beabigegg
35c90fe76b
feat: implement 5 QA-driven security and quality proposals
Implemented proposals from comprehensive QA review:
1. extend-csrf-protection
- Add POST to CSRF protected methods in frontend
- Global CSRF middleware for all state-changing operations
- Update tests with CSRF token fixtures
2. tighten-cors-websocket-security
- Replace wildcard CORS with explicit method/header lists
- Disable query parameter auth in production (code 4002)
- Add per-user WebSocket connection limit (max 5, code 4005)
3. shorten-jwt-expiry
- Reduce JWT expiry from 7 days to 60 minutes
- Add refresh token support with 7-day expiry
- Implement token rotation on refresh
- Frontend auto-refresh when token near expiry (<5 min)
4. fix-frontend-quality
- Add React.lazy() code splitting for all pages
- Fix useCallback dependency arrays (Dashboard, Comments)
- Add localStorage data validation in AuthContext
- Complete i18n for AttachmentUpload component
5. enhance-backend-validation
- Add SecurityAuditMiddleware for access denied logging
- Add ErrorSanitizerMiddleware for production error messages
- Protect /health/detailed with admin authentication
- Add input length validation (comment 5000, desc 10000)
All 521 backend tests passing. Frontend builds successfully.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 23:19:05 +08:00
..
2026-01-05 23:39:12 +08:00
2026-01-11 18:41:19 +08:00
2026-01-04 21:49:52 +08:00
2026-01-12 23:19:05 +08:00
2026-01-04 21:49:52 +08:00
2026-01-10 22:13:43 +08:00
2026-01-10 22:13:43 +08:00
2026-01-11 08:37:21 +08:00
2026-01-07 21:24:36 +08:00
2026-01-04 21:49:52 +08:00
2026-01-04 21:49:52 +08:00
2026-01-11 18:41:19 +08:00
2026-01-11 08:37:21 +08:00
2025-12-29 00:31:34 +08:00
2026-01-10 22:13:43 +08:00
2026-01-11 18:41:19 +08:00
2026-01-10 22:13:43 +08:00
2026-01-11 08:37:21 +08:00
2026-01-11 18:41:19 +08:00
2026-01-12 23:19:05 +08:00
2026-01-11 08:37:21 +08:00
2025-12-28 23:41:37 +08:00