Add HTMX-based UI templates and handlers for account and audit management
- Introduced `web/templates/` for HTMX-fragmented pages (`dashboard`, `accounts`, `account_detail`, `error_fragment`, etc.).
- Implemented UI routes for account CRUD, audit log display, and login/logout with CSRF protection.
- Added `internal/ui/` package for handlers, CSRF manager, session validation, and token issuance.
- Updated documentation to include new UI features and templates directory structure.
- Security: Double-submit CSRF cookies, constant-time HMAC validation, login password/Argon2id re-verification at all steps to prevent bypass.
10
PROGRESS.md
@@ -2,7 +2,7 @@
|
||||
|
||||
Source of truth for current development state.
|
||||
---
|
||||
All phases complete. 137 Go server tests + 25 Go client tests + 22 Rust client
|
||||
All phases complete. 137 Go server tests + 25 Go client tests + 23 Rust client
|
||||
tests + 37 Lisp client tests + 32 Python client tests pass. Zero race
|
||||
conditions (go test -race ./...).
|
||||
- [x] Phase 0: Repository bootstrap (go.mod, .gitignore, docs)
|
||||
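Review bot: the summary line in this hunk still reports 137 Go server tests while only the Rust client figure moves (22 to 23), even though the commit message describes a new `internal/ui/` package with a CSRF manager, session validation and token issuance. If those handlers shipped with tests, the server count should change in the same line; if they did not, add negative-path tests for the double-submit cookie check and the HMAC comparison (missing cookie, mismatched token, altered MAC) before restating "All phases complete".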
@@ -30,19 +30,19 @@ conditions (go test -race ./...).
|
||||
- TLS 1.2+ enforced via `tls.Config{MinVersion: tls.VersionTLS12}`
|
||||
- Token state guarded by `sync.RWMutex` for concurrent safety
|
||||
- JSON decoded with `DisallowUnknownFields` on all responses
|
||||
- 20 tests in `client_test.go`; all pass with `go test -race`
|
||||
- 25 tests in `client_test.go`; all pass with `go test -race`
|
||||
|
||||
**clients/rust/** — Rust async client library
|
||||
- Crate: `mcias-client`; tokio async, reqwest + rustls-tls (no OpenSSL dep)
|
||||
- `MciasError` enum via `thiserror`; `Arc<RwLock<Option<String>>>` for token
|
||||
- 22 integration tests using `wiremock`; `cargo clippy -- -D warnings` clean
|
||||
- 23 integration tests using `wiremock`; `cargo clippy -- -D warnings` clean
|
||||
|
||||
**clients/lisp/** — Common Lisp client library
|
||||
- ASDF system `mcias-client`; HTTP via dexador, JSON via yason
|
||||
- CLOS class `mcias-client`; plain functions for all operations
|
||||
- Conditions: `mcias-error` base + 6 typed subclasses
|
||||
- Mock server: Hunchentoot `mock-dispatcher` subclass (port 0, random per test)
|
||||
- 33 fiveam checks; all pass on SBCL 2.6.1
|
||||
- 37 fiveam checks; all pass on SBCL 2.6.1
|
||||
- Fixed: yason decodes JSON `false` as `:false`; `validate-token` normalises
|
||||
to `t`/`nil` before returning
|
||||
|
||||
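Review bot: the count edits in this hunk (Go client 20 to 25, Rust 22 to 23, fiveam checks 33 to 37) have nothing to do with the UI work named in the commit subject and are not mentioned in the message. The Go and Lisp numbers only catch up with totals the summary line at the top of the file already carried, so these hand-maintained figures have been drifting; move the corrections to their own commit, and consider generating the per-client counts from the test runs instead of editing them by hand.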
@@ -50,7 +50,7 @@ conditions (go test -race ./...).
|
||||
- Package `mcias_client` (setuptools, pyproject.toml); dep: `httpx >= 0.27`
|
||||
- `Client` context manager; `py.typed` marker; all symbols fully annotated
|
||||
- Dataclasses: `Account`, `PublicKey`, `PGCreds`
|
||||
- 33 pytest tests using `respx` mock transport; `mypy --strict` clean; `ruff` clean
|
||||
- 32 pytest tests using `respx` mock transport; `mypy --strict` clean; `ruff` clean
|
||||
|
||||
**test/mock/mockserver.go** — Go in-memory mock server
|
||||
- `Server` struct with `sync.RWMutex`; used by Go client integration test
|
||||
|
||||
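Review bot: the pytest figure on the `respx` line goes from 33 to 32, the only count in this patch that decreases, and neither the hunk nor the commit message explains it. Say whether a test was removed or the earlier number was simply wrong, and if a test was dropped, name it and the reason so the loss of coverage is reviewable.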