docs: update SESSION_STATE for CORS security fix completion (Session 20)
This commit is contained in:
@@ -1,8 +1,8 @@
|
||||
# CURRENT AI WORKING SESSION — HANDOVER
|
||||
|
||||
**Active AI:** Claude Haiku 4.5
|
||||
**Last Updated:** 2026-04-21 (Session 19 - Network/CORS Configuration Complete)
|
||||
**Current Version:** v1.13.0 (Photo UI + Network Config - Phase 2 Complete)
|
||||
**Last Updated:** 2026-04-21 (Session 20 - CORS Security Fix Complete)
|
||||
**Current Version:** v1.13.1 (Subnet-aware CORS middleware + Phase 2 complete)
|
||||
**Branch:** dev (All changes committed, ready for Phase 3)
|
||||
|
||||
---
|
||||
@@ -37,18 +37,27 @@
|
||||
|
||||
### Known Issues for Next Session
|
||||
|
||||
**Priority 1: VPN CORS (Blocking)**
|
||||
- Problem: Subnet notation (100.78.182.0/24) creates invalid origin URLs like `https://100.78.182.0/24:8918`
|
||||
- Current workaround: `allow_origins=["*"]` (insecure, temporary)
|
||||
- Solution needed: Implement proper subnet validation in CORS middleware using `is_origin_allowed()` function
|
||||
- Files involved: `backend/main.py`, `start_server.sh`
|
||||
**RESOLVED: VPN CORS (Was Blocking) ✅**
|
||||
- ✅ Implemented `SubnetAwareCORSMiddleware` in `backend/main.py`
|
||||
- ✅ Uses `is_origin_allowed()` to validate exact origins + subnet matching
|
||||
- ✅ Handles CORS preflight (OPTIONS) properly with origin validation
|
||||
- ✅ Tested subnet parsing (100.78.182.0/24 → matches 100.78.182.x)
|
||||
- ✅ Removed insecure `allow_origins=["*"]` wildcard
|
||||
- Commit: `6f1e7731` (current session - CORS security fix)
|
||||
- Note: Old commit `904e153d` (temp CORS) is in history but no longer used
|
||||
|
||||
**Priority 2: Clean up Temporary CORS**
|
||||
- Remove `allow_origins=["*"]` once subnet validation is working
|
||||
- Commit: `904e153d` (marked as "temp")
|
||||
**No Blocking Issues Remaining** ✅
|
||||
- Backend: 127/128 tests passing (1 unrelated schema test failure)
|
||||
- Frontend: Ready for Phase 3
|
||||
|
||||
### Latest Commits (This Session)
|
||||
### Latest Commits (Session 19-20)
|
||||
|
||||
**Session 20 (Current - CORS Security Fix):**
|
||||
```
|
||||
6f1e7731 fix: implement subnet-aware CORS middleware to replace insecure wildcard origins
|
||||
```
|
||||
|
||||
**Session 19 (Network/Login Form Fixes):**
|
||||
```
|
||||
6bf95a0d fix: prevent username input from unmounting during typing in login form
|
||||
904e153d temp: allow all CORS origins for debugging LDAP login issue
|
||||
|
||||
Reference in New Issue
Block a user