Josh Hawkins 152e585206 Authentication improvements (#21194) ... * jwt permissions * add old password to body req * add model and migration need to track the datetime that passwords were changed for the jwt * auth api backend changes - use os.open to create jwt secret with restrictive permissions (0o600: read/write for owner only) - add backend validation for password strength - add iat claim to jwt so the server can determine when a token was issued and reject any jwts issued before a user's password_changed_at timestamp, ensuring old tokens are invalidated after a password change - set logout route to public to avoid 401 when logging out - issue new jwt for users who change their own password so they stay logged in * improve set password dialog - add field to verify old password - add password strength requirements * frontend tweaks for password dialog * i18n * use verify endpoint for existing password verification avoid /login side effects (creating a new session) * public logout * only check if password has changed on jwt refresh * fix tests Fix migration 030 by using raw sql to select usernames (avoid ORM selecting nonexistent columns) * add multi device warning to password dialog * remove password verification endpoint Just send old_password + new password in one request, let the backend handle verification in a single operation		2025-12-08 09:02:28 -07:00
..
fonts	Use Inter webfont instead of ttf (#10456)	2024-03-14 09:50:06 -06:00
images	Implement support for notifications (#12523)	2024-08-29 20:19:50 -06:00
locales	Authentication improvements (#21194)	2025-12-08 09:02:28 -07:00
notifications-worker.js	Miscellaneous Fixes (#20897)	2025-11-17 08:12:05 -06:00
robots.txt	feat: add robots.txt (#20093)	2025-09-16 06:14:27 -06:00