If a session is refreshed when accessed through /api/auth/session during
a SSR then the Set-Cookie header was lost. Pass this along to the
client in this case to keep the session alive.
Putting secrets into environment variables is problematic due to them
being inherited by sub-processes, the ease as which these can be
leaked in logs, and the lack of support for loading secrets into
environment variables by systems such as systemd and docker.
Change the loading of secrets to be done by loading the content of a
file specified by an environment variable.
If a cookie is signed for one purpose, but the server also uses a
differently named signed cookie name for another purpose, then it's
possible for a malicious client to substitute the value of one signed
cookie with the value of another and have it pass the signature check.
Include the name of the cookie when computing the signature so that no
cookies signed for example for "user_session" can be used as a value for
a hypothetical "admin_session" cookie.
Use the useRuntimeConfig interface to read vapid details on the server
side. This is a more portale way to deal with loading data from the
environment in Nuxt.js.
The access permissions in Forgejo does not allow making packages
of a user private, the only options are hide the user completely
or make packages public. Do a workaround for this by pushing to
a private org.
Render the timeslots as an editable table of times with associated
event. When the event it's linked to is edited the time slot is removed
from the original event it belonged to and added to the possibly new
event it now belongs to. This gives a somewhat intutive editing
experience when editing time slots linked to events with multiple times.
Set a max age for the session cookie to prevent it from expiring when
the browser is closed. To prevent the age limit from being being
reached the session cookie is refreshed every time the session is
loaded. This should fix login being lost when the browser is stopped.
Fix the inital server side load of the schedule not including crew only
items due to headers not being passed from the client to server side
request made to fetch the schedule.
When correcting for a timezone being ahead of UTC the start has to be
moved backwards in time, not forward. Fixes the generated schodule
not using central european times.
Add allowedAccountTypes page metadata which the authenticated middleware
uses to further restrict the types of accounts that can access the page.
If the account type is insufficent to access the page it will return an
HTTP 403 Forbidden status, which is rendered using the error page.
Parse the iso date strings into millseconds from the unix epoch and use
that through the timetable logic instead of reparsing the strings over
and over.
To make it possible to render the timetable in the user's local time we
need to know the timezone to render it in on the server. Otherwise
there will be hydration errors and paint flashing as the client renders
a different timezone.
Add a server global default timezone that can be overriden on a
per-account bases to prepare for timezone handling the timetable.
When rendering on the server the session is not eagerly loaded when the
authenticated middleware runs, causing it to think the user is not
logged in. Fix by awaiting the session composable.
