Please report security issues privately using GitHub's Security Advisories ("Report a vulnerability" on the Security tab) rather than opening a public issue.
These are deliberate simplifications documented for transparency, not oversights — see Authentication for how to replace them:
- Single shared admin password, not per-user accounts. Anyone with the password has full access to every project and QR code.
- Session tokens are stored in
localStorageon the admin dashboard, not anhttpOnlycookie — this is simpler to run without a backend-for-frontend proxy, but is more exposed to token theft via XSS than a cookie-based session would be. - No login rate limiting.
POST /auth/logincan be brute-forced; use a strongADMIN_PASSWORDand consider adding rate limiting (e.g. Cloudflare Turnstile or a KV-backed counter) if you expose this publicly. - The location-setup passcode (
LOCATION_SETUP_PASSCODE) is a single shared secret with no per-QR-code distinction, by design (it's meant for whoever is physically installing a QR code, not an authenticated user).