Add Authentication Constraints section - APIv2 stateless JWT, no CSRF, no cookies, forbidden patterns

2025-12-28 22:27:49 +00:00 · 2025-12-28 22:27:49 +00:00 · 6e353c381f
commit 6e353c381f
parent d47e1c52a8
1 changed files with 10 additions and 1 deletions
--- a/CONSTRAINTS.md
+++ b/CONSTRAINTS.md
@ -40,4 +40,13 @@ They exist to prevent architectural drift, instability, and "demo-ware" UI patte
 ## Branding
 - Brand: **ZeroLagHub**
 - Shorthand: **ZLH**
- Gaming heritage is acceptable, esports aesthetic is not.
+- Gaming heritage is acceptable, esports aesthetic is not.
+
+## Authentication Constraints (APIv2)
+
+- APIv2 authentication is stateless
+- JWT tokens are issued by APIv2 only
+- No CSRF protection is allowed
+- No cookies are allowed for auth
+- Portal stores tokens client-side (sessionStorage)
+- APIv1 and Pterodactyl auth patterns are forbidden