funman300 7dbf34c163 fix(server): move bcrypt to spawn_blocking, async file I/O, validate JWT_SECRET ...

Three independent hardening changes:

1. bcrypt on a blocking thread: hash() and verify() are CPU-bound
   (~300 ms at cost 12). Running them directly on an async task starved
   the Tokio runtime under concurrent load. Wrapped in spawn_blocking.

2. Async avatar file I/O: std::fs::write/rename/remove_file in an async
   handler blocks the executor. Replaced with tokio::fs equivalents.

3. JWT_SECRET minimum length: a secret shorter than 32 bytes is fatally
   weak. validate_jwt_secret() now rejects it at startup with a clear
   message rather than silently accepting it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-08 11:05:45 -07:00

..

e2e

test: expand WASM unit tests and add web behavior e2e specs

2026-06-02 14:12:42 -07:00

migrations

feat(auth): add /api/me endpoint, avatar upload, and profile picture support

2026-05-14 17:14:42 -07:00

src

fix(server): move bcrypt to spawn_blocking, async file I/O, validate JWT_SECRET

2026-06-08 11:05:45 -07:00

tests

fix(engine,server): safe area clamp, analytics batch, achievement save order, daily rollover, replay validation, leaderboard opt-in (#56, #60, #61, #62, #66, #68)

2026-05-28 13:07:22 -07:00

web

feat(e2e): add window.__FERROUS_DEBUG__ bridge to /play for automation

2026-06-02 13:41:07 -07:00

.env.example

feat(sync): re-auth prompt on expired session + server deployment artifacts

2026-05-12 12:45:08 -07:00

Cargo.toml

feat(server): web replay viewer (HTML/CSS + WASM bindings)

2026-05-05 18:54:01 +00:00

docker-compose.yml

chore: rename app from Solitaire Quest to Ferrous Solitaire

2026-05-14 19:23:49 -07:00

Dockerfile

fix(ci): remove Quaternions registry auth; add canvas WASM drift guard

2026-06-02 12:20:56 -07:00