| Age | Commit message (Collapse) | Author |
|---|
|
Prevent XSS-based token theft by making the JWT inaccessible to
JavaScript. The backend now sets/clears the cookie via Set-Cookie
headers, and the frontend retrieves user info from /api/me instead
of decoding the JWT directly.
- Add JWTCookieMiddleware to parse cookie and inject claims into context
- Add /me and /logout endpoints to OpenAPI spec and handlers
- Update PostLogin to return user object + Set-Cookie header
- Replace Authorization header auth with cookie-based auth throughout
- Rewrite frontend auth to use /api/me instead of jwt-decode
- Remove jwt-decode dependency
- Configure CORS with credentials for local dev
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
|
Clean up old React Router references after migration to Vite + Wouter:
- Replace build/ and .react-router/ with dist/ in ESLint globalIgnores
- Replace ./build with ./dist in Biome ignore list
- Remove formComponents and NavLink from ESLint settings
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
|
BFF前提のURL分岐をVite SPA向けに調整。本番URLのハードコードを
VITE_API_BASE_URL環境変数に外出し。
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
