- TV tokens upgraded from 4 to 6 digits; Regen Token button in Admin
- Nginx rate limiting on TV dashboard and WebSocket endpoints
- Login lockout after 5 failed attempts (15 min); clears on admin password reset
- HSTS header added; CSP unsafe-inline removed from script-src; CORS restricted to explicit methods/headers
- Dependency CVE fixes: PyJWT 2.12.0, aiomysql 0.3.0, cryptography 46.0.5, python-multipart 0.0.22
- datetime.utcnow() replaced with datetime.now(timezone.utc) throughout
- SQL identifier whitelist for startup migration queries
- README updated: security notes section, lockout docs, token regen, NPM proxy guidance

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
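Two of the items in the message above, the 5-failure / 15-minute login lockout that clears on admin password reset and the SQL identifier whitelist for migration queries, are easy to get subtly wrong, so here is an added illustration of both in Python (the project is FastAPI/SQLAlchemy). This is example code written for this page, not the commit's or the project's own implementation; the class and function names (`LoginLockout`, `is_safe_identifier`, `quote_identifier`) and the table names in `ALLOWED_TABLES` are assumptions. It also shows why the `datetime.utcnow()` replacement matters: the lockout compares timestamps, and mixing naive and aware datetimes raises `TypeError`.

```python
"""Added example: login lockout with timezone-aware timestamps, plus an
identifier whitelist for migration SQL. Names here are hypothetical."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                 # lock on the 5th consecutive failure
LOCKOUT = timedelta(minutes=15)  # how long the lock lasts


def utcnow() -> datetime:
    # Aware replacement for the deprecated datetime.utcnow(). Aware and naive
    # datetimes cannot be compared, so every timestamp here must be aware.
    return datetime.now(timezone.utc)


@dataclass
class _Entry:
    failures: int = 0
    locked_until: datetime | None = None


@dataclass
class LoginLockout:
    """Per-username failure counter. In-memory for illustration only: behind
    several uvicorn workers the state would have to live in a shared store."""
    entries: dict[str, _Entry] = field(default_factory=dict)

    def is_locked(self, username: str, now: datetime | None = None) -> bool:
        now = now or utcnow()
        e = self.entries.get(username)
        if e is None or e.locked_until is None:
            return False
        if now >= e.locked_until:
            # Lock expired: drop the old failures so a fresh window of 5 starts.
            del self.entries[username]
            return False
        return True

    def record_failure(self, username: str, now: datetime | None = None) -> bool:
        """Record one failed login; return True if the account is now locked."""
        now = now or utcnow()
        if self.is_locked(username, now):
            return True
        e = self.entries.setdefault(username, _Entry())
        e.failures += 1
        if e.failures >= MAX_FAILURES:
            e.locked_until = now + LOCKOUT
            return True
        return False

    def record_success(self, username: str) -> None:
        # Caller must check is_locked() first; a correct password while locked
        # must still be rejected, otherwise the lock is pointless.
        self.entries.pop(username, None)

    def clear(self, username: str) -> None:
        """Admin password reset: forget failures and any active lock."""
        self.entries.pop(username, None)


# Identifiers (table/column names) cannot be bound as query parameters, so a
# migration that builds DDL from a name must validate it before interpolating.
# Two checks: an exact allow-list, and a syntactic pattern as defence in depth.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
ALLOWED_TABLES = frozenset({"users", "tv_tokens", "sessions"})  # assumed names


def is_safe_identifier(name: str, allowed: frozenset[str] = ALLOWED_TABLES) -> bool:
    return name in allowed and _IDENT.fullmatch(name) is not None


def quote_identifier(name: str, allowed: frozenset[str] = ALLOWED_TABLES) -> str:
    """Return a backtick-quoted MySQL identifier, or raise for anything
    outside the whitelist (including injection attempts like 'x; DROP ...')."""
    if not is_safe_identifier(name, allowed):
        raise ValueError(f"refusing to use SQL identifier {name!r}")
    return f"`{name}`"


if __name__ == "__main__":
    lock = LoginLockout()
    t0 = utcnow()
    for _ in range(5):
        locked = lock.record_failure("alice", t0)
    print("locked after 5 failures:", locked)
    print("still locked at +14 min:", lock.is_locked("alice", t0 + timedelta(minutes=14)))
    print("unlocked at +15 min:", lock.is_locked("alice", t0 + LOCKOUT))
    print("migration SQL:", f"ALTER TABLE {quote_identifier('users')} ADD COLUMN locked_until DATETIME NULL")
```

The migration string is built only from a value that survived `quote_identifier`, so a name that is not in `ALLOWED_TABLES` never reaches the SQL text; data values still go through bound parameters as usual.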
13 lines
248 B
Plaintext
fastapi==0.115.0
uvicorn[standard]==0.30.6
sqlalchemy[asyncio]==2.0.35
aiomysql==0.3.0
PyJWT==2.12.0
cryptography==46.0.5
passlib[bcrypt]==1.7.4
bcrypt==3.2.2
pydantic-settings==2.5.2
alembic==1.13.3
python-multipart==0.0.22
email-validator==2.2.0