<feed xmlns='http://www.w3.org/2005/Atom'>
<title>doot.git/internal/auth/middleware.go, branch master</title>
<subtitle>doot — personal productivity web app
</subtitle>
<id>https://git.terst.org/doot.git/atom?h=master</id>
<link rel='self' href='https://git.terst.org/doot.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/'/>
<updated>2026-06-03T00:35:02+00:00</updated>
<entry>
<title>fix: add CSRF and WebSocket origin protection to Claudomator proxy</title>
<updated>2026-06-03T00:35:02+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-06-03T00:35:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=eb089ef4c9416bd3d5642bb5a4437355ffa2fdd0'/>
<id>urn:sha1:eb089ef4c9416bd3d5642bb5a4437355ffa2fdd0</id>
<content type='text'>
Token-based CSRF is impractical for a reverse proxy whose UI doesn't
know Doot's session tokens, so state-changing requests to /claudomator/*
are now validated against the configured WebAuthn origin via Origin/Referer
header. WebSocket upgrades reject mismatched or missing Origin headers
before hijacking the connection. Both checks are no-ops when WebAuthnOrigin
is unset (local dev).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Add Agent Context API for external agent integration</title>
<updated>2026-01-29T08:19:28+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-01-29T08:19:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=05b1930e04ac222d73ffb2f45c1b1febb69f893d'/>
<id>urn:sha1:05b1930e04ac222d73ffb2f45c1b1febb69f893d</id>
<content type='text'>
Phase 1: Authentication and read-only context
- POST /agent/auth/request - request access with name + agent_id
- GET /agent/auth/poll - poll for approval status
- POST /agent/auth/approve|deny - user approval (browser auth required)
- GET /agent/context - 7-day timeline context (agent session required)

Phase 1.5: Browser-only agent endpoints (HTML pages)
- GET /agent/web/request - request page with token
- GET /agent/web/status - status page with polling
- GET /agent/web/context - context page with timeline data

WebSocket notifications:
- GET /ws/notifications - push agent requests to browsers
- Approval modal with trust indicators and countdown timer

Database:
- agents table for registered agent tracking
- agent_sessions table for pending/active sessions

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Phase 3: Error handling and security hardening</title>
<updated>2026-01-26T17:03:53+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-01-26T17:03:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=8c2b8c352f8c980c79bb4bb4772e8cbc02d14164'/>
<id>urn:sha1:8c2b8c352f8c980c79bb4bb4772e8cbc02d14164</id>
<content type='text'>
- Handle JSON marshal errors in sqlite.go (log + fallback to empty array)
- Add 30s timeout to Google Calendar client initialization
- Fix CSRF timing attack by using subtle.ConstantTimeCompare

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Add CSRF protection and auth unit tests</title>
<updated>2026-01-21T01:18:57+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-01-21T01:18:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=78e8f597ff28f1b8406f5cfbf934adc22abdf85b'/>
<id>urn:sha1:78e8f597ff28f1b8406f5cfbf934adc22abdf85b</id>
<content type='text'>
Add CSRF token middleware for state-changing request protection,
integrate tokens into templates and HTMX headers, and add unit
tests for authentication service and handlers.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Add session-based authentication</title>
<updated>2026-01-20T21:34:33+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-01-20T21:34:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=08bbcf18b1207153983261652b4a43a9b36f386c'/>
<id>urn:sha1:08bbcf18b1207153983261652b4a43a9b36f386c</id>
<content type='text'>
Implement secure authentication using scs session manager with SQLite
backing store and bcrypt password hashing.

- Add users and sessions tables (migration 004)
- Create internal/auth package with Service, Middleware, and Handlers
- Protect all routes except /login, /logout, /static/*
- Add login page template and logout button to dashboard
- Default credentials: admin/changeme (configurable via env vars)

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
</content>
</entry>
</feed>
