bjoernch/FindMe v0.3.0

on GitHub

v0.3.0 — Security & Passkey Authentication

Security Fixes

• Device token leak fixed: /api/location/latest no longer exposes device tokens to shared circle members
• Security headers: Added CSP, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy via next.config.js
• JWT hardcoded fallback removed: JWT_SECRET is now required at runtime — docker-entrypoint.sh auto-generates one if not set

New Features

• Passkey authentication on mobile: "Sign in with passkey" button on login screen prompts for server URL, then opens Android credential manager for passwordless WebAuthn login
• Digital Asset Links: assetlinks.json ships with the Docker image, enabling passkey association between the app and any deployed instance

Technical

• JWT secret initialization changed from eager IIFE to lazy getter to fix Docker build failures