Enhance admin login security

Author: a-a-k

README.md

@@ -7,7 +7,7 @@ Static landing page + Supabase Edge Function backend for pilot onboarding. The U
 ```
 Visitor ─► GitHub Pages (index.html, admin.html)
                 │
-        fetch https://<project>.functions.supabase.co/applications
+        fetch https://<project>.functions.supabase.co/functions/v1/applications
                 │
          Supabase Edge Function
                 │
@@ -27,27 +27,34 @@ If the function is unreachable, the UI falls back to localStorage so leads are n
    ```
 2. Configure secrets (service role key, admin password, Mailgun, etc.):
    ```bash
-   supabase secrets set \
-     ADMIN_PASSWORD="set-a-strong-password" \
-     SUPABASE_URL="https://YOUR_PROJECT.supabase.co" \
-     SUPABASE_SERVICE_ROLE_KEY="service-role-key" \
-     MAIL_FROM="MB3R Lab <noreply@mb3r-lab.org>" \
-     MAILGUN_API_KEY="key-..." \
-     MAILGUN_DOMAIN="mg.example.com"
-   # Optional: MAILGUN_API_BASE_URL=https://api.eu.mailgun.net/v3
+    supabase secrets set \
+      ADMIN_PASSWORD="set-a-strong-password" \
+      SUPABASE_URL="https://YOUR_PROJECT.supabase.co" \
+      SUPABASE_SERVICE_ROLE_KEY="service-role-key" \
+      MAIL_FROM="MB3R Lab <noreply@mb3r-lab.org>" \
+      MAILGUN_API_KEY="key-..." \
+      MAILGUN_DOMAIN="mg.example.com" \
+      ALLOWED_ORIGINS="https://mb3r-lab.github.io,http://localhost:5500"
+    # Optional: MAILGUN_API_BASE_URL=https://api.eu.mailgun.net/v3
+    # Optional admin brute-force controls:
+    # ADMIN_MAX_FAILED_ATTEMPTS=8
+    # ADMIN_ATTEMPT_WINDOW_MS=600000
+    # ADMIN_BLOCK_MS=600000
+    # ADMIN_BASE_DELAY_MS=400
+    # ADMIN_MAX_DELAY_MS=5000
    ```
 3. Deploy the function:
    ```bash
    supabase functions deploy applications --project-ref YOUR_PROJECT_REF
    ```
-   The function ensures the `public.applications` table exists, so no manual migration is required.
+   The function expects an existing `public.applications` table (see SQL below).
 
 ### 2. Point the frontend at the function
 
 Edit `assets/js/config.js` and set the function URL (no trailing slash):
 
 ```js
-window.__MB3R_API_BASE__ = 'https://YOUR_PROJECT_ID.functions.supabase.co';
+window.__MB3R_API_BASE__ = 'https://YOUR_PROJECT_ID.functions.supabase.co/functions/v1';
 ```
 
 Push the static site (e.g., to GitHub Pages). The landing page and `/admin.html` will now send all API calls to the Supabase function.
@@ -65,8 +72,8 @@ Push the static site (e.g., to GitHub Pages). The landing page and `/admin.html`
 The deployed function handles:
 
 - `POST /applications` — validate payload, insert into `applications`, trigger Mailgun email, respond with the created ID.
-- `GET /applications` — require `x-admin-pass` header, return ordered submissions.
-- `OPTIONS` — CORS preflight (`*` origin, `content-type` + `x-admin-pass` headers).
+- `GET /applications` — require `x-admin-pass` header, validate request `Origin` against `ALLOWED_ORIGINS`, apply per-client failed-login throttling (delay + temporary block), return ordered submissions.
+- `OPTIONS` — CORS preflight for allowlisted origins (`content-type` + `x-admin-pass` headers).
 - **Schema requirement** — create the table once in Supabase (SQL editor):
   ```sql
   create table if not exists public.applications (
@@ -87,6 +94,6 @@ The deployed function handles:
    ```bash
    supabase functions serve applications --env-file .env.functions
    ```
-3. Update `assets/js/config.js` to point at the local URL printed by the CLI (e.g., `http://127.0.0.1:54321/functions/v1`), then open `index.html` directly and test the flow.
+3. Update `assets/js/config.js` to point at the local URL printed by the CLI (e.g., `http://127.0.0.1:54321/functions/v1`), run a local static server (for example `python -m http.server 5500`), and test via `http://localhost:5500/index.html`.
 
 Remember to switch `config.js` back to the production URL before committing.

assets/i18n/en.json

@@ -160,7 +160,7 @@
     }
   },
   "start": {
-    "title": "Start in 5 minutes",
+    "title": "Quick start",
     "steps": [
       {
         "title": "Install Bering and generate a first model artifact",
@@ -348,6 +348,7 @@
       "enterPassword": "Enter the password.",
       "refreshing": "Refreshing request list...",
       "incorrectPassword": "Incorrect password. Try again.",
+      "tooManyAttempts": "Too many failed attempts. Try again later.",
       "apiUnavailable": "API unavailable. Unable to load requests right now.",
       "apiUnavailableLater": "API unavailable. Try again later.",
       "showingCached": "API unavailable. Showing cached requests.",

assets/i18n/ru.json

@@ -160,7 +160,7 @@
     }
   },
   "start": {
-    "title": "Старт за 5 минут",
+    "title": "Быстрый старт",
     "steps": [
       {
         "title": "Установите Bering и получите первый модельный артефакт",
@@ -348,6 +348,7 @@
       "enterPassword": "Введите пароль.",
       "refreshing": "Обновляем список заявок...",
       "incorrectPassword": "Неверный пароль. Попробуйте ещё раз.",
+      "tooManyAttempts": "Слишком много неверных попыток. Попробуйте позже.",
       "apiUnavailable": "API недоступно. Сейчас не можем загрузить заявки.",
       "apiUnavailableLater": "API недоступно. Попробуйте позже.",
       "showingCached": "API недоступно. Показываем кэшированные заявки.",

assets/js/admin.js

@@ -8,7 +8,6 @@ document.addEventListener('DOMContentLoaded', () => {
     const tableBody = document.getElementById('applications-body');
     const tableWrapper = document.querySelector('.table-wrapper');
     const refreshButton = document.getElementById('refresh-button');
-    const ADMIN_PASS_STORAGE_KEY = 'mb3r-admin-pass';
     const storage = window.MB3RStorage;
     const getI18n = () => window.MB3RI18n;
     const t = (key) => (getI18n()?.t ? getI18n().t(key) : key);
@@ -36,7 +35,6 @@ document.addEventListener('DOMContentLoaded', () => {
         }
         return null;
     };
-    sessionStorage.removeItem(ADMIN_PASS_STORAGE_KEY);
     let currentPassword = '';
     let hasRemoteSuccess = false;
 
@@ -171,7 +169,8 @@ document.addEventListener('DOMContentLoaded', () => {
 
         try {
             const response = await fetch(endpoint, {
-                headers: { 'x-admin-pass': password }
+                headers: { 'x-admin-pass': password },
+                cache: 'no-store'
             });
 
             const data = await response.json().catch(() => ({}));
@@ -215,43 +214,58 @@ document.addEventListener('DOMContentLoaded', () => {
         try {
             const rows = await fetchApplications(password);
             currentPassword = password;
-            sessionStorage.setItem(ADMIN_PASS_STORAGE_KEY, password);
             renderTable(rows);
             unlockTable();
             closeModal();
             hasRemoteSuccess = true;
             setOverlayMessage(t('admin.table.overlayLocked'), 'admin.table.overlayLocked');
             return;
         } catch (error) {
-            if (error.status === 401 || error.status === 403) {
-                sessionStorage.removeItem(ADMIN_PASS_STORAGE_KEY);
+            if (error.status === 401 || error.status === 403 || error.status === 429) {
+                const isIncorrectPassword = /incorrect password/i.test(String(error.message || ''));
+                const isRateLimited = error.status === 429;
                 currentPassword = '';
                 lockTable();
-                setAuthStatus(error.message, 'error');
-                setOverlayMessage(t('admin.status.incorrectPassword'), 'admin.status.incorrectPassword');
+                setAuthStatus(
+                    isRateLimited ? t('admin.status.tooManyAttempts') : error.message,
+                    'error'
+                );
+                if (isRateLimited) {
+                    setOverlayMessage(t('admin.status.tooManyAttempts'), 'admin.status.tooManyAttempts');
+                } else if (isIncorrectPassword) {
+                    setOverlayMessage(t('admin.status.incorrectPassword'), 'admin.status.incorrectPassword');
+                } else {
+                    setOverlayMessage(error.message || t('admin.errors.loadFailed'));
+                }
                 openModal();
                 throw error;
             }
 
             if (error.offline) {
+                const cached = storage?.list?.() || [];
+                if (cached.length) {
+                    renderTable(cached);
+                    unlockTable();
+                    closeModal();
+                    setAuthStatus(t('admin.status.showingCached'), 'error');
+                    return;
+                }
+
                 if (!hasRemoteSuccess) {
                     setAuthStatus(
                         t('admin.status.apiUnavailable'),
                         'error'
                     );
-                    sessionStorage.removeItem(ADMIN_PASS_STORAGE_KEY);
                     currentPassword = '';
                     lockTable();
                     setOverlayMessage(t('admin.status.apiUnavailableLater'), 'admin.status.apiUnavailableLater');
                     openModal();
                     throw error;
                 }
 
-                const cached = storage?.list?.() || [];
-                renderTable(cached);
                 unlockTable();
                 closeModal();
-                setAuthStatus(t('admin.status.showingCached'), 'error');
+                setAuthStatus(t('admin.status.apiUnavailableLater'), 'error');
                 return;
             }
 
@@ -291,15 +305,49 @@ document.addEventListener('DOMContentLoaded', () => {
         loadApplications({ silent: true }).catch(() => {});
     });
 
+    const isModalOpen = () => modal?.classList.contains('is-open');
+
+    document.addEventListener('keydown', (event) => {
+        if (!isModalOpen()) {
+            return;
+        }
+
+        if (event.key === 'Escape') {
+            closeModal();
+            return;
+        }
+
+        if (event.key !== 'Tab' || !modal) {
+            return;
+        }
+
+        const focusable = Array.from(
+            modal.querySelectorAll(
+                'a[href], button:not([disabled]), input:not([disabled]), textarea:not([disabled]), select:not([disabled]), [tabindex]:not([tabindex="-1"])'
+            )
+        );
+
+        if (!focusable.length) {
+            return;
+        }
+
+        const firstEl = focusable[0];
+        const lastEl = focusable[focusable.length - 1];
+
+        if (event.shiftKey && document.activeElement === firstEl) {
+            event.preventDefault();
+            lastEl.focus();
+        } else if (!event.shiftKey && document.activeElement === lastEl) {
+            event.preventDefault();
+            firstEl.focus();
+        }
+    });
+
     if (!isApiConfigured) {
         whenI18nReady().then(() => {
             setTableMessage(t('admin.status.apiNotConfiguredHint'));
         });
     }
 
-    if (currentPassword && isApiConfigured) {
-        loadApplications({ silent: true }).catch(() => {});
-    } else {
-        openModal();
-    }
+    openModal();
 });

assets/js/config.js

@@ -1,4 +1,4 @@
-window.__MB3R_API_ENDPOINT__ =
-    window.__MB3R_API_ENDPOINT__ ||
-    'https://nkphoglftmnfikxzuyqr.supabase.co/functions/v1/database-access';
-window.__MB3R_API_BASE__ = window.__MB3R_API_BASE__ || '';
+window.__MB3R_API_ENDPOINT__ = window.__MB3R_API_ENDPOINT__ || '';
+window.__MB3R_API_BASE__ =
+    window.__MB3R_API_BASE__ ||
+    'https://nkphoglftmnfikxzuyqr.supabase.co/functions/v1';

index.html

@@ -307,7 +307,7 @@ <h3 data-i18n="audience.cards.enterprise.title">Larger organizations</h3>
 
         <section id="start" class="section" aria-labelledby="start-title">
             <div class="container narrow">
-                <h2 id="start-title" class="section-title" data-i18n="start.title">Start in 5 minutes</h2>
+                <h2 id="start-title" class="section-title" data-i18n="start.title">Quick start</h2>
                 <ol class="start-list">
                     <li>
                         <h3 data-i18n="start.steps.0.title">Install Bering and generate a first model artifact</h3>