26.6.8

Highlights

  • Added production secret-file support for backend configuration and Docker Compose deployment overlays.
  • Migrated auth session handling to HttpOnly cookie-based token transport.

Security

  • Backend now supports file-based secret loading via:
    • DATABASE_URL_FILE
    • JWT_SECRET_KEY_FILE
  • Production deployments can use compose.prod.yaml with Docker secrets instead of repo-managed values.
  • Security backlog statuses updated to mark both secret-handling items complete.
  • Backend now accepts auth tokens from secure cookie transport in addition to bearer headers.
  • Auth endpoints now set/clear the nexus_access_token HttpOnly cookie for sign-in, sign-up, and sign-out.
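The two backend-side changes listed above, shown as an added example that is not the Nexus project's own code: a secret loader that honours the `*_FILE` convention (Docker secrets mounted as files) and a request helper that accepts the token from a bearer header or from the `nexus_access_token` HttpOnly cookie. The function names, the `/run/secrets/...` paths, the cookie attributes and the sample values are assumptions; only the variable and cookie names come from the release notes.

```javascript
// Added example, not Nexus project code. Framework-agnostic Node.js functions
// for the backend items in the Security section; names and paths are assumed.

const COOKIE_NAME = 'nexus_access_token';

// Resolve one secret: prefer NAME_FILE (a mounted Docker secret), fall back to
// NAME (plain env var), and refuse ambiguous or empty configuration.
function loadSecret(name, env, readFile) {
  const fileVar = `${name}_FILE`;
  const filePath = env[fileVar];
  const inline = env[name];
  if (filePath !== undefined && inline !== undefined) {
    throw new Error(`Set either ${name} or ${fileVar}, not both`);
  }
  let value;
  if (filePath !== undefined) {
    // Docker writes the secret verbatim; editors often append one trailing newline.
    value = readFile(filePath).replace(/\r?\n$/, '');
  } else if (inline !== undefined) {
    value = inline;
  } else {
    throw new Error(`Missing required secret: set ${name} or ${fileVar}`);
  }
  if (value.length === 0) throw new Error(`Secret ${name} resolved to an empty value`);
  return value;
}

// Reader for real deployments; require() is only evaluated when called.
function fsReader(path) {
  return require('node:fs').readFileSync(path, 'utf8');
}

function loadBackendConfig(env, readFile = fsReader) {
  return {
    databaseUrl: loadSecret('DATABASE_URL', env, readFile),
    jwtSecretKey: loadSecret('JWT_SECRET_KEY', env, readFile),
  };
}

// Parse a Cookie header into a name -> value map (first occurrence wins).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    const v = part.slice(idx + 1).trim();
    if (k && !(k in out)) out[k] = decodeURIComponent(v);
  }
  return out;
}

// Accept the token from "Authorization: Bearer <token>" or, failing that, from
// the HttpOnly session cookie. Returns null when neither is present.
function readTokenFromRequest(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec((headers.authorization || '').trim());
  if (m) return { token: m[1], source: 'bearer' };
  const cookies = parseCookies(headers.cookie);
  if (cookies[COOKIE_NAME]) return { token: cookies[COOKIE_NAME], source: 'cookie' };
  return null;
}

// Set-Cookie values for sign-in/sign-up (set) and sign-out (clear). HttpOnly
// keeps the token away from page scripts; Secure and SameSite limit where the
// browser will send it. Attribute choices here are assumptions.
function sessionCookie(token, maxAgeSeconds) {
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}
function clearSessionCookie() {
  return `${COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed demo input standing in for two mounted Docker secrets.
const demoFiles = {
  '/run/secrets/database_url': 'postgres://nexus:pw@db:5432/nexus\n',
  '/run/secrets/jwt_secret_key': 'constructed-demo-key',
};
const demoEnv = {
  DATABASE_URL_FILE: '/run/secrets/database_url',
  JWT_SECRET_KEY_FILE: '/run/secrets/jwt_secret_key',
};
const demoConfig = loadBackendConfig(demoEnv, (p) => {
  if (!(p in demoFiles)) throw new Error(`secret file not found: ${p}`);
  return demoFiles[p];
});
```

The bearer path is kept for non-browser clients; the cookie path is what the browser uses after this release. Because a browser attaches the cookie to every matching request on its own, an endpoint that accepts it should rely on the SameSite attribute (Lax above) or an explicit CSRF check, which a pure bearer scheme did not need.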

Token Storage

  • Frontend no longer persists access tokens in local storage.
  • API requests now use credentials: include and rely on the HttpOnly session cookie.
  • Root-route session detection now checks /auth/me before deciding whether to route to dashboard or docs.

Session UX Reliability

  • Frontend now centralizes 401 handling for authenticated API requests.
  • Expired/invalid/signed-out session responses now immediately clear local auth state.
  • Protected routes now redirect to sign-in with a clear session-expired message instead of appearing signed in.
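The client side of the Token Storage and Session UX items above, as an added example that is not the Nexus project's own code: one request function that always sends `credentials: 'include'` and handles 401 in a single place, a root-route check against `/auth/me`, and a sign-out that clears local state. `fetchImpl`, `navigate` and the auth-state object are injected so the code runs without a browser; the `/auth/me` path and `credentials: include` come from the release notes, while `/sign-in`, `/dashboard`, `/docs`, the `reason` query value and the fake server responses are assumptions.

```javascript
// Added example, not Nexus project code. Client-side API layer for the
// Token Storage and Session UX items; route names and responses are assumed.

function createApiClient({ fetchImpl, navigate, authState, baseUrl = '' }) {
  // Drop the client-side notion of "signed in" and send the user to sign-in.
  // No token is ever stored here: it lives only in the HttpOnly cookie.
  function handleSessionEnd(reason) {
    authState.user = null;
    navigate(`/sign-in?reason=${encodeURIComponent(reason)}`);
  }

  // Every authenticated request goes through here, so 401 handling is centralized.
  async function request(path, init = {}) {
    const res = await fetchImpl(baseUrl + path, {
      ...init,
      credentials: 'include', // the browser attaches the HttpOnly cookie
      headers: { Accept: 'application/json', ...(init.headers || {}) },
    });
    if (res.status === 401) {
      handleSessionEnd('session-expired');
      return { ok: false, status: 401, data: null };
    }
    const data = res.status === 204 ? null : await res.json();
    return { ok: res.ok, status: res.status, data };
  }

  // Root route: ask the backend who we are instead of trusting local state.
  async function resolveRootRoute() {
    const res = await fetchImpl(baseUrl + '/auth/me', { credentials: 'include' });
    if (res.status === 200) {
      authState.user = await res.json();
      return '/dashboard';
    }
    authState.user = null;
    return '/docs';
  }

  async function signOut() {
    await fetchImpl(baseUrl + '/auth/sign-out', { method: 'POST', credentials: 'include' });
    handleSessionEnd('signed-out');
  }

  return { request, resolveRootRoute, signOut };
}

// Constructed fake server: the session is valid until expire() is called.
function makeFakeFetch() {
  const calls = [];
  let sessionValid = true;
  const json = (status, body) => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () => body,
  });
  async function fetchImpl(url, init) {
    calls.push({ url, init });
    if (url.endsWith('/auth/sign-out')) { sessionValid = false; return json(204, null); }
    if (!sessionValid) return json(401, { error: 'unauthenticated' });
    if (url.endsWith('/auth/me')) return json(200, { id: 'u1', email: 'demo@example.test' });
    return json(200, { items: [] });
  }
  return { fetchImpl, calls, expire: () => { sessionValid = false; } };
}

// Walk through: valid session, then an expired one, and report what happened.
async function demo() {
  const fake = makeFakeFetch();
  const navigations = [];
  const authState = { user: null };
  const api = createApiClient({
    fetchImpl: fake.fetchImpl,
    navigate: (p) => navigations.push(p),
    authState,
  });
  const route = await api.resolveRootRoute(); // '/dashboard' while the cookie is valid
  const first = await api.request('/items');  // normal 200
  fake.expire();                              // simulate an expired/invalid session cookie
  const second = await api.request('/items'); // 401: state cleared, redirected once
  return { route, first, second, navigations, user: authState.user, calls: fake.calls };
}
```

Because the token is never readable from script, the only client-side state is `authState.user`, and every path that learns the session is gone (a 401 or an explicit sign-out) funnels through `handleSessionEnd`, which is what prevents a stale "signed in" view.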

Docs and Operations

  • Added production secret setup and deployment guide:
    • docs/guide/production-secrets.md
  • Added docs navigation entry for the production secret guide.
  • README now references production secret storage workflow and production overlay usage.

Nexus by McGuire Technology