- Store session tokens server-side on login (was: generated but not stored)
- Add /api/v1/auth/logout endpoint for server-side session invalidation
- Delete old sessions on login to prevent session fixation attacks
- Add Cache-Control: no-store headers to all auth responses

Security fixes:
1. Session identifiers now rotated on login (old sessions deleted)
2. Logout properly invalidates server-side session
3. Auth responses include anti-caching headers
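A worked illustration of the three fixes this commit message lists, added here as example code and not the project's own: a hypothetical in-memory session store, a login that rotates the identifier and drops the pre-login session, and a logout handler for /api/v1/auth/logout that deletes the session server-side and sets Cache-Control: no-store. The cookie name `session` and the store's shape are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"sync"
)

// SessionStore is a hypothetical in-memory stand-in for the project's session storage.
type SessionStore struct {
	mu      sync.Mutex
	byToken map[string]string // session token -> user
}

func NewSessionStore() *SessionStore { return &SessionStore{byToken: map[string]string{}} }

func newToken() string {
	b := make([]byte, 32) // 256 bits from crypto/rand, hex encoded
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Login deletes the pre-authentication session (if any) and issues a fresh token.
func (s *SessionStore) Login(oldToken, user string) string {
	s.mu.Lock(); defer s.mu.Unlock()
	delete(s.byToken, oldToken) // an identifier chosen before login never survives it
	t := newToken()
	s.byToken[t] = user
	return t
}

// UserFor resolves a token; unknown or invalidated tokens return ok == false.
func (s *SessionStore) UserFor(token string) (string, bool) {
	s.mu.Lock(); defer s.mu.Unlock()
	u, ok := s.byToken[token]
	return u, ok
}

// LogoutHandler backs /api/v1/auth/logout: server-side delete, expired cookie, no-store.
func (s *SessionStore) LogoutHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "no-store")
	if c, err := r.Cookie("session"); err == nil {
		s.mu.Lock(); delete(s.byToken, c.Value); s.mu.Unlock()
	}
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "", MaxAge: -1, Path: "/", HttpOnly: true})
	w.WriteHeader(http.StatusNoContent)
}
```

Pass the token from the pre-login cookie as `oldToken` at the point where credentials are verified; a client that logs out must see `UserFor` fail afterwards, not just lose its cookie.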