Commit Graph

3 Commits

Author SHA1 Message Date
1e70ab15e9 security: fix K1-K3 critical + H1/H2/H5 + M1/M4/M5/M6/N2
K1: Asset token via Authorization header (not URL/query, so it does not end up in logs)
    + UUID format whitelist against path traversal / SSRF
K2: /profile requires a short-lived registration token (10 min, signed)
    instead of an unchecked userId from the body
K3: PATCH /pair/:pairId/points checks ownership via Directus before the update
H1: In-memory rate limiting (login/register: 10/15 min, assets: 60/min)
H2: Server does not start without CORS_ORIGIN (no '*' fallback)
H5: lang parameter whitelist in content + UUID validation in progress
M1: points_earned, card_type, result validated server-side (0-100, enums)
M4: Authorization header redacted in logs
M5: Password length checked server-side
M6: Startup check for all critical env vars
N2: pairId UUID format enforced

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 22:55:23 +02:00
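The fixes K1, K2, N2 and H1 listed in the commit above describe the technique only; the block below is an added, stand-alone TypeScript example and not the HejYou repository's own code. It assumes Node's built-in `node:crypto` only (no Hono dependency), a token layout of `base64url(payload).base64url(HMAC-SHA256)`, a caller-supplied secret, and a single-process in-memory `Map` for the rate-limit counters; the helper names, the UUID regex and the sample UUID are all invented for illustration.

```typescript
// Added example (not the HejYou project's code). Helper names, token layout,
// the secret parameter and the sample values are assumptions for illustration.
import { createHmac, timingSafeEqual } from "node:crypto";

// K1/N2: strict UUID whitelist. Traversal ("../"), URLs and encoded bytes all
// fail this check before the value is ever interpolated into a Directus URL.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export function isUuid(value: string): boolean {
  return UUID_RE.test(value);
}

// K1: the asset token is read from the Authorization header, never the query
// string, so it stays out of access logs. Only the exact "Bearer <token>" form is accepted.
export function bearerToken(authorization: string | undefined): string | null {
  if (!authorization) return null;
  const m = /^Bearer\s+(\S+)$/.exec(authorization);
  return m?.[1] ?? null;
}

// K2: signed registration token, valid for 10 minutes. The payload carries the
// userId and an absolute expiry, so /profile trusts the token, not the request body.
const REG_TOKEN_TTL_MS = 10 * 60 * 1000;

function sign(payload: string, secret: string): string {
  return createHmac("sha256", secret).update(payload).digest("base64url");
}

export function issueRegistrationToken(userId: string, secret: string, now = Date.now()): string {
  if (!isUuid(userId)) throw new Error("userId must be a UUID");
  const claims = { uid: userId, exp: now + REG_TOKEN_TTL_MS };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payload}.${sign(payload, secret)}`;
}

// Returns the userId on success, null on any failure (bad format, bad signature,
// expired, or a uid that is not itself a UUID). The comparison is constant-time.
export function verifyRegistrationToken(token: string, secret: string, now = Date.now()): string | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const payload = parts[0];
  const sig = parts[1];
  if (!payload || !sig) return null;
  const given = Buffer.from(sig);
  const expected = Buffer.from(sign(payload, secret));
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: { uid?: unknown; exp?: unknown };
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.uid !== "string" || typeof claims.exp !== "number") return null;
  if (now >= claims.exp) return null;
  if (!isUuid(claims.uid)) return null;
  return claims.uid;
}

// H1: fixed-window in-memory limiter (e.g. login: 10 requests per 15 min per IP).
// Counters live in this process only; a multi-instance deployment needs a shared store.
export class FixedWindowLimiter {
  private readonly hits = new Map<string, { count: number; resetAt: number }>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Counts the request and returns true if it is within the limit, false otherwise.
  allow(key: string, now = Date.now()): boolean {
    const entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    if (entry.count >= this.limit) return false;
    entry.count++;
    return true;
  }
}
```

The clock is injected (`now`) so expiry and window rollover can be tested deterministically; in a Hono handler the same functions would be called with `c.req.header("Authorization")`, `c.req.param("fileId")` and the client IP as the limiter key.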
593753fa4d fix: make assets endpoint public for <img src> usage
Images are non-sensitive learning content; removing auth from
/assets/:fileId so React app can use URLs directly in <img src>.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 22:43:19 +02:00
311d35fac0 init: HejYou API Server (Hono + Node.js + TypeScript)
Thin proxy between React app and Directus.
Admin token stays server-side; clients get own 30-day JWTs.
Endpoints: /auth/* register/login/profile/me, /words, /questions,
/qa-pairs, /pair, /progress, /assets/:fileId

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 22:35:19 +02:00