Commit Graph

96 Commits

Author SHA1 Message Date
herel 0615dc6421 fix: remove Cross-Account Data Leakage 2026-06-29 23:04:48 +02:00
herel 71bbb67cef chore: remove debugging prints 2026-06-29 23:03:48 +02:00
herel a17c362c81 fix(frontend): Sanitize DOM rendering to prevent XSS via innerHTML
Replace unsafe innerHTML template literals with document.createElement()
and textContent for all user-conrolled data fields in index.html.

Event cards and modal details previously interpolated API responses
(event.name, event.title, player.fname, staff.role, etc.) directly into
innerHTML without escaping, allowing stored XSS if upstream MyIce data
is malicious (CWE-79 / vuln-0002).

All dynamic text now flows through textContent or createTextNode(),
while static HTML structures (SVG icons, strong labels) remain safe
hardcoded innerHTML assignments.

Refs vuln-0002
2026-06-29 20:05:45 +02:00
herel 77b2531106 fix(api): Send PKCE code_verifier in token exchange and secure OIDC cookies
The /exchange-token endpoint was not sending the code_verifier to the
token endpoint, rendering PKCE protection ineffective. Add the verifier
to the POST body so the IdP can validate the authorization code exchange.

Also add secure=True and samesite='Lax' to all OIDC cookies on /login
to improve cookie security per the recommended remediation.

Refs vuln-0004
2026-06-29 19:49:07 +02:00
herel 0d39efd034 fix: use tailwindcss cli 2026-06-29 18:02:10 +02:00
herel 12aada4986 fix: better subgroup 2026-06-29 17:35:48 +02:00
herel 9795a4c813 fix: proper jwt verification 2026-06-29 17:35:36 +02:00
herel 46ae216e97 fix: IDC State/Nonce Not Validated 2026-06-29 16:53:14 +02:00
herel 19724b1f8b fix: add timeout for request 2026-06-29 16:52:35 +02:00
herel 9e5db51972 fix: Weak JWT Validation 2026-06-29 16:48:02 +02:00
herel c0bfa85688 fix: No static key fallback; reject non-OIDC tokens 2026-06-29 16:43:09 +02:00
herel ffe0a1cf18 fix: remove hard coded old secret 2026-06-29 16:42:51 +02:00
herel ff69806803 fix: Permissive CORS Configuration 2026-06-29 16:40:36 +02:00
herel 524c4db889 fix: Missing Authentication Checks 2026-06-29 16:37:39 +02:00
herel 6b2965c18a fix(security): Authentication Bypass via Broken JWT Validation in AuthHeaders.validate_oidc_token 2026-06-29 16:33:21 +02:00
herel 9363a1f7ef chore: add some debug 2026-06-29 16:30:35 +02:00
herel 449f5450fe chore: update categories 2026-06-29 16:28:15 +02:00
herel f302357545 fix: prevent OS Command Injection 2026-06-29 16:19:33 +02:00
herel b1a792502f fix(schedule): Use midnight as schedule start date
Change date_start from current time to today at midnight so the
schedule fetch query properly covers the full day.
2026-06-05 15:12:33 +02:00
herel 38e3564524 chore: update Dockerfile 2025-11-11 11:06:40 +01:00
herel 6a240c5773 feat: add ESC key support to close event details modal and bump version to v0.6.0 2025-11-11 08:51:58 +01:00
herel b04e8e2900 docs: improve AGENTS.md with better build/lint/test commands and code style guidelines 2025-11-11 08:46:13 +01:00
herel f33bb46d73 chore(docker): use docker cache mount for pip install step 2025-10-15 16:03:01 +02:00
herel cd32efb657 feat: redesign UI with Tailwind CSS and improve event display 2025-10-15 15:59:57 +02:00
herel 747e9db582 chore: use python image 3.13-slim instead of 3.13-alpine 2025-10-01 16:22:48 +02:00
herel 768ac8375b feat: slim down Docker image size by 8x using Alpine Linux base and multi-stage build 2025-09-30 09:22:26 +02:00
herel 4a5b2a5991 chore: update fastapi and dependencies to latest versions 2025-09-30 08:37:56 +02:00
herel c099f1328b chore: migrate to python 3.13 and update dependencies
Migrate from Python 3.11 to 3.13 with updated dependencies. Switch from PyPDF2 to pypdf library for better PDF processing. Add new U14 age groups and extract-pdf utility script.
2025-09-29 23:05:48 +02:00
herel fe8a4e5d09 refactor: migrate to distroless multi-stage Docker build 2025-09-29 22:07:11 +02:00
herel 781d7000cd feat: display staff information and improve empty state handling in game details modal 2025-09-29 20:17:23 +02:00
herel 6903dab06b doc: fix markdownlint issues in AGENTS.md 2025-09-23 09:33:44 +02:00
herel abfad23a7a chore: bump version to v0.5.7 2025-08-20 11:10:20 +02:00
herel 68ecce7d3a feat: layout filters horizontally 2025-08-20 11:10:06 +02:00
herel 1941a924e2 chore: bump version to v0.5.6 2025-08-20 10:17:08 +02:00
herel 702c425476 feat: add secondary agegroup selector for subgroup filtering
- Added subgroup dropdown selector to filter events by team within agegroup
- Implemented logic to populate subgroup options based on selected agegroup
- Updated event filtering to support both agegroup and subgroup criteria
- Added event listeners for real-time filtering when selectors change
2025-08-20 10:17:00 +02:00
herel a74da811c1 chore: bump version to v0.5.5 2025-08-19 19:22:21 +02:00
herel dac110cee0 feat: auto-load events on login and improve player display in event details
- Automatically load events when user logs in
- Rename updateAccountOptions to updateAccountOptionsAndLoadEvents
- Add auto-fetch of events after account selection
- Enhance event details modal with:
  * Player count summary
  * Position breakdown
  * Players sorted by position first, then by number
  * Position displayed in player list
2025-08-19 19:21:50 +02:00
herel 0fd58848f2 chore: add event title 2025-08-19 19:12:45 +02:00
herel de222023a8 chore: bump version to v0.5.4 2025-08-19 19:06:47 +02:00
herel 08aa3f6a0e feat: update agegroup filter to show only agegroup and filter accordingly 2025-08-19 19:06:24 +02:00
herel 0e02245f21 chore: bump version to v0.5.3 2025-08-19 18:50:12 +02:00
herel a86cf76228 fix: improve UI layout and add loading indicator for events 2025-08-19 18:48:56 +02:00
herel 3ab3273fba fix: finalize UI improvements and ensure all functionality works
Final adjustments to UI layout and positioning. Ensured all JavaScript functions are properly connected and working. Verified event loading functionality is fully restored.
2025-08-19 16:12:51 +02:00
herel a17467c313 fix: restore event loading functionality and improve UI layout
Fixed incomplete fetchEvents function by adding missing data processing logic. Restored updateAgeGroupOptions, displayEvents, and fetchEventDetails functions. Moved connected user info to top-right corner. Hide title when logged in. Reduced vertical spacing for better layout. Made event filters more compact. All functionality restored and UI improved.
2025-08-19 16:09:57 +02:00
herel 9c6df3f6a2 feat: enhance login button styling and fix JavaScript syntax errors
Centered the login button on the page with improved styling including padding and shadow effects. Fixed JavaScript syntax errors in the event handling code. Removed unmatched closing div tags to ensure valid HTML structure.
2025-08-19 15:49:28 +02:00
herel a17065b280 fix: improve user authentication and account handling
Fixed issues with user display by fetching user info from userinfo endpoint

Improved error handling for JSON responses in schedule endpoint

Fixed account selection to use available accounts from config instead of default

Enhanced frontend to properly handle API responses and errors
2025-08-19 15:17:45 +02:00
herel 5f12fb08b8 fix: improve authentication handling and error management 2025-08-19 15:04:53 +02:00
herel a2e44b6f50 feat: implement OpenID Connect authentication with Infomaniak 2025-08-19 11:16:07 +02:00
herel 15c148e233 chore: bump version to v0.5.2 2025-08-19 10:48:55 +02:00
herel 7b6bf91502 fix: escape control characters in JSON output to make it jq compatible 2025-08-19 10:48:04 +02:00