picoclaw/web/backend/tray_offers_copy.go at 6ea364e67dead37e09ffc8d535ccc262a0ffe202 - picoclaw - Gitea: Git with a cup of tea

lzh/picoclaw

mirror of https://github.com/sipeed/picoclaw.git synced 2026-06-12 18:08:54 +00:00

Files

T

zeed zhao 6ea364e67d feat(web): protect launcher dashboard with token and SPA login (#1953 )

Add token-based authentication for the Launcher's embedded Web Dashboard.

- Ephemeral token generated in-memory each run (or via PICOCLAW_LAUNCHER_TOKEN env var)
- HMAC-SHA256 session cookie (HttpOnly, SameSite=Lax, Secure when HTTPS)
- Bearer token support for API/script access
- Rate limiting on login (10 attempts/IP/min)
- Referrer-Policy: no-referrer on all responses
- POST-only logout with JSON content-type (CSRF-safe)
- System tray "Copy dashboard token" action
- Login page shows contextual help (console/tray/log file path)
- Path traversal protection via path.Clean
- X-Forwarded-Host/Port/Proto support for reverse proxy deployments
- Full i18n support (English, Chinese)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-29 13:11:43 +08:00

6 lines

112 B

Go

Raw Blame History

 //go:build (!darwin && !freebsd) || cgo
 package main
 func trayOffersDashboardTokenCopy() bool { return true }