faral/pokerface
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
12 commits 1 branch 0 tags 298 KiB
Commit graph

8 commits

Author SHA1 Message Date
Jan Willem Mannaerts
99cdd5b102 Fix CSP: allow wp.com image proxy for Gravatar redirects
All checks were successful
Build & Push Container Image / build (push) Successful in 6s
Details 
Gravatar 302 redirects to i0.wp.com for default/fallback avatars.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 16:56:37 +01:00
Jan Willem Mannaerts
4d8c2a301c Fix CSP to allow Google Fonts and Gravatar avatars
All checks were successful
Build & Push Container Image / build (push) Successful in 5s
Details 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 16:50:02 +01:00
Jan Willem Mannaerts
31dfbe3cca Broaden CSP img-src to allow all Atlassian avatar domains
All checks were successful
Build & Push Container Image / build (push) Successful in 5s
Details 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 16:40:02 +01:00
Jan Willem Mannaerts
03ba19042d Harden security across frontend and backend
All checks were successful
Build & Push Container Image / build (push) Successful in 11s
Details 
1. AdfRenderer: validate href starts with https?:// before rendering links
2. Logout route: add requireAuth middleware
3. Jira API params: validate sprintId, boardId, issueIdOrKey are alphanumeric
4. CSP header: add Content-Security-Policy with restrictive defaults
5. OAuth callback: align frontendUrl fallback with index.js
6. Rate limiting: express-rate-limit on API routes + Socket.IO event throttling
7. Session KV keys: prefix with cloudId for tenant isolation defense-in-depth
8. saveScopedEstimate: use withSessionCas for atomic read-update-delete

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 16:05:48 +01:00
Jan Willem Mannaerts
3ab584e2ab Update env example with full Jira scopes and add source code link to privacy page
All checks were successful
Build & Push Container Image / build (push) Successful in 8s
Details 
- Added all required Jira OAuth scopes to .env.example
- Added NATS_TOKEN and JIRA_MOCK_FALLBACK to .env.example
- Added open source section to privacy policy linking to the repo

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 12:32:59 +01:00
Jan Willem Mannaerts
45dbd341a3 Fix Socket.IO origin check and force WebSocket-only transport
All checks were successful
Build & Push Container Image / build (push) Successful in 8s
Details 
Same-origin requests omit the Origin header, which was rejected in
production. Also restrict to WebSocket transport on both client and
server to eliminate need for sticky sessions with multiple replicas.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 12:28:07 +01:00
Jan Willem Mannaerts
047d0de485 Remove dead normalizeIssue function and make legal pages linkable
All checks were successful
Build & Push Container Image / build (push) Successful in 8s
Details 
- Remove unused normalizeIssue and JIRA_STORY_POINTS_FIELD env var
- Add URL routing for /terms, /privacy, /support pages

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-27 22:42:01 +01:00
Jan Willem Mannaerts
fdd9ba8d56 Initial commit: Pokerface sprint planning poker for Jira 
Full-stack app with Express/Socket.io backend, React frontend,
NATS JetStream for state, and Atlassian Jira OAuth integration.

Includes security hardening: NATS auth support, KV bucket TTL
enforcement, CAS retry for race conditions, error message
sanitization, and OAuth state stored in NATS KV.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-26 21:38:37 +01:00