feat(callsign): per-user QRZ/HamQTH credentials on shared instances#1110
Merged
Conversation
Hosted users can now enter their own QRZ or HamQTH login in Settings and get full callbook data (name, QTH, grid) in the callsign popup — using only their own account, which is what the callbook terms of service require on a multi-user site. Credentials are stored only in the user's browser (localStorage, deliberately outside the synced config) and sent as base64 auth headers on /api/callsign lookups. The server exchanges them for QRZ/HamQTH session keys held in an in-memory LRU map (never persisted, never logged), and lookup results are cached per credential hash so one subscriber's callbook data is never served to another user. Lookup order: user QRZ → user HamQTH → instance QRZ → instance HamQTH → DXCC fallback → prefix estimate. A new POST /api/callsign/verify-credentials endpoint (write-rate- limited) validates a login before the browser stores it. The existing Settings sections for QRZ/HamQTH now work on shared instances: verified credentials get a "Your login (this browser)" badge and a Remove button; self-host server-side configuration is unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
CodeQL flagged the SHA-256 credential hash (js/insufficient-password- hash). The key only partitions the in-memory session map and lookup cache, but deriving it with a real password KDF costs little (async scrypt on the libuv pool, click-driven request rate) and means the key can never weaken the password it came from. Key derivation failures now degrade to an unauthenticated lookup instead of an unhandled rejection. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hosted users can now enter their own QRZ or HamQTH login in Settings and get full callbook data (name, QTH, grid) in the callsign popup — using only their own account, which is what the callbook terms require on a multi-user site.
How it works
/api/callsignlookups.POST /api/callsign/verify-credentials(write-rate-limited) validates a login before the browser stores it; the Settings QRZ/HamQTH sections now work on shared instances with a "Your login (this browser)" badge and Remove button. Self-host server-side config unchanged.Verified: exercised locally end-to-end (DXCC fallback unchanged, real HamQTH auth-failure round-trip, malformed/garbage headers fall through safely); 190 utils tests pass; tested on staging by Chris — names show up.
Cherry-pick of
0845d71cfrom Staging. Chris requested the port to production.🤖 Generated with Claude Code