mirror of
https://github.com/velocitatem/cvfs.git
synced 2026-07-15 19:03:38 +00:00
Login hardening: - API: in-memory rate limiter (10 attempts / IP / 15 min), timing-safe credential comparison, strict body validation - Middleware: validate session token timestamp expiry (7-day window) not just HMAC signature - Logout: also clears oidc_token_pub cookie - Login page: try/catch around fetch to surface network errors, parse OIDC error query params, disable inputs during loading, wrap useSearchParams in Suspense Diff propagation: - DiffViewer: shows inherited ancestor patches in a collapsible section above own patches - CVTree: annotates each branch with ↑N ancestor patch count badge; propagate (↓) button on hover for versions with own patches and child branches - Dashboard: computeInheritedPatches/getDescendants helpers; Propagate ↓ action button in version header; handlePropagate sends current version's patches to all descendants via appendPatches Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Stdyi4YmG1BUSurArZPe8w
Next.js 15 webapp with React 19, Tailwind CSS 4, Supabase auth, and Turbopack.
Start
bun dev
# or from project root: make run.webapp
Open http://localhost:3000.
Scripts
| Command | Description |
|---|---|
bun dev |
Dev server with Turbopack |
bun build |
Production build |
bun start |
Serve production build |
bun lint |
Run ESLint |
bun typecheck |
Run tsc --noEmit |
Auth
Auth is wired to Supabase via NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY.
Set NEXT_PUBLIC_REQUIRE_AUTH=false in .env to disable auth-gating entirely (default for quick prototyping).
Structure
src/
app/ - Next.js App Router pages
components/ - Reusable bare-bones components (style last)
utils/supabase - Supabase client helpers
libs/ - Shared utilities
locales/ - i18n strings (add languages as needed)