mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-02-18 00:17:39 +01:00
SSE Broadcaster:
- Add per-client mutex to prevent concurrent writes to ResponseWriter
- Fix data race in cleanupLoop reading LastActive without synchronization
- Update LastActive in SendHeartbeat so clients aren't incorrectly pruned after 5 minutes of idle heartbeat traffic

Alert Acknowledgements:
- Extract authenticated user from X-Authenticated-User header instead of hardcoding 'admin' or trusting request body's User field
- Prevents audit log spoofing and ensures accurate user attribution

Security Status Endpoint:
- Remove ?token= query param validation from public /api/security/status
- Prevents endpoint from acting as a token validity oracle for attackers
- Authentication still works via session cookies and X-API-Token header
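An added illustration of the SSE broadcaster fix described in the commit message, not Pulse's own code: a per-client mutex serialises writes and guards the last-activity timestamp, the heartbeat goes through the same write path so it counts as activity, and the cleanup reads the timestamp under the lock. The names (client, writeFrame, sendHeartbeat, prune) are assumptions, and flushing the http.ResponseWriter is left out.

```go
package main

import (
	"io"
	"sync"
	"time"
)

// client is a hypothetical stand-in for Pulse's subscriber type: mu serialises
// writes to w (an http.ResponseWriter in a real server) and guards lastActive.
type client struct {
	mu         sync.Mutex
	w          io.Writer
	lastActive time.Time
}

// writeFrame emits one frame under the client lock and refreshes lastActive
// in the same critical section, so every successful write counts as activity.
func writeFrame(c *client, frame string, now time.Time) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, err := io.WriteString(c.w, frame); err != nil {
		return err
	}
	c.lastActive = now
	return nil
}

// sendHeartbeat sends an SSE comment frame to every client. Routing it
// through writeFrame is what stops heartbeat-only clients being pruned.
func sendHeartbeat(clients []*client, now time.Time) {
	for _, c := range clients {
		_ = writeFrame(c, ": heartbeat\n\n", now)
	}
}

// prune returns the clients active within maxIdle, reading lastActive only
// while holding that client's mutex rather than racing with writers.
func prune(clients []*client, now time.Time, maxIdle time.Duration) []*client {
	var kept []*client
	for _, c := range clients {
		c.mu.Lock()
		idle := now.Sub(c.lastActive) > maxIdle
		c.mu.Unlock()
		if !idle {
			kept = append(kept, c)
		}
	}
	return kept
}
```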