Test User 469ee5ff85 security: harden API authentication system ...

- Use crypto.timingSafeEqual() for API key validation (prevents timing attacks)
- Make WebSocket tokens single-use (invalidated after first validation)
- Add AUTOMAKER_HIDE_API_KEY env var to suppress API key banner in logs
- Add rate limiting to login endpoint (5 attempts/minute/IP)
- Update client to fetch short-lived wsToken for WebSocket auth
  (session tokens no longer exposed in URLs)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2025-12-29 17:35:55 -05:00

..

src

security: harden API authentication system

2025-12-29 17:35:55 -05:00

tests

docs: add API security hardening design plan

2025-12-29 17:17:16 -05:00

.env.example

refactor: streamline ALLOWED_ROOT_DIRECTORY handling and remove legacy support

2025-12-20 20:49:28 -05:00

.gitignore

feat: add comprehensive integration tests for auto-mode-service

2025-12-13 13:34:27 +01:00

package.json

docs: add API security hardening design plan

2025-12-29 17:17:16 -05:00

pnpm-lock.yaml

feat: add comprehensive integration tests for auto-mode-service

2025-12-13 13:34:27 +01:00

tsconfig.json

chore: update project management and API integration

2025-12-12 00:23:43 -05:00

tsconfig.test.json

feat: add comprehensive integration tests for auto-mode-service

2025-12-13 13:34:27 +01:00

vitest.config.ts

adjusted minheight logic and fixed tests

2025-12-21 23:13:59 -06:00