24 lines
979 B
Markdown
24 lines
979 B
Markdown
|
# TODO List
|
||
|
|
|
||
|
|
## Security Improvements
|
||
|
|
|
||
|
|
### Make Server Secret Configurable
|
||
|
|
Currently, the server secret used for cookie encryption is not configurable and uses Rocket's default. We should:
|
||
|
|
- Add a configuration option for the server secret
|
||
|
|
- Allow it to be set via environment variable or config file
|
||
|
|
- Generate and persist a random secret on first run if none is provided
|
||
|
|
- Add documentation about the security implications of the secret
|
||
|
|
|
||
|
|
### Improve Session Management
|
||
|
|
Current session management is basic and needs improvement:
|
||
|
|
- Replace simple user_id cookie with a proper session system
|
||
|
|
- Add session expiry and renewal logic
|
||
|
|
- Store sessions in the database with proper cleanup
|
||
|
|
- Add ability to revoke sessions
|
||
|
|
- Consider adding "remember me" functionality
|
||
|
|
- Add session tracking (last used, IP, user agent, etc.)
|
||
|
|
|
||
|
|
Reference: [Current basic implementation in user.rs](src/user.rs) with the comment:
|
||
|
|
```rust
|
||
|
|
// TODO there should be a more complicated notion of a session
|
||
|
|
```
|