feat(web): harden login gate — throttle, scoped TLS, token-derived seal key
Remediates the two web-console residuals from the 2026-07-05 posture audit: - Brute-force throttle (loginThrottle.ts): per-IP exponential backoff after 5 free attempts, plus a global floor for spread-out floods, keyed on the socket peer IP (not spoofable X-Forwarded-For) with a size-capped map. The constant-time compare already stopped the timing leak; this bounds guess *volume* against a by-design LAN-exposed console. - Session seal key now derives from the high-entropy mgmt token instead of the low-entropy login password, so a captured cookie is no longer an offline password oracle. Falls back to the password only when no token is configured (dev/local). Rotating the token now invalidates sessions. - Replace the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 with per-request Bun TLS scoped to the loopback proxy hop; a non-loopback mgmt URL now verifies normally. Dropped the env var from the systemd unit, Steam Deck installer, Windows run scripts, env examples, and web README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
+3
-4
@@ -2,7 +2,7 @@
|
||||
#
|
||||
# On a `apt install punktfunk-web` install you DO NOT edit anything: the systemd --user units wire
|
||||
# everything automatically —
|
||||
# punktfunk-web.service sets PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990, NODE_TLS_REJECT_UNAUTHORIZED=0,
|
||||
# punktfunk-web.service sets PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990,
|
||||
# PORT=47992, HOST=0.0.0.0, the PUNKTFUNK_UI_TLS_* cert paths + PUNKTFUNK_UI_SECURE=1, and sources:
|
||||
# ~/.config/punktfunk/mgmt-token (written by the host's `serve` — the shared bearer token)
|
||||
# ~/.config/punktfunk/web-password (written by punktfunk-web-init — the console login password)
|
||||
@@ -10,10 +10,9 @@
|
||||
#
|
||||
# This file documents the variables for a MANUAL deploy (running `bun .output/server/index.mjs`
|
||||
# yourself — the console runs on bun: `Bun.serve` is a Bun API, node can't run it). The mgmt API is
|
||||
# HTTPS with the host's self-signed loopback cert, so the proxy needs NODE_TLS_REJECT_UNAUTHORIZED=0
|
||||
# (its only outbound TLS hop is that loopback connection).
|
||||
# HTTPS with the host's self-signed loopback cert; the proxy accepts it ONLY for that loopback hop,
|
||||
# scoped in code (Bun per-request TLS) — so NODE_TLS_REJECT_UNAUTHORIZED is deliberately unset.
|
||||
PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
|
||||
NODE_TLS_REJECT_UNAUTHORIZED=0
|
||||
PORT=47992
|
||||
HOST=0.0.0.0
|
||||
|
||||
|
||||
Reference in New Issue
Block a user