member-console

Member console application for users to create, access, and manage their accounts associated with the Wiki Cafe MSC (multi-stakeholder co-operative).

Development notes:

  • Make sure viper's 'env' key will work correctly in production
  • Should session-secret and csrf-secret be generated on startup instead of in the config file? They should be persisted nonetheless. Do they need to be rotated?
  • Add remove trailing slash middleware if we start using more custom handlers that don't end with a slash
  • Add tests
    • CSRF
    • Logging
    • compression
    • recovery
    • request ID
    • timeout
    • secure headers and CORS
  • Auth setup sanity check. Review code.
    • Remove keycloak specific code
    • Implement backchannel logout: When a user logs out of the application, the application should notify the identity provider to log the user out of the identity provider as well.
    • Auth session timeout should match security policy
    • Rate limiting on login attempts
    • Subresource Integrity (SRI) for CDN assets
  • Serve HTMX assets not from CDN
  • Find out if timeout middleware is actually needed or if net/http handles it
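
One way to settle the session-secret / csrf-secret question in the notes above: generate each secret on first start and persist it with owner-only permissions, so it survives restarts. This is an added example, not code from the member-console repository; the function name, file path and 32-byte length are assumptions, and rotation is not handled.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strings"
)

const secretLen = 32 // bytes; assumed key size, not taken from the project

// loadOrCreateSecret returns the hex secret stored at path, generating and
// persisting one on first start so sessions and CSRF tokens survive restarts.
func loadOrCreateSecret(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err == nil {
		s := strings.TrimSpace(string(data))
		if raw, derr := hex.DecodeString(s); derr != nil || len(raw) != secretLen {
			return "", fmt.Errorf("%s: not a %d-byte hex secret", path, secretLen)
		}
		return s, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return "", err
	}
	raw := make([]byte, secretLen)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	// O_EXCL: fail instead of overwriting a file another process just created.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	s := hex.EncodeToString(raw)
	if _, err := f.WriteString(s + "\n"); err != nil {
		return "", err
	}
	return s, f.Sync()
}

func main() { // demo: the path is a constructed placeholder
	s, err := loadOrCreateSecret(os.TempDir() + "/member-console-demo-secret")
	fmt.Println(len(s), err)
}
```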