fix architecture and write new tests

This commit is contained in:
root
2026-06-10 00:40:19 -04:00
parent 560da1cadf
commit 80a597bc10
377 changed files with 84020 additions and 1337 deletions
+3 -5
View File
@@ -28,13 +28,13 @@ We do not use analytics cookies, advertising cookies, or third-party tracking co
| Field | Value |
|---|---|
| **Name** | `employee_token` |
| **Name** | `employee_session` |
| **Category** | Strictly necessary |
| **Duration** | 8 hours (session) |
| **Scope** | All pages (`path=/`) |
| **Third-party** | No |
**Purpose:** This cookie is set when an employee or administrator signs in to the RentalDriveGo workspace. It stores a cryptographically signed token (JWT) that proves your identity to the platform. Without this cookie, the dashboard and protected API endpoints cannot verify who you are and will redirect you to the sign-in page.
**Purpose:** This cookie is set when an employee signs in to the RentalDriveGo workspace. Admins receive a separate `admin_session` cookie. It stores a cryptographically signed token (JWT) that proves your identity to the platform. Without this cookie, the dashboard and protected API endpoints cannot verify who you are and will redirect you to the sign-in page.
**When it is set:** On a successful sign-in.
**When it is removed:** When you sign out, or automatically after 8 hours of inactivity.
@@ -148,9 +148,7 @@ Browser-specific instructions:
## 7. Security
The authentication cookie (`employee_token`) is signed and expires after 8 hours. It is transmitted over HTTPS in production. We recommend using the platform on trusted devices only and signing out when you are finished.
Note for our technical team: the `HttpOnly` and `Secure` flags should be added to `employee_token` in a future release to further limit exposure to XSS and mixed-content attacks.
The authentication cookies (`employee_session` and `admin_session`) are signed, HttpOnly, and expire after the configured session window. They use `Secure` in production and are not readable by JavaScript. We recommend using the platform on trusted devices only and signing out when you are finished.
---