pediatric-ai-scribe-v3/public
Daniel fa16cb13cb Hybrid auth: cookie-only on web, Keychain Bearer on mobile
Runtime split driven by window.Capacitor.isNativePlatform():

  Web browser
    - No token in localStorage / sessionStorage — XSS can't read it
    - Server-set httpOnly cookie carries the session
    - fetch() default credentials='same-origin' sends the cookie
    - getAuthHeaders() returns Content-Type only, no Authorization
    - Middleware already falls back to cookie when Bearer is absent

  Capacitor native (iOS / Android)
    - Unchanged — Bearer token lives in Keychain / Keystore via the
      capacitor-secure-storage-plugin SecureStorage wrapper
    - Bearer header still sent on every request

enterApp() / clearSession() / getAuthHeaders() all now branch on
isNativeApp(). Legacy localStorage entries from the dual-mode era
are wiped on clearSession() for users migrating in.

Rollback: git reset --hard pre-httponly-only-2026-04-14
2026-04-14 04:11:55 +02:00
..
.well-known Add SHA256 fingerprint to assetlinks.json for TWA domain verification 2026-03-29 00:32:58 +00:00
components Growth chart age: three boxes (yr/mo/day), any combination 2026-04-14 03:21:27 +02:00
css Add automatic ICD-10 and CPT billing code suggestions 2026-04-11 01:50:17 +02:00
icons Feat: add stethoscope+pencil favicon in SVG, ICO, and PNG sizes 2026-03-22 14:09:18 -04:00
js Hybrid auth: cookie-only on web, Keychain Bearer on mobile 2026-04-14 04:11:55 +02:00
vendor Replace Quill with Tiptap rich text editor 2026-03-23 23:32:41 -04:00
404.html Add proper 404 handling and custom error page 2026-03-23 23:47:50 -04:00
favicon.ico Feat: add stethoscope+pencil favicon in SVG, ICO, and PNG sizes 2026-03-22 14:09:18 -04:00
index.html Security hardening: PHI encryption, argon2, DOMPurify, SRI 2026-04-14 02:49:38 +02:00
manifest.json v9: Major feature update — audio backup, SOAP save, Dragon memory, S3 docs, CI/CD, APK 2026-03-28 21:08:32 +00:00
sw.js Fix: bump SW cache to v12, switch JS/CSS to network-first 2026-03-29 20:02:34 -04:00