updating documentation
Some checks failed
Build and Deploy / build-and-deploy (push) Failing after 1m27s
Some checks failed
Build and Deploy / build-and-deploy (push) Failing after 1m27s
This commit is contained in:
lila
parent
98c59f33c5
commit
fd9667c1fd
2 changed files with 351 additions and 6 deletions
|
|
@ -8,15 +8,9 @@ Labels: `[feature]` `[infra]` `[security]` `[ux]` `[debt]`
|
|||
|
||||
Things that are actively in progress or should be picked up immediately. Mostly operational risk and the remaining phase 7 hardening work.
|
||||
|
||||
- **Google OAuth publishing** `[infra]`
|
||||
Only test users can currently log in via Google. Publish the OAuth consent screen so any Google user can sign in — requires branding verification in Google Cloud Console.
|
||||
|
||||
- **Hetzner domain migration check** `[infra]`
|
||||
Verify whether the lilastudy.com domain needs to be migrated following a Hetzner DNS change. Check Hetzner dashboard for any pending migration notice.
|
||||
|
||||
- **Conditionally register OAuth providers** `[debt]`
|
||||
Better Auth logs warnings when social providers are registered without credentials (`Social provider google is missing clientId or clientSecret`). Instead of registering all providers unconditionally, only add a provider to the config when its credentials are present in the environment. Keeps local dev clean for contributors who don't have OAuth apps set up.
|
||||
|
||||
---
|
||||
|
||||
## next
|
||||
|
|
@ -69,6 +63,9 @@ Clearly planned work, not yet started. No hard ordering — sequence based on wh
|
|||
- **Tighten CSP to remove unsafe-inline** `[security]`
|
||||
Current script-src uses 'unsafe-inline' to accommodate framework-injected inline scripts (likely TanStack Router hydration). Tightening this would require nonce-based CSP, which needs server-rendered HTML or a Caddy layer that injects per-request nonces. Not urgent — pragmatic CSP with 'unsafe-inline' is mainstream for SPAs at this scale. Revisit if the app handles more sensitive data or grows a meaningful user base
|
||||
|
||||
- **Publish Google OAuth consent screen** `[infra]`
|
||||
App is currently in testing mode, which caps OAuth sign-ins at 100 users. Before hitting that limit, publish the consent screen in Google Cloud Console. Basic scopes (email, profile, openid) require no Google review — just fill in branding fields (app name, logo, support email, privacy policy URL) and click publish. Trigger: do this before reaching 80 users.
|
||||
|
||||
---
|
||||
|
||||
## later
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue