kiosk-guestbook

tmdinosaurcenter/kiosk-guestbook

Fork 0

mirror of https://github.com/tmdinosaurcenter/kiosk-guestbook.git synced 2026-06-04 05:08:39 -06:00

Commit Graph

Author	SHA1	Message	Date
steve	047f57513d	feat: add PWA support and mobile admin card layout All pages: manifest link, apple-mobile-web-app meta tags, theme-color, viewport-fit=cover, overscroll-behavior:none, safe-area padding, 16px input font-size to prevent iOS zoom, SW registration. admin.html: card-per-entry layout on small screens (d-md-none) with name, location, timestamp, newsletter status, email, comment, and delete button. Desktop table unchanged (d-none d-md-block).	2026-03-29 19:20:29 -06:00
steve	ecdcc044b7	feat: add CSRF protection to all POST forms Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token hidden fields to all four POST forms (login, delete entry, add user, delete user, and the public guestbook form). Exempts the API endpoint which uses header-based key auth instead.	2026-03-28 23:23:53 -06:00
steve	2d4eac6583	refactor: migrate admin auth from HTTP Basic to Flask-Login sessions Replaces browser-cached Basic Auth credentials with proper server-side session management. Logout now fully invalidates the session. Adds an HTML login form at /admin/login, SECRET_KEY env var support, and updates README with key generation instructions and role table.	2026-03-10 11:41:16 -06:00

Author

SHA1

Message

Date

steve

047f57513d

feat: add PWA support and mobile admin card layout

All pages: manifest link, apple-mobile-web-app meta tags, theme-color,
viewport-fit=cover, overscroll-behavior:none, safe-area padding, 16px
input font-size to prevent iOS zoom, SW registration.

admin.html: card-per-entry layout on small screens (d-md-none) with
name, location, timestamp, newsletter status, email, comment, and
delete button. Desktop table unchanged (d-none d-md-block).

2026-03-29 19:20:29 -06:00

steve

ecdcc044b7

feat: add CSRF protection to all POST forms

Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token
hidden fields to all four POST forms (login, delete entry, add user,
delete user, and the public guestbook form). Exempts the API endpoint
which uses header-based key auth instead.

2026-03-28 23:23:53 -06:00

steve

2d4eac6583

refactor: migrate admin auth from HTTP Basic to Flask-Login sessions

Replaces browser-cached Basic Auth credentials with proper server-side
session management. Logout now fully invalidates the session. Adds an
HTML login form at /admin/login, SECRET_KEY env var support, and updates
README with key generation instructions and role table.

2026-03-10 11:41:16 -06:00

3 Commits