bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4df668b5b84d4dc0021454946746da55c8b3a450
crewli/apps/app
History
bert.hausmans 4df668b5b8 feat: replace token-based impersonation with enterprise-grade header-based system 
Replaces the insecure token-in-localStorage approach with a header-based
impersonation system backed by cache sessions and MFA verification.

Key changes:
- New impersonation_sessions audit table (immutable, ULID PK)
- MFA verification required to start impersonation (TOTP/email/backup)
- X-Impersonate-User header + HandleImpersonation middleware
- Per-request auth context swap (admin session never modified)
- IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL
- Activity log auto-tagged with impersonated_by during sessions
- Frontend: sessionStorage, BroadcastChannel sync, countdown timer
- ImpersonateDialog with reason + MFA verification flow
- 26 comprehensive tests covering core, middleware, audit, lifecycle

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 02:42:53 +02:00
..
public
src
feat: replace token-based impersonation with enterprise-grade header-based system
2026-04-16 02:42:53 +02:00
auto-imports.d.ts
feat: MFA frontend with auth page restyling, challenge screen, and setup wizard
2026-04-15 21:32:17 +02:00
components.d.ts
feat: replace token-based impersonation with enterprise-grade header-based system
2026-04-16 02:42:53 +02:00
dev.Dockerfile
docker-compose.dev.yml
docker-compose.prod.yml
env.d.ts
feat(mail): center-align action button in email template
2026-04-14 00:49:41 +02:00
index.html
feat: align Vuexy primary with demo teal (rgb 13,147,148)
2026-04-15 19:43:14 +02:00
nginx.conf
package.json
feat: MFA frontend with auth page restyling, challenge screen, and setup wizard
2026-04-15 21:32:17 +02:00
pnpm-lock.yaml
feat: MFA frontend with auth page restyling, challenge screen, and setup wizard
2026-04-15 21:32:17 +02:00
prod.Dockerfile
README 2.md
README.md
chore: remove admin SPA and update to two-app production setup
2026-04-15 08:44:10 +02:00
shims.d.ts
themeConfig.ts
feat(mail): center-align action button in email template
2026-04-14 00:49:41 +02:00
tsconfig.json
typed-router.d.ts
refactor: organisation settings — vertical sidebar layout with grouped sections
2026-04-16 02:10:50 +02:00
vite.config.ts
security: round 4 — frontend hardening (deps, XSS, cookie security)
2026-04-14 07:15:00 +02:00

README.md

Crewli — Organizer SPA

Main product UI for organisation and event staff (Vue 3 + Vuexy + Vuetify). Lives in this repo; only re-copy from Vuexy when upgrading the template.

Setup

  1. Install dependencies:
pnpm install
  1. Create .env.local:
VITE_API_URL=http://localhost:8000/api/v1
VITE_APP_NAME="Crewli Organizer"
  1. Dev server uses port 5174 (see vite.config.ts or run from repo root: make app).
pnpm dev --port 5174

Port

Runs on http://localhost:5174

Production: e.g. VITE_API_URL=https://api.crewli.app/api/v1 and host the SPA at https://crewli.app (see api/.env.example for FRONTEND_APP_URL and SANCTUM_STATEFUL_DOMAINS).

Reference in New Issue View Git Blame Copy Permalink