UMBRA

rohskiddo/UMBRA

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Pope	ab84c7bc53	Fix review findings: transaction atomicity, perf, and UI polish Backend fixes: - session.py: record_failed/successful_login use flush() not commit() — callers own transaction boundary (BUG-2 atomicity fix) - auth.py: Add explicit commits after record_failed_login where callers raise immediately; add commit before TOTP mfa_token return path - passkeys.py: JOIN credential+user lookup in login/complete (W-1 perf) - passkeys.py: Move mfa_enforce_pending clear before main commit (S-2) - passkeys.py: Add Path(ge=1, le=2147483647) on DELETE endpoint (BUG-3) - auth.py: Switch has_passkeys from COUNT to EXISTS with LIMIT 1 (W-2) - passkey.py: Add single-worker nonce cache comment (H-1) Frontend fixes: - PasskeySection: emerald→green badge colors (W-3 palette) - PasskeySection: text-[11px]/text-[10px]→text-xs (W-4 a11y minimum) - PasskeySection: Scope deleteMutation.isPending to per-item (W-5) - nginx.conf: Permissions-Policy publickey-credentials use (self) (H-2) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-17 22:59:59 +08:00
Kyle Pope	eebb34aa77	Phase 0: Consolidate session creation into shared service Extract _create_db_session, _set_session_cookie, _check_account_lockout, _record_failed_login, and _record_successful_login from auth.py into services/session.py. Update totp.py to use shared service instead of its duplicate _create_full_session (which lacked session cap enforcement). Also fixes: - auth/status N+1 query (2 sequential queries -> single JOIN) - Rename verify_password route to verify_password_endpoint (shadow fix) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-17 22:40:46 +08:00

Author

SHA1

Message

Date

Kyle Pope

ab84c7bc53

Fix review findings: transaction atomicity, perf, and UI polish

Backend fixes:
- session.py: record_failed/successful_login use flush() not commit()
  — callers own transaction boundary (BUG-2 atomicity fix)
- auth.py: Add explicit commits after record_failed_login where callers
  raise immediately; add commit before TOTP mfa_token return path
- passkeys.py: JOIN credential+user lookup in login/complete (W-1 perf)
- passkeys.py: Move mfa_enforce_pending clear before main commit (S-2)
- passkeys.py: Add Path(ge=1, le=2147483647) on DELETE endpoint (BUG-3)
- auth.py: Switch has_passkeys from COUNT to EXISTS with LIMIT 1 (W-2)
- passkey.py: Add single-worker nonce cache comment (H-1)

Frontend fixes:
- PasskeySection: emerald→green badge colors (W-3 palette)
- PasskeySection: text-[11px]/text-[10px]→text-xs (W-4 a11y minimum)
- PasskeySection: Scope deleteMutation.isPending to per-item (W-5)
- nginx.conf: Permissions-Policy publickey-credentials use (self) (H-2)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-17 22:59:59 +08:00

Kyle Pope

eebb34aa77

Phase 0: Consolidate session creation into shared service

Extract _create_db_session, _set_session_cookie, _check_account_lockout,
_record_failed_login, and _record_successful_login from auth.py into
services/session.py. Update totp.py to use shared service instead of
its duplicate _create_full_session (which lacked session cap enforcement).

Also fixes:
- auth/status N+1 query (2 sequential queries -> single JOIN)
- Rename verify_password route to verify_password_endpoint (shadow fix)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-17 22:40:46 +08:00

2 Commits