mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-01-11 14:17:43 -06:00
0910544583
- CSRF error handler:
- Treat classic form POSTs as HTML (flash + safe redirect) regardless of
Accept header quirks; return JSON only for XHR/JSON requests
- Add contextual logging (path, method, referrer, user, reason) for diagnostics
- Security/config:
- Enforce strong SECRET_KEY in production (no placeholders, min length);
refuse startup if invalid
- Make SESSION_COOKIE_SAMESITE and REMEMBER_COOKIE_SAMESITE env-driven
while keeping Secure/HttpOnly flags configurable
- Client resilience:
- Refresh CSRF token on window focus in addition to periodic refresh
- Pre-submit refresh if token is stale (>15 minutes)
- Auto-inject/refresh tokens for dynamically added forms via MutationObserver
- UX correctness:
- Ensure tasks.edit_task re-renders with projects/users on validation errors
Fixes #77 (csrf_token_missing_or_invalid)
See: https://github.com/DRYTRIX/TimeTracker/issues/77
Files:
- app/__init__.py
- app/config.py
- app/templates/base.html
- app/routes/tasks.py
Note: In production, a single, persistent SECRET_KEY is required across all instances.