From 82c31f8b0a80579b1059f0f9225075709c324c69 Mon Sep 17 00:00:00 2001
From: nfebe <fenn25.fn@gmail.com>
Date: Sat, 6 Jun 2026 14:53:35 +0100
Subject: [PATCH 1/3] fix(auth): Treat any unauthorized API response as an
 expired session

Only auth endpoints used to trigger a logout on 401. A dashboard tab
left open past session expiry kept polling with a dead token, and the
resulting stream of failed requests looked like a brute-force attack
to the security module, which repeatedly auto-blocked the operator's
IP. The first 401 outside the login and setup pages now clears the
session and returns to the login page, which also stops all pollers.
---
 src/services/api.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/services/api.ts b/src/services/api.ts
index 9dc5c7a..778f176 100755
--- a/src/services/api.ts
+++ b/src/services/api.ts
@@ -36,10 +36,12 @@ apiClient.interceptors.request.use((config) => {
 apiClient.interceptors.response.use(
   (response) => response,
   (error) => {
-    if (error.response?.status === 401 && !window.location.pathname.includes("/setup")) {
+    if (error.response?.status === 401) {
       const failedURL: string = error.config?.url || "";
-      const isSessionEndpoint = /\/auth\/|\/users\/me(\b|\/)/.test(failedURL);
-      if (isSessionEndpoint) {
+      const isLoginAttempt = failedURL.includes("/auth/login");
+      const onAuthPage =
+        window.location.pathname.includes("/login") || window.location.pathname.includes("/setup");
+      if (!isLoginAttempt && !onAuthPage) {
         localStorage.removeItem("auth_token");
         window.location.href = "/login";
       }

From 0a393b887f58bdcb539099903a5a5fbd1705f236 Mon Sep 17 00:00:00 2001
From: nfebe <fenn25.fn@gmail.com>
Date: Sat, 6 Jun 2026 14:53:45 +0100
Subject: [PATCH 2/3] feat(security): Manage whitelist and detection thresholds
 from the dashboard

The security whitelist could only be edited through the API and the
detection thresholds only through the config file. The Security view
now lists whitelisted IPs, networks, and paths with add and remove
controls, and the settings tab exposes the detection window, per-window
limits, and auto-block duration. Threshold changes persist and apply to
the running detector immediately.
---
 src/services/api.ts        |  14 ++
 src/stores/security.ts     |  40 +++++-
 src/types/index.ts         |  20 +++
 src/views/SecurityView.vue | 273 ++++++++++++++++++++++++++++++++++++-
 4 files changed, 340 insertions(+), 7 deletions(-)

diff --git a/src/services/api.ts b/src/services/api.ts
index 778f176..9a02e66 100755
--- a/src/services/api.ts
+++ b/src/services/api.ts
@@ -13,6 +13,8 @@ import type {
   SecurityStats,
   BlockedIP,
   ProtectedRoute,
+  WhitelistEntry,
+  ConfigEntry,
   DeploymentSecurityConfig,
   DomainConfig,
   ProtectedModeConfig,
@@ -239,6 +241,13 @@ export const settingsApi = {
   generateSubdomain: () => apiClient.get<SubdomainResponse>("/subdomain/generate"),
 };
 
+export const configApi = {
+  list: () => apiClient.get<{ config: ConfigEntry[]; runtime: Record<string, boolean> }>("/config"),
+  get: (key: string) => apiClient.get<{ entry: ConfigEntry; runtime: boolean }>(`/config/${key}`),
+  set: (key: string, value: unknown) =>
+    apiClient.put<{ entry: ConfigEntry; applied: boolean }>(`/config/${key}`, { value }),
+};
+
 export const pluginsApi = {
   list: () => apiClient.get("/plugins"),
   get: (name: string) => apiClient.get(`/plugins/${name}`),
@@ -750,6 +759,11 @@ export const securityApi = {
   cleanup: (days?: number) =>
     apiClient.post<{ events_deleted: number; blocks_deleted: number }>("/security/cleanup", { days }),
 
+  getWhitelist: () => apiClient.get<{ whitelist: WhitelistEntry[] }>("/security/whitelist"),
+  addWhitelistEntry: (entry: { value: string; type: WhitelistEntry["type"]; reason?: string }) =>
+    apiClient.post<{ id: number }>("/security/whitelist", entry),
+  removeWhitelistEntry: (id: number) => apiClient.delete<{ message: string }>(`/security/whitelist/${id}`),
+
   getBlockedIPs: () => apiClient.get<{ blocked_ips: BlockedIP[] }>("/security/blocked-ips"),
   blockIP: (ip: string, reason?: string, duration?: number) =>
     apiClient.post<{ id: number; message: string }>("/security/blocked-ips", { ip, reason, duration }),
diff --git a/src/stores/security.ts b/src/stores/security.ts
index 5387af5..a05e9be 100644
--- a/src/stores/security.ts
+++ b/src/stores/security.ts
@@ -1,13 +1,14 @@
 import { defineStore } from "pinia";
 import { ref } from "vue";
 import { securityApi, type SecurityHealthCheck, type SecurityRefreshResponse } from "@/services/api";
-import type { SecurityEvent, SecurityStats, BlockedIP, ProtectedRoute } from "@/types";
+import type { SecurityEvent, SecurityStats, BlockedIP, ProtectedRoute, WhitelistEntry } from "@/types";
 
 export const useSecurityStore = defineStore("security", () => {
   const stats = ref<SecurityStats | null>(null);
   const events = ref<SecurityEvent[]>([]);
   const eventsTotal = ref(0);
   const blockedIPs = ref<BlockedIP[]>([]);
+  const whitelist = ref<WhitelistEntry[]>([]);
   const protectedRoutes = ref<ProtectedRoute[]>([]);
   const securityEnabled = ref(false);
   const realtimeCapture = ref(false);
@@ -82,6 +83,39 @@ export const useSecurityStore = defineStore("security", () => {
     }
   }
 
+  async function fetchWhitelist() {
+    loading.value = true;
+    error.value = null;
+    try {
+      const response = await securityApi.getWhitelist();
+      whitelist.value = response.data.whitelist || [];
+    } catch (e: any) {
+      error.value = e.response?.data?.error || e.message;
+    } finally {
+      loading.value = false;
+    }
+  }
+
+  async function addWhitelistEntry(entry: { value: string; type: WhitelistEntry["type"]; reason?: string }) {
+    try {
+      await securityApi.addWhitelistEntry(entry);
+      await fetchWhitelist();
+    } catch (e: any) {
+      error.value = e.response?.data?.error || e.message;
+      throw e;
+    }
+  }
+
+  async function removeWhitelistEntry(id: number) {
+    try {
+      await securityApi.removeWhitelistEntry(id);
+      await fetchWhitelist();
+    } catch (e: any) {
+      error.value = e.response?.data?.error || e.message;
+      throw e;
+    }
+  }
+
   async function fetchProtectedRoutes() {
     loading.value = true;
     error.value = null;
@@ -188,6 +222,7 @@ export const useSecurityStore = defineStore("security", () => {
     events,
     eventsTotal,
     blockedIPs,
+    whitelist,
     protectedRoutes,
     securityEnabled,
     realtimeCapture,
@@ -199,6 +234,9 @@ export const useSecurityStore = defineStore("security", () => {
     fetchBlockedIPs,
     blockIP,
     unblockIP,
+    fetchWhitelist,
+    addWhitelistEntry,
+    removeWhitelistEntry,
     fetchProtectedRoutes,
     addProtectedRoute,
     updateProtectedRoute,
diff --git a/src/types/index.ts b/src/types/index.ts
index c21ed3c..195d6d4 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -226,6 +226,24 @@ export interface ProtectedRoute {
   created_at: string;
 }
 
+export interface WhitelistEntry {
+  id: number;
+  value: string;
+  type: "ip" | "cidr" | "path";
+  reason?: string;
+  is_internal: boolean;
+  created_at: string;
+}
+
+export interface ConfigEntry {
+  key: string;
+  type: string;
+  value: unknown;
+  default?: unknown;
+  description?: string;
+  sensitive?: boolean;
+}
+
 export interface SecurityStats {
   total_events: number;
   last_24_hours: number;
@@ -327,6 +345,8 @@ export type Permission =
   | "apikeys:delete"
   | "settings:read"
   | "settings:write"
+  | "config:read"
+  | "config:write"
   | "audit:read"
   | "containers:read"
   | "containers:write"
diff --git a/src/views/SecurityView.vue b/src/views/SecurityView.vue
index dda5589..a1771ce 100644
--- a/src/views/SecurityView.vue
+++ b/src/views/SecurityView.vue
@@ -384,6 +384,48 @@
         </div>
       </div>
 
+      <!-- Whitelist Tab -->
+      <div v-show="activeTab === 'whitelist'" class="tab-content">
+        <div class="section-header">
+          <h3>Whitelisted Sources</h3>
+          <button v-if="canWrite" class="btn btn-primary btn-sm" @click="showAddWhitelistDialog = true">
+            <i class="pi pi-plus" />
+            Add Entry
+          </button>
+        </div>
+
+        <div class="blocked-list">
+          <div v-if="whitelist.length === 0" class="empty-state">
+            <i class="pi pi-check-circle" />
+            <p>No whitelist entries</p>
+            <span class="empty-hint">Whitelisted IPs, networks, and paths never generate events or blocks</span>
+          </div>
+          <div v-else class="blocked-items">
+            <div v-for="entry in whitelist" :key="entry.id" class="blocked-item">
+              <div class="blocked-info">
+                <code class="blocked-ip">{{ entry.value }}</code>
+                <span v-if="entry.reason" class="blocked-reason">{{ entry.reason }}</span>
+                <div class="blocked-meta">
+                  <span class="badge">{{ entry.type.toUpperCase() }}</span>
+                  <span v-if="entry.is_internal" class="badge auto">Internal</span>
+                  <span class="blocked-time">Added {{ formatTime(entry.created_at) }}</span>
+                </div>
+              </div>
+              <button
+                v-if="canWrite && !entry.is_internal"
+                class="btn btn-danger-ghost btn-sm"
+                :disabled="removingWhitelistId === entry.id"
+                @click="handleRemoveWhitelistEntry(entry)"
+              >
+                <i v-if="removingWhitelistId === entry.id" class="pi pi-spin pi-spinner" />
+                <i v-else class="pi pi-times" />
+                Remove
+              </button>
+            </div>
+          </div>
+        </div>
+      </div>
+
       <!-- Protected Routes Tab -->
       <div v-show="activeTab === 'routes'" class="tab-content">
         <div class="section-header">
@@ -521,6 +563,46 @@
             </div>
           </div>
 
+          <div v-if="thresholdsLoaded" class="settings-card">
+            <div class="setting-item">
+              <div class="setting-info">
+                <h4>Detection Thresholds</h4>
+                <p>
+                  Limits applied per source IP within the detection window. When a limit is exceeded, the IP is
+                  automatically blocked for the configured duration. Changes apply immediately, no restart needed.
+                </p>
+              </div>
+            </div>
+            <div class="thresholds-grid">
+              <div v-for="field in thresholdFields" :key="field.key" class="form-group">
+                <label class="form-label">{{ field.label }}</label>
+                <input
+                  v-if="field.type === 'number'"
+                  v-model.number="thresholds[field.key]"
+                  type="number"
+                  min="1"
+                  class="form-input"
+                  :disabled="!canEditConfig"
+                />
+                <input
+                  v-else
+                  v-model="thresholds[field.key]"
+                  type="text"
+                  class="form-input"
+                  :placeholder="field.hint"
+                  :disabled="!canEditConfig"
+                />
+                <span v-if="field.hint" class="form-hint">{{ field.hint }}</span>
+              </div>
+            </div>
+            <div v-if="canEditConfig" class="thresholds-actions">
+              <button class="btn btn-primary" :disabled="savingThresholds" @click="saveThresholds">
+                <i v-if="savingThresholds" class="pi pi-spin pi-spinner" />
+                Save Thresholds
+              </button>
+            </div>
+          </div>
+
           <div class="settings-card">
             <div class="setting-item">
               <div class="setting-info">
@@ -573,6 +655,49 @@
       </div>
     </Teleport>
 
+    <!-- Add Whitelist Entry Dialog -->
+    <Teleport to="body">
+      <div v-if="showAddWhitelistDialog" class="modal-overlay" @click.self="showAddWhitelistDialog = false">
+        <div class="modal-dialog">
+          <div class="modal-header">
+            <h3>Add Whitelist Entry</h3>
+            <button class="btn btn-icon" @click="showAddWhitelistDialog = false">
+              <i class="pi pi-times" />
+            </button>
+          </div>
+          <div class="modal-body">
+            <div class="form-group">
+              <label class="form-label">Type</label>
+              <select v-model="whitelistForm.type" class="form-input">
+                <option value="ip">IP address</option>
+                <option value="cidr">Network (CIDR)</option>
+                <option value="path">Path prefix</option>
+              </select>
+            </div>
+            <div class="form-group">
+              <label class="form-label">Value</label>
+              <input v-model="whitelistForm.value" type="text" class="form-input" :placeholder="whitelistPlaceholder" />
+            </div>
+            <div class="form-group">
+              <label class="form-label">Reason (optional)</label>
+              <input v-model="whitelistForm.reason" type="text" class="form-input" placeholder="Office network" />
+            </div>
+          </div>
+          <div class="modal-footer">
+            <button class="btn btn-secondary" @click="showAddWhitelistDialog = false">Cancel</button>
+            <button
+              class="btn btn-primary"
+              :disabled="!whitelistForm.value || addingWhitelistEntry"
+              @click="handleAddWhitelistEntry"
+            >
+              <i v-if="addingWhitelistEntry" class="pi pi-spin pi-spinner" />
+              Add Entry
+            </button>
+          </div>
+        </div>
+      </div>
+    </Teleport>
+
     <!-- Add/Edit Route Dialog -->
     <Teleport to="body">
       <div v-if="showAddRouteDialog || showEditRouteDialog" class="modal-overlay" @click.self="closeRouteDialog">
@@ -642,12 +767,13 @@
 </template>
 
 <script setup lang="ts">
-import { ref, reactive, onMounted } from "vue";
+import { ref, reactive, computed, onMounted } from "vue";
 import { storeToRefs } from "pinia";
 import { useSecurityStore } from "@/stores/security";
 import { useNotificationsStore } from "@/stores/notifications";
 import { useAuthStore } from "@/stores/auth";
-import type { ProtectedRoute } from "@/types";
+import { configApi } from "@/services/api";
+import type { ProtectedRoute, WhitelistEntry } from "@/types";
 import SecurityHealthCard from "@/components/SecurityHealthCard.vue";
 import TrafficDashboard from "@/components/TrafficDashboard.vue";
 
@@ -655,6 +781,7 @@ const securityStore = useSecurityStore();
 const notifications = useNotificationsStore();
 const authStore = useAuthStore();
 const canWrite = authStore.hasPermission("security:write");
+const canEditConfig = authStore.hasPermission("config:write");
 
 const loading = ref(false);
 const activeTab = ref("stats");
@@ -664,12 +791,13 @@ const tabs = [
   { id: "traffic", label: "Traffic & Performance", icon: "pi pi-chart-line" },
   { id: "events", label: "Security Events", icon: "pi pi-list" },
   { id: "blocked", label: "Blocked IPs", icon: "pi pi-ban" },
+  { id: "whitelist", label: "Whitelist", icon: "pi pi-check-circle" },
   { id: "routes", label: "Rate Limits", icon: "pi pi-lock" },
   { id: "health", label: "Health", icon: "pi pi-heart" },
   { id: "settings", label: "Settings", icon: "pi pi-cog" },
 ];
 
-const { stats, events, eventsTotal, blockedIPs, protectedRoutes, securityEnabled, realtimeCapture } =
+const { stats, events, eventsTotal, blockedIPs, whitelist, protectedRoutes, securityEnabled, realtimeCapture } =
   storeToRefs(securityStore);
 const togglingRealtimeCapture = ref(false);
 const refreshingScripts = ref(false);
@@ -687,6 +815,44 @@ const blockForm = reactive({ ip: "", reason: "", duration: 0 });
 const blockingIP = ref(false);
 const unblockingIP = ref<string | null>(null);
 
+const showAddWhitelistDialog = ref(false);
+const whitelistForm = reactive({ value: "", type: "ip" as WhitelistEntry["type"], reason: "" });
+const addingWhitelistEntry = ref(false);
+const removingWhitelistId = ref<number | null>(null);
+
+const whitelistPlaceholder = computed(() => {
+  switch (whitelistForm.type) {
+    case "cidr":
+      return "203.0.113.0/24";
+    case "path":
+      return "/api/health";
+    default:
+      return "203.0.113.7";
+  }
+});
+
+interface ThresholdField {
+  key: string;
+  label: string;
+  type: "number" | "duration";
+  hint?: string;
+}
+
+const thresholdFields: ThresholdField[] = [
+  { key: "detection_window", label: "Detection Window", type: "duration", hint: "e.g. 2m" },
+  { key: "rate_threshold", label: "Max Requests per Window", type: "number" },
+  { key: "auth_failure_threshold", label: "Auth Failures (401/403) Before Block", type: "number" },
+  { key: "not_found_threshold", label: "404 Responses Before Block", type: "number" },
+  { key: "unique_paths_threshold", label: "Unique Paths Before Block", type: "number" },
+  { key: "repeated_hits_threshold", label: "Hits on Same Path Before Block", type: "number" },
+  { key: "auto_block_duration", label: "Auto-Block Duration", type: "duration", hint: "e.g. 24h" },
+];
+
+const thresholds = reactive<Record<string, string | number>>({});
+const loadedThresholds = ref<Record<string, string | number>>({});
+const thresholdsLoaded = ref(false);
+const savingThresholds = ref(false);
+
 const showAddRouteDialog = ref(false);
 const showEditRouteDialog = ref(false);
 const showDeleteRouteDialog = ref(false);
@@ -719,6 +885,48 @@ const fetchProtectedRoutes = async () => {
   await securityStore.fetchProtectedRoutes();
 };
 
+const fetchWhitelist = async () => {
+  await securityStore.fetchWhitelist();
+};
+
+const loadThresholds = async () => {
+  try {
+    const response = await configApi.list();
+    const entries = response.data.config || [];
+    for (const field of thresholdFields) {
+      const entry = entries.find((e) => e.key === `security.${field.key}`);
+      if (entry && entry.value != null) {
+        thresholds[field.key] = entry.value as string | number;
+        loadedThresholds.value[field.key] = entry.value as string | number;
+      }
+    }
+    thresholdsLoaded.value = true;
+  } catch {
+    thresholdsLoaded.value = false;
+  }
+};
+
+const saveThresholds = async () => {
+  savingThresholds.value = true;
+  try {
+    const changed = thresholdFields.filter((f) => thresholds[f.key] !== loadedThresholds.value[f.key]);
+    for (const field of changed) {
+      await configApi.set(`security.${field.key}`, thresholds[field.key]);
+      loadedThresholds.value[field.key] = thresholds[field.key];
+    }
+    if (changed.length > 0) {
+      notifications.success("Thresholds Saved", `${changed.length} setting(s) updated and applied`);
+    } else {
+      notifications.info("No Changes", "Thresholds are unchanged");
+    }
+  } catch (e: any) {
+    notifications.error("Failed", e.response?.data?.error || "Failed to save thresholds");
+    await loadThresholds();
+  } finally {
+    savingThresholds.value = false;
+  }
+};
+
 const fetchRealtimeCaptureStatus = async () => {
   await securityStore.fetchRealtimeCaptureStatus();
 };
@@ -729,8 +937,10 @@ const refreshData = async () => {
     fetchStats(),
     fetchEvents(),
     fetchBlockedIPs(),
+    fetchWhitelist(),
     fetchProtectedRoutes(),
     fetchRealtimeCaptureStatus(),
+    loadThresholds(),
   ]);
   loading.value = false;
   notifications.success("Refreshed", "Security data updated");
@@ -876,6 +1086,39 @@ const handleUnblockIP = async (ip: string) => {
   }
 };
 
+const handleAddWhitelistEntry = async () => {
+  if (!whitelistForm.value) return;
+  addingWhitelistEntry.value = true;
+  try {
+    await securityStore.addWhitelistEntry({
+      value: whitelistForm.value,
+      type: whitelistForm.type,
+      reason: whitelistForm.reason || undefined,
+    });
+    notifications.success("Entry Added", `${whitelistForm.value} has been whitelisted`);
+    showAddWhitelistDialog.value = false;
+    whitelistForm.value = "";
+    whitelistForm.type = "ip";
+    whitelistForm.reason = "";
+  } catch (e: any) {
+    notifications.error("Failed", e.response?.data?.error || "Failed to add whitelist entry");
+  } finally {
+    addingWhitelistEntry.value = false;
+  }
+};
+
+const handleRemoveWhitelistEntry = async (entry: WhitelistEntry) => {
+  removingWhitelistId.value = entry.id;
+  try {
+    await securityStore.removeWhitelistEntry(entry.id);
+    notifications.success("Entry Removed", `${entry.value} is no longer whitelisted`);
+  } catch (e: any) {
+    notifications.error("Failed", e.response?.data?.error || "Failed to remove whitelist entry");
+  } finally {
+    removingWhitelistId.value = null;
+  }
+};
+
 const editRoute = (route: ProtectedRoute) => {
   routeForm.id = route.id;
   routeForm.path_pattern = route.path_pattern;
@@ -1315,15 +1558,33 @@ onMounted(() => {
   color: #9ca3af;
 }
 
-.badge.auto {
-  background: #dbeafe;
-  color: #1d4ed8;
+.badge {
+  background: #f3f4f6;
+  color: #4b5563;
   padding: 0.125rem 0.375rem;
   border-radius: var(--radius-sm);
   font-size: 0.625rem;
   font-weight: 600;
 }
 
+.badge.auto {
+  background: #dbeafe;
+  color: #1d4ed8;
+}
+
+.thresholds-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(220px, 1fr));
+  gap: 1rem;
+  margin-top: 1rem;
+}
+
+.thresholds-actions {
+  display: flex;
+  justify-content: flex-end;
+  margin-top: 1rem;
+}
+
 .route-config {
   display: flex;
   gap: 1rem;

From a9910ee637522ad2ea70abadeab5b463220f8f11 Mon Sep 17 00:00:00 2001
From: nfebe <fenn25.fn@gmail.com>
Date: Sat, 6 Jun 2026 16:14:31 +0100
Subject: [PATCH 3/3] fix: Format session expiry check to satisfy prettier

---
 src/services/api.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/services/api.ts b/src/services/api.ts
index 9a02e66..2a54b43 100755
--- a/src/services/api.ts
+++ b/src/services/api.ts
@@ -41,8 +41,7 @@ apiClient.interceptors.response.use(
     if (error.response?.status === 401) {
       const failedURL: string = error.config?.url || "";
       const isLoginAttempt = failedURL.includes("/auth/login");
-      const onAuthPage =
-        window.location.pathname.includes("/login") || window.location.pathname.includes("/setup");
+      const onAuthPage = window.location.pathname.includes("/login") || window.location.pathname.includes("/setup");
       if (!isLoginAttempt && !onAuthPage) {
         localStorage.removeItem("auth_token");
         window.location.href = "/login";