26.6.8
Highlights
- Added production secret-file support for backend configuration and Docker Compose deployment overlays.
- Migrated auth session handling to HttpOnly cookie-based token transport.
Security
- Backend now supports file-based secret loading via DATABASE_URL_FILE and JWT_SECRET_KEY_FILE, which point at files holding the values so the secrets themselves do not have to live in the environment or the repository.
- Production deployments can use compose.prod.yaml with Docker secrets instead of repo-managed values.
- Security backlog statuses updated to mark both secret-handling items complete.
- Backend now accepts auth tokens from the HttpOnly session cookie in addition to Authorization: Bearer headers.
- Auth endpoints now set the nexus_access_token HttpOnly cookie on sign-in and sign-up and clear it on sign-out.
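The two backend changes above (loading secrets from NAME_FILE paths, and reading the access token from either the nexus_access_token cookie or a bearer header) in working form, as an added example written for these notes; it is not code from the project. loadSecret, tokenFromRequest, setTokenCookie, clearTokenCookie, the header-over-cookie precedence and the exact cookie attributes are this example's own assumptions, and the environment and secret file are constructed inline so it runs offline.

```javascript
// Added example, not the project's backend code. Function names, header
// precedence and cookie attributes are assumptions made for this example.

const COOKIE_NAME = 'nexus_access_token';

// Resolve a secret from NAME or NAME_FILE. Docker Compose mounts secrets as
// files (by convention under /run/secrets/), so the production overlay points
// NAME_FILE at that path while development can still set NAME directly.
// readFile is injected so this runs offline; in production pass
// (p) => fs.readFileSync(p, 'utf8').
function loadSecret(name, { env, readFile, required = true }) {
  const fileVar = `${name}_FILE`;
  const direct = env[name];
  const path = env[fileVar];
  if (direct !== undefined && path !== undefined) {
    // Refuse to guess which one the operator meant.
    throw new Error(`${name} and ${fileVar} are both set; set only one`);
  }
  if (path !== undefined) {
    // Secret files usually end with a newline; keep it out of the value so it
    // does not become part of a connection string or signing key.
    return readFile(path).replace(/\r?\n$/, '');
  }
  if (direct !== undefined) return direct;
  if (required) throw new Error(`${name} is required: set ${name} or ${fileVar}`);
  return undefined;
}

// headers: a lowercase-keyed header object like Node's req.headers.
// An explicit Authorization header wins over the ambient cookie (assumption);
// the cookie is the fallback so browser clients need no token in script.
function tokenFromRequest(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers['authorization'] || '');
  if (m) return m[1];
  for (const part of (headers['cookie'] || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    const value = rest.join('='); // token values may themselves contain '='
    if (key === COOKIE_NAME && value) return decodeURIComponent(value);
  }
  return null;
}

// Set-Cookie value for sign-in/sign-up. HttpOnly keeps the token away from
// script, Secure restricts it to HTTPS, SameSite=Lax keeps it off cross-site
// POSTs, Path=/ makes it reach /auth/me and every other API route.
function setTokenCookie(token, maxAgeSeconds) {
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// Set-Cookie value for sign-out. Same attributes (a browser only replaces a
// cookie whose name, domain and path match) with Max-Age=0 to delete it.
function clearTokenCookie() {
  return `${COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
}

// Constructed demo environment standing in for process.env and /run/secrets.
const demoFiles = { '/run/secrets/jwt_secret_key': 'k3y-from-docker-secret\n' };
const demoEnv = {
  DATABASE_URL: 'postgres://app:pw@db:5432/app',
  JWT_SECRET_KEY_FILE: '/run/secrets/jwt_secret_key',
};
function demoReadFile(path) {
  if (!(path in demoFiles)) throw new Error(`no such file: ${path}`);
  return demoFiles[path];
}

// Stand-alone run: load both secrets and parse a constructed request.
const jwtSecret = loadSecret('JWT_SECRET_KEY', { env: demoEnv, readFile: demoReadFile });
loadSecret('DATABASE_URL', { env: demoEnv, readFile: demoReadFile });
console.log(`JWT secret loaded from file (${jwtSecret.length} bytes); DATABASE_URL taken from env`);
console.log('token from cookie:', tokenFromRequest({ cookie: `theme=dark; ${COOKIE_NAME}=abc%3D%3D` }));
console.log('sign-out header:', clearTokenCookie());
```

With a compose overlay, the backend service lists the secret under `secrets:` and Docker mounts it at /run/secrets/<name>, so the service environment only carries JWT_SECRET_KEY_FILE=/run/secrets/<name>; the actual names used by compose.prod.yaml are in docs/guide/production-secrets.md. One caveat that goes with cookie transport: every browser request is now ambiently authenticated, so state-changing endpoints need a CSRF defence (SameSite alone is not sufficient when the frontend and API are served from different sites), which is outside what these notes cover.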
Token Storage
- Frontend no longer persists access tokens in local storage.
- API requests now use credentials: include and rely on the HttpOnly session cookie.
- Root-route session detection now checks /auth/me before deciding whether to route to dashboard or docs.
Session UX Reliability
- Frontend now centralizes 401 handling for authenticated API requests.
- Expired/invalid/signed-out session responses now immediately clear local auth state.
- Protected routes now redirect to sign-in with a clear session-expired message instead of appearing signed in.
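The Token Storage and Session UX Reliability behaviour above, as one added frontend example written for these notes (not the project's own client code): requests always go out with credentials: include and never carry a token from script, the root route asks /auth/me whether a session exists, and a single response handler turns any 401 into cleared local state plus a redirect to sign-in with a session-expired message. createApiClient, SessionExpiredError, the navigate callback, the /sign-in and /docs paths and the message text are this example's assumptions; the fetch stand-in is constructed so the block runs offline.

```javascript
// Added example, not the project's frontend code. Names and paths other than
// /auth/me and credentials: 'include' are assumptions made for this example.

const SESSION_EXPIRED_MESSAGE = 'Your session has expired. Please sign in again.';

class SessionExpiredError extends Error {
  constructor() {
    super('session expired, invalid, or signed out');
    this.name = 'SessionExpiredError';
  }
}

function createApiClient({ baseUrl = '', fetchImpl = globalThis.fetch, navigate }) {
  // Only non-secret UI state lives here. The access token is never read or
  // stored by script: it travels in the HttpOnly cookie the browser attaches.
  const state = { user: null };

  function clearAuthState() {
    state.user = null;
  }

  // Single place that interprets an authenticated response. Any 401 (expired,
  // invalid, or already signed out server-side) drops local state immediately
  // and sends the user to sign-in with an explicit message instead of leaving
  // a stale "signed in" UI on screen.
  function handleAuthenticatedResponse(res) {
    if (res.status === 401) {
      clearAuthState();
      navigate('/sign-in', { message: SESSION_EXPIRED_MESSAGE });
      throw new SessionExpiredError();
    }
    return res;
  }

  async function apiFetch(path, init = {}) {
    const res = await fetchImpl(baseUrl + path, {
      ...init,
      credentials: 'include', // send the session cookie, also cross-origin to the API host
      headers: { Accept: 'application/json', ...(init.headers || {}) },
    });
    return handleAuthenticatedResponse(res);
  }

  // Root route: the server, not a local flag, decides whether a session exists.
  // A 401 here is the normal anonymous case, so it routes to docs without the
  // expired-session message.
  async function resolveRootRoute() {
    const res = await fetchImpl(baseUrl + '/auth/me', {
      credentials: 'include',
      headers: { Accept: 'application/json' },
    });
    if (res.status === 401) {
      clearAuthState();
      return '/docs';
    }
    if (!res.ok) throw new Error(`GET /auth/me failed with ${res.status}`);
    state.user = await res.json();
    return '/dashboard';
  }

  return { apiFetch, resolveRootRoute, handleAuthenticatedResponse, clearAuthState, state };
}

// Constructed stand-in for fetch: answers 200 while session.valid is true and
// 401 afterwards, and refuses any request sent without cookie credentials.
function makeFakeFetch(session) {
  return async (url, init) => {
    if (init.credentials !== 'include') throw new Error(`request to ${url} sent without credentials: include`);
    if (session.valid) return { ok: true, status: 200, json: async () => ({ id: 1, email: 'user@example.com' }) };
    return { ok: false, status: 401, json: async () => ({ detail: 'invalid or expired token' }) };
  };
}

// Stand-alone run: a valid session routes to the dashboard; once the cookie
// stops being accepted, the next authenticated call clears state and redirects.
async function demo() {
  const session = { valid: true };
  const navigations = [];
  const api = createApiClient({
    baseUrl: 'https://api.example.test',
    fetchImpl: makeFakeFetch(session),
    navigate: (to, opts) => navigations.push({ to, ...opts }),
  });
  const first = await api.resolveRootRoute();
  session.valid = false; // server no longer accepts the cookie
  let secondError = null;
  try { await api.apiFetch('/auth/me'); } catch (e) { secondError = e.name; }
  return { first, secondError, user: api.state.user, navigations };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The routing split matters: resolveRootRoute treats 401 as "anonymous visitor" and routes to docs quietly, while handleAuthenticatedResponse treats 401 on a request the UI believed was authenticated as a lost session and surfaces the message; both paths clear local state so nothing downstream keeps rendering as signed in.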
Docs and Operations
- Added production secret setup and deployment guide: docs/guide/production-secrets.md
- Added docs navigation entry for the production secret guide.
- README now references production secret storage workflow and production overlay usage.