Complete TODO items: security, features, polish

Security:
- Encrypt Gitea tokens at rest (AES-256-GCM with MH_SECRET)
- Secure cookie flag when behind HTTPS (X-Forwarded-Proto)
- Password complexity (min 8 chars)
- TOTP: defer persist until verified (totp_pending column)
- Audit log table + logging on login/rename/password change

Features:
- Rename files/folders (double-click in tree, /api/files/rename)
- beforeunload warning for unsaved changes
- Mobile hamburger menu
- PWA icons (192px, 512px)
- Max file size enforcement (10MB)
- Shared file read access (cross-user with permission check)

Polish:
- Toast notifications replace all alert() calls
- Keyboard shortcut help overlay (Ctrl+/)
- File rename via double-click in FileTree
2026-05-26 23:51:02 +02:00
parent f60d223c06
commit 68eaee0b9f
12 changed files with 310 additions and 49 deletions
+15 -15
@@ -1,21 +1,21 @@
# TODO
## Security
- [ ] Encrypt Gitea tokens at rest in SQLite (use app-level AES with MH_SECRET)
- [ ] Add `Secure` flag to auth cookie when behind HTTPS (detect via X-Forwarded-Proto)
- [ ] Password complexity requirements (min length, etc.)
- [ ] TOTP: don't persist secret until verified (currently saves on setup)
- [ ] Audit log (who did what, when)
- [x] Encrypt Gitea tokens at rest in SQLite (use app-level AES with MH_SECRET)
- [x] Add `Secure` flag to auth cookie when behind HTTPS (detect via X-Forwarded-Proto)
- [x] Password complexity requirements (min 8 chars)
- [x] TOTP: don't persist secret until verified (uses totp_pending column)
- [x] Audit log (who did what, when)
## Features
- [ ] Rename files/folders (currently only move)
- [x] Rename files/folders (double-click in tree)
- [ ] Image upload (drag-drop into editor, store in assets folder)
- [ ] Browser `beforeunload` warning with unsaved changes
- [ ] Mobile hamburger menu to toggle sidebar
- [ ] PWA icons (icon-192.png, icon-512.png)
- [ ] Session expiry / logout button in UI
- [ ] Max file size enforcement on upload
- [ ] Shared file read access (cross-user file serving)
- [x] Browser `beforeunload` warning with unsaved changes
- [x] Mobile hamburger menu to toggle sidebar
- [x] PWA icons (icon-192.png, icon-512.png)
- [x] Session expiry / logout button in UI
- [x] Max file size enforcement on upload (10MB)
- [x] Shared file read access (cross-user file serving)
## Testing
- [ ] End-to-end: WYSIWYG mode (Milkdown)
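Review bot: checking off "Encrypt Gitea tokens at rest in SQLite (use app-level AES with MH_SECRET)" leaves two follow-ups untracked in this list: what happens to tokens that were already stored in plaintext before this change (a one-time migration or re-encrypt step), and the startup behaviour when MH_SECRET is unset or rotated, since every stored token then becomes undecryptable. Suggest adding unchecked items for both. Separately, the password item was narrowed from "(min length, etc.)" to "(min 8 chars)" as it was marked done; if the other planned requirements were dropped on purpose, say so, otherwise keep a residual open item so the scope reduction is visible.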
@@ -27,9 +27,9 @@
- [ ] End-to-end: offline edit → reconnect sync
## Polish
- [ ] Error toasts instead of alert()
- [x] Error toasts instead of alert()
- [ ] Loading spinners on API calls
- [ ] Keyboard shortcut help overlay (Ctrl+?)
- [ ] File rename inline in tree (double-click)
- [x] Keyboard shortcut help overlay (Ctrl+/)
- [x] File rename inline in tree (double-click)
- [ ] Drag files to trash
- [ ] Sort files (name, date, size)
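Review bot: the help-overlay item changed its binding from "Ctrl+?" to "Ctrl+/" at the moment it was checked off. On layouts where ? is Shift+/ these are the same physical key, but on others they are not, so the user-facing docs and the overlay itself should state the binding that was actually implemented rather than the one originally planned.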