summaryrefslogtreecommitdiff
path: root/food_project
AgeCommit message (Collapse)Author
2026-06-23auth: trust nginx HTTPS proxy for CSRF (SECURE_PROXY_SSL_HEADER + ↵HEADmasterauthTom Flux
CSRF_TRUSTED_ORIGINS) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23Phase 2: session auth for the web UITom Flux
Require login for /app/, with a long sliding session so you log in once per device and effectively stay in. - AppLoginRequiredMiddleware gates only /app/; /api/ keeps DRF token auth and /admin/ keeps its own login (a blanket LoginRequired would break token requests, whose user isn't resolved until the view runs). - Login page (styled to the dark palette) via django.contrib.auth.urls; logout control in the nav. - Session: ~1 year cookie, sliding (saved every request), survives browser close. - Dropped every @csrf_exempt now that a real session + CSRF token are in place (HTMX already sends X-CSRFToken). - SECRET_KEY and DEBUG now read from the environment (prod-safe defaults); systemd loads an optional /var/lib/food/.env. - Tests authenticate, plus new coverage: /app/ redirects when logged out, login grants access, /api/ is not caught by the app gate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-04-02Add food.tomflux.xyz to ALLOWED_HOSTSCaine
2026-04-02Phase 4: HTMX frontend with dark paletteCaine
- 4 pages: Pantry, Recipes, Shopping List, Cook Log - HTMX-powered: add/delete pantry items, toggle shopping, generate smart list - Custom 13-colour palette from Lospec (dark bg, yellow accent) - Mobile-responsive - Whitenoise for static files in production - All routes under /app/ - API (/api/) stays internal, frontend (/app/) for browser use
2026-04-02Add API: URLs, token auth, what-can-i-cook endpoint, log-cook with pantry ↵Caine
deduction, browsable API
2026-04-01Configure settings: add kitchen app, DRF, timezone, allowed hostsCaine