Commit Graph

30 Commits

Author SHA1 Message Date
fs
9688848401 Global Boomarks 2026-03-14 21:45:58 +01:00
fs
1cc63a5fbe fix: add missing system-audit search key to sidebar template
The backend returns system-audit results but the sidebar had no
matching <li data-search-key="system-audit"> element, causing a
console warning on every global search query.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 22:40:48 +01:00
fs
2b915f5a43 refactor: extract shared form utils, add aria-live regions and reduced-motion support
DRY duplicated helpers (escapeAttr, belongsToForm, isSubmitControl,
isEditableTarget) into web/js/core/app-form-utils.js and update 7
consumers. Add aria-live="polite" to flash messages, async messages,
and search results for screen reader announcements. Add
prefers-reduced-motion support to CSS tooltips.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 22:28:46 +01:00
fs
ad8f30cb09 feat(security): add Content-Security-Policy headers with strict script-src
Eliminate all inline scripts to enable script-src 'self' without
'unsafe-inline', providing strong XSS mitigation via CSP.

Inline script removal:
- login.phtml: replace inline APP_ASSET_BASE with data-asset-base
  attribute + app-boot.js (matching default.phtml pattern)
- api-docs: extract SwaggerUI init to js/pages/admin-api-docs-index.js
- docs: extract checkbox enablement to js/pages/admin-docs-index.js
- language-switcher: replace onchange handler with data-auto-submit
  attribute + js/components/app-auto-submit.js event listener

CSP policy (dev + prod nginx):
  default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline';
  img-src 'self' data:; font-src 'self'; connect-src 'self';
  form-action 'self'; base-uri 'self'; frame-ancestors 'none';
  manifest-src 'self'

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:24:10 +01:00
fs
e1c211069e fix(session): preserve intended URL across session timeout with remember-me
Session timeout redirected to /de/login?return_to=... but the remember-me
cookie was not cleared by logoutDueToSessionTimeout(). On the next request,
autoLoginFromCookie() silently re-logged the user in, causing the MintyPHP
router to resolve the login route to pages/index().php (dashboard) instead
of the login action — the intended URL redirect logic never executed.

Fix: intercept ?return_to= immediately after successful auto-login in
index.php and redirect to the sanitized route path. Also harden the login
flow with hidden return_to form fields and POST body fallback for cases
without remember-me.

Additional improvements in this commit:
- Convert stored REQUEST_URI to router-compatible path (strip leading
  slash and locale prefix) via IntendedUrlService::toRoutePath()
- Consolidate duplicate CSRF data attributes into shared data-csrf-key
  and data-csrf-token on <html> element
- Add tenant branding (logo) to auth pages via appAuthLogoUrl() helper

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 18:28:13 +01:00
fs
add5cca222 settings cache 2026-03-13 14:38:58 +01:00
fs
04995e3712 feat(session): preserve intended URL across session timeout and add expiry warning dialog
When a session expires, the user's current URL is now captured and restored
after re-authentication (via remember-me cookie or manual login), instead of
always redirecting to the dashboard. A JavaScript session warning dialog
appears ~2 minutes before idle timeout, allowing users to extend their session
with a single click. Includes open-redirect prevention via URL validation,
Microsoft SSO callback support, and 33 unit tests.

Refs: SESSION-REDIRECT-PRESERVE-001

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 14:28:49 +01:00
fs
082fa4c9a5 empty states 2026-03-13 09:49:11 +01:00
fs
cb7256aebc variablen und empty states 2026-03-12 16:47:53 +01:00
fs
0b9014dcbf page update 2026-03-12 14:09:06 +01:00
fs
39a113c5fc fixed wrong warning with single tenant 2026-03-12 12:22:36 +01:00
fs
24a6b79f7a Fix tenant SSO status mode and refactor status UI tiles 2026-03-12 10:01:24 +01:00
fs
1cdd7e59c1 chore(ui): update shell layout and header/footer partials 2026-03-11 23:33:17 +01:00
fs
277168f7e8 feat(admin): preserve list return target for back and close actions 2026-03-11 23:32:11 +01:00
fs
a1c7c9cf7d Standardize global empty-state UI component 2026-03-11 21:38:15 +01:00
fs
60b890d367 Finalize init defaults and auth flow UX improvements 2026-03-11 21:11:19 +01:00
fs
7153fec05c feat(auth): harden login flows and finalize quality-check coverage 2026-03-07 22:54:33 +01:00
fs
9168730a8a further things around login 2026-03-07 21:21:47 +01:00
fs
e3a0c0eb37 ui/ux login optimization 2026-03-07 14:10:36 +01:00
fs
5fb89485f4 login improvements 2026-03-06 21:59:41 +01:00
fs
9a08f96c11 agent foundation 2026-03-06 00:44:52 +01:00
fs
9819cba733 aside anapssungen 2026-03-05 13:07:43 +01:00
fs
b2dab5bd6c topbar anpassungen 2026-03-05 12:51:53 +01:00
fs
4b31fc7664 Repo Interface für tests 2026-03-05 08:26:51 +01:00
fs
8f4dd5840d major update 2026-03-04 15:56:58 +01:00
fs
16759a2732 weitere updates für instanzierbarkeit und sauberes testing 2026-02-24 08:49:40 +01:00
fs
99db252f60 instances added god may help 2026-02-23 12:58:19 +01:00
fs
25370a1a55 add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
fs
3eb9cc0ac4 big restructure 2026-02-11 19:28:12 +01:00
fs
cd59ccd99b baseline 2026-02-04 23:31:53 +01:00