security: CORS hardening, path traversal fix, WebSocket auth + cleanup
- Restrict CORS to localhost origins (was allow_origins=[*])
- Require valid JWT on WebSocket /ws (anonymous no longer gets admin view)
- Fix path traversal in delete_cell(): resolve() + parent check
- Validate cell_id format in /charts/download-noaa/{cell_id}
- Exclude charts/ and Cartas/ from git (keep US1GC09M world overview)
- Add NOAA ENC Portal external link in charts catalog tab
- Untrack __pycache__/, .db, .claude/ session files
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+11
-7
@@ -17,13 +17,11 @@ build/
*.db
*.sqlite

# ENC / chart binary exchange sets (large S-57 binaries)
Cartas/*/ENC_ROOT/**/*.000
Cartas/*/ENC_ROOT/**/*.001
Cartas/*/ENC_ROOT/**/*.002
Cartas/*/ENC_ROOT/**/*.003
Cartas/*/ENC_ROOT/**/*.004
Cartas/*/ENC_ROOT/**/*.005
# ENC / S-57 chart data — large binary + GeoJSON, rebuilt on demand.
# Keep only the single world-overview cell (US1GC09M) as base reference.
Cartas/
charts/
!charts/US1GC09M/

# Generated GeoJSON (rebuilt on demand)
backend/cache/
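Review bot: the `!charts/US1GC09M/` negation has no effect as written, because the line directly above it excludes the `charts/` directory itself and Git never re-includes anything beneath an excluded parent directory (it does not descend into it). Files under `charts/US1GC09M/` that are already tracked stay tracked, but nothing new added there will be picked up by `git add` or reported by `git status`, which defeats the "keep US1GC09M world overview" intent in the commit message. Exclude the directory's contents rather than the directory, e.g. `charts/*` followed by `!charts/US1GC09M/`, and do the same for `Cartas/` if any cell under it is meant to survive. Note also that replacing the narrow `Cartas/*/ENC_ROOT/**/*.000` … `*.005` patterns with the whole `Cartas/` tree now hides any non-binary files (catalogs, readmes, metadata) that sat beside the exchange sets; if those should remain versioned, a matching negation is needed for them too.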
@@ -34,3 +32,9 @@ node_modules/
# OS
.DS_Store
Thumbs.db

# IDE / session files
.claude/
*.log
logs/
.nextcloudsync.log
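Review bot: `.nextcloudsync.log` is already matched by the `*.log` pattern two lines above it, so the last line is redundant and can be dropped (or, if it is there to document a specific file, a comment should say so). More importantly, adding `.claude/` and the log patterns only prevents future additions: any session files or logs committed before this change remain in every clone's history even after the untracking the commit message describes, so if they could contain tokens, local paths or prompt transcripts that should not be public, they need a history rewrite and rotation of any exposed credentials rather than just an ignore rule.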