feat: enforce secure-by-default authentication configuration

- Changed AUTH_COOKIE_SECURE to default to true (secure cookies) unless explicitly disabled with warning
- Made LOGIN_ATTEMPT_SALT required environment variable to ensure brute-force protection is properly configured
- Removed client-side JWT token storage in favor of HttpOnly cookies for improved security
- Added admin-only permission check for comment creation endpoint

Author: zerox80

.env.example

@@ -17,16 +17,16 @@ JWT_SECRET=your-super-secret-jwt-key-min-32-chars-change-me-in-production
 PORT=8489
 FRONTEND_ORIGINS=http://localhost:5173,http://localhost:3000
 
-# Auth Cookie Configuration
-# Set to "true" in production behind HTTPS so cookies are marked as Secure.
-AUTH_COOKIE_SECURE=false
-
 # Admin Credentials (used to bootstrap default admin user)
 # IMPORTANT: Password must be at least 12 characters long (NIST recommendation)!
 # Change these values for production use!
 ADMIN_USERNAME=admin
 ADMIN_PASSWORD=change-me-min-12-chars
 
+# Login Security Configuration
+# Required: high-entropy salt used to hash login attempt identifiers (protects rate limiting)
+LOGIN_ATTEMPT_SALT=generate-a-random-64-byte-string
+
 # Logging Configuration
 # Rust log level (trace, debug, info, warn, error)
 RUST_LOG=info

backend/src/auth.rs

@@ -199,9 +199,15 @@ fn secret_has_min_entropy(secret: &str) -> bool {
 }
 
 fn cookies_should_be_secure() -> bool {
-    env::var("AUTH_COOKIE_SECURE")
-        .map(|value| value.trim().eq_ignore_ascii_case("true"))
-        .unwrap_or(false)
+    match env::var("AUTH_COOKIE_SECURE") {
+        Ok(value) if value.trim().eq_ignore_ascii_case("false") => {
+            tracing::warn!(
+                "AUTH_COOKIE_SECURE explicitly set to false. Cookies will be sent over HTTP; only use this in trusted development environments."
+            );
+            false
+        }
+        _ => true,
+    }
 }
 
 fn extract_token(headers: &HeaderMap) -> Option<String> {

backend/src/handlers/auth.rs

@@ -20,8 +20,12 @@ fn hash_login_identifier(username: &str) -> String {
 
     let salt = SALT.get_or_init(|| {
         env::var("LOGIN_ATTEMPT_SALT").unwrap_or_else(|_| {
-            tracing::warn!("LOGIN_ATTEMPT_SALT not set; using default dev salt. Set a random value in production.");
-            "dev-login-attempt-salt".to_string()
+            tracing::error!(
+                "LOGIN_ATTEMPT_SALT environment variable is missing. Set a high-entropy value to enable secure brute-force protection."
+            );
+            panic!(
+                "LOGIN_ATTEMPT_SALT must be set to a random, high-entropy string. See .env.example for guidance."
+            );
         })
     });
 

backend/src/handlers/comments.rs

@@ -100,6 +100,15 @@ pub async fn create_comment(
     Path(tutorial_id): Path<String>,
     Json(payload): Json<CreateCommentRequest>,
 ) -> Result<Json<Comment>, (StatusCode, Json<ErrorResponse>)> {
+    if claims.role != "admin" {
+        return Err((
+            StatusCode::FORBIDDEN,
+            Json(ErrorResponse {
+                error: "Insufficient permissions".to_string(),
+            }),
+        ));
+    }
+
     if let Err(e) = validate_tutorial_id(&tutorial_id) {
         return Err((
             StatusCode::BAD_REQUEST,

src/api/client.js

@@ -56,45 +56,22 @@ const isBinaryBody = (body) => {
   return false
 }
 
-const isLikelyJwt = (token) => {
-  if (typeof token !== 'string') return false
-  const parts = token.split('.')
-  return parts.length === 3 && parts.every((part) => part.length > 0)
-}
-
 class ApiClient {
   constructor() {
     this.token = null
-    if (typeof window !== 'undefined') {
-      const stored = window.localStorage.getItem('ltcms_token')
-      if (isLikelyJwt(stored)) {
-        this.token = stored
-      }
-    }
   }
 
   setToken(token) {
-    if (token && !isLikelyJwt(token)) {
+    // Tokens are now managed exclusively via HttpOnly cookies.
+    // Retain method signature for backwards compatibility without storing client-side state.
+    if (token && typeof token !== 'string') {
       console.warn('Attempted to set invalid JWT token; ignoring')
-      this.token = null
-      return
-    }
-    this.token = token || null
-    if (typeof window !== 'undefined') {
-      if (this.token) {
-        window.localStorage.setItem('ltcms_token', this.token)
-      } else {
-        window.localStorage.removeItem('ltcms_token')
-      }
     }
+    this.token = null
   }
 
   getHeaders() {
-    const headers = {}
-    if (this.token) {
-      headers['Authorization'] = `Bearer ${this.token}`
-    }
-    return headers
+    return {}
   }
 
   async request(endpoint, options = {}) {