security: CORS hardening, path traversal fix, WebSocket auth + cleanup
- Restrict CORS to localhost origins (was allow_origins=[*])
- Require valid JWT on WebSocket /ws (anonymous no longer gets admin view)
- Fix path traversal in delete_cell(): resolve() + parent check
- Validate cell_id format in /charts/download-noaa/{cell_id}
- Exclude charts/ and Cartas/ from git (keep US1GC09M world overview)
- Add NOAA ENC Portal external link in charts catalog tab
- Untrack __pycache__/, .db, .claude/ session files
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
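An added worked example (not code from this commit or from the AidsMonitoring project) of the two chart-cell checks the message lists: a format whitelist on `cell_id` and a `resolve()` + parent check in `delete_cell()`. The unsafe "before" join is kept beside the hardened form so the escape is visible. The helper names, the directory layout, and the `cell_id` pattern (an assumed 8-character ENC cell-name shape that `US1GC09M` fits) are assumptions; the scenario is constructed in a temporary directory so it runs offline, and it also covers the symlink case that a string-only check would miss.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: an ENC cell name is 8 characters, e.g. US1GC09M (2-letter producer,
# 1-digit usage band, 5 alphanumerics). This is not the project's own validator.
CELL_ID_RE = re.compile(r"^[A-Z]{2}[1-6][A-Z0-9]{5}$")


def unchecked_cell_path(charts_dir: Path, cell_id: str) -> Path:
    """The unsafe 'before' shape: a user-supplied id joined straight onto the
    charts directory. "../secret" walks out of charts_dir."""
    return charts_dir / cell_id


def safe_cell_path(charts_dir: Path, cell_id: str) -> Path:
    """Hardened form: whitelist the id, then resolve() both sides and require
    the target to sit directly under the charts directory."""
    if not CELL_ID_RE.fullmatch(cell_id):
        raise ValueError(f"invalid cell_id: {cell_id!r}")
    base = charts_dir.resolve()
    target = (base / cell_id).resolve()  # follows symlinks, collapses '..'
    if target.parent != base:
        raise ValueError(f"{cell_id!r} resolves outside {base}")
    return target


def delete_cell(charts_dir: Path, cell_id: str) -> bool:
    """Delete one chart cell directory; True if something was removed."""
    target = safe_cell_path(charts_dir, cell_id)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def _rejects(charts_dir: Path, cell_id: str) -> bool:
    """True if the hardened check refuses this id."""
    try:
        safe_cell_path(charts_dir, cell_id)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario in a temp dir: a valid cell, a '..' probe, a nested
    '..' probe, and a symlink named like a valid cell but pointing outside."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        charts = root / "charts"
        (charts / "US1GC09M").mkdir(parents=True)
        secret = root / "secret"
        secret.mkdir()
        (secret / "keep.txt").write_text("must survive")

        results = {
            # the 'before' join happily points at ../secret
            "unchecked_escapes": unchecked_cell_path(charts, "../secret").resolve() == secret,
            "valid_deleted": delete_cell(charts, "US1GC09M"),
            "traversal_rejected": _rejects(charts, "../secret"),
            "nested_traversal_rejected": _rejects(charts, "US1GC09M/../../secret"),
        }
        # The format check passes for this name; only resolve() + parent catches it.
        try:
            (charts / "US1LNK01").symlink_to(secret, target_is_directory=True)
            results["symlink_rejected"] = _rejects(charts, "US1LNK01")
        except OSError:  # symlinks not permitted on this host
            results["symlink_rejected"] = None
        results["secret_survives"] = (secret / "keep.txt").exists()
        return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe:28} {outcome}")
```

The regex alone already blocks `../`, but it cannot see through a symlink placed inside `charts/`; the `resolve()` + `parent` comparison is what makes the deletion safe against both, which is why both layers are worth keeping.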
@@ -53,6 +53,16 @@ DEFAULTS: dict = {
"smtp_from": "",
"smtp_from_name": "AidsMonitoring",
"smtp_use_tls": True,
# ── Cluster / multi-server role ──────────────────────────────────────────
# STANDALONE: single server (default)
# MASTER : central aggregator — accepts connections from slave servers
# SLAVE : field server — forwards all events to the master
"server_role": os.getenv("SERVER_ROLE", "STANDALONE"),
# URL of the master's slave WebSocket endpoint (required when SLAVE)
# Example: "ws://10.0.0.1:8000/ws/slave"
"master_url": os.getenv("MASTER_URL", ""),
# Human-readable name for this slave (shown in master's status panel)
"slave_name": os.getenv("SLAVE_NAME", ""),
}

SETTINGS: dict = dict(DEFAULTS)

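Review bot: `master_url` is documented as "required when SLAVE" but nothing in this hunk enforces it, and `server_role` accepts any string from `SERVER_ROLE`, so a slave started with an empty `MASTER_URL`, or with a typo such as `slave`, silently runs as STANDALONE instead of failing at startup. Consider validating once the dict is built, for example `if SETTINGS["server_role"] == "SLAVE" and not SETTINGS["master_url"]: raise RuntimeError("MASTER_URL is required when SERVER_ROLE=SLAVE")`, and rejecting roles outside the three documented values. The example `ws://10.0.0.1:8000/ws/slave` is a plaintext URL; since the SLAVE comment says it "forwards all events to the master", prefer `wss://` in the example, and document how the slave authenticates to `/ws/slave`, given this same commit starts requiring a valid JWT on `/ws`.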