fix: harden authentication security

2026-05-24 14:27:22 +03:00
parent 35c3554742
commit fb246e2e55
9 changed files with 371 additions and 51 deletions
--- a/.env.example
+++ b/.env.example
@@ -38,10 +38,11 @@ SESSION_SECRET=replace_with_32plus_char_random_secret
 # SESSION_COOKIE_NAME=__Host-sid
 # SESSION_COOKIE_SECURE=true
 # SESSION_TTL_DAYS=30
+# AUTH_CLEANUP_INTERVAL_HOURS=24

 # ─── Cloudflare Turnstile ────────────────────────────────────
 TURNSTILE_SECRET_KEY=replace_with_turnstile_secret
-# Local tests/dev only, never production:
+# Local tests/dev only, rejected in production:
 # TURNSTILE_BYPASS_TOKEN=mock-turnstile-token

 # ─── SMTP email ──────────────────────────────────────────────