feat(web): harden login gate — throttle, scoped TLS, token-derived seal key
Remediates the two web-console residuals from the 2026-07-05 posture audit: - Brute-force throttle (loginThrottle.ts): per-IP exponential backoff after 5 free attempts, plus a global floor for spread-out floods, keyed on the socket peer IP (not spoofable X-Forwarded-For) with a size-capped map. The constant-time compare already stopped the timing leak; this bounds guess *volume* against a by-design LAN-exposed console. - Session seal key now derives from the high-entropy mgmt token instead of the low-entropy login password, so a captured cookie is no longer an offline password oracle. Falls back to the password only when no token is configured (dev/local). Rotating the token now invalidates sessions. - Replace the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 with per-request Bun TLS scoped to the loopback proxy hop; a non-loopback mgmt URL now verifies normally. Dropped the env var from the systemd unit, Steam Deck installer, Windows run scripts, env examples, and web README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
+8
-6
@@ -19,13 +19,15 @@ PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
|
||||
# the proxy gets 401.
|
||||
PUNKTFUNK_MGMT_TOKEN=
|
||||
|
||||
# REQUIRED with the HTTPS mgmt API: the host presents a SELF-SIGNED identity cert on loopback,
|
||||
# which the proxy's fetch would otherwise reject (→ 502). The web server makes no other outbound
|
||||
# TLS calls, so disabling verification here only affects the loopback hop to the host's own cert.
|
||||
NODE_TLS_REJECT_UNAUTHORIZED=0
|
||||
# NOTE: NODE_TLS_REJECT_UNAUTHORIZED is intentionally NOT set. The host's self-signed loopback cert
|
||||
# is accepted only for the /api proxy's loopback hop — scoped inside the proxy code (Bun per-request
|
||||
# TLS: server/routes/api/[...].ts), so it can never silently unverify some other outbound TLS. A
|
||||
# NON-loopback PUNKTFUNK_MGMT_URL is verified normally (present a valid chain).
|
||||
|
||||
# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived
|
||||
# from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions).
|
||||
# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, the key is derived from the
|
||||
# high-entropy PUNKTFUNK_MGMT_TOKEN (so a captured cookie is NOT an offline password oracle); only if
|
||||
# no token is configured (dev/local) does it fall back to deriving from PUNKTFUNK_UI_PASSWORD.
|
||||
# Rotating the mgmt token invalidates existing sessions.
|
||||
# PUNKTFUNK_UI_SECRET=
|
||||
|
||||
# TLS: serve the console over HTTPS (HTTP/1.1 over TLS) using the HOST's own identity cert (the cert
|
||||
|
||||
Reference in New Issue
Block a user