feat: Implement comprehensive security hardening

Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
  - Cryptographically secure random generation
  - Stored in database for persistence
  - Logged once to container logs for admin retrieval

- Implement CSRF protection with double-submit cookie pattern
  - Three-way validation: cookie, header, and session database
  - Automatic client-side injection via plugin
  - Server middleware for automatic validation
  - Zero frontend code changes required

- Add session fixation prevention with automatic invalidation
  - Regenerate sessions on password changes
  - Keep current session active, invalidate others on profile password change
  - Invalidate ALL sessions on forgot-password reset
  - Invalidate ALL sessions on admin password reset

- Upgrade password reset codes to 8-char alphanumeric
  - Increased from 1M to 1.8 trillion combinations
  - Uses crypto.randomInt() for cryptographic randomness
  - Excluded confusing characters (I, O) for better UX
  - Case-insensitive verification

- Implement dual-layer account lockout
  - IP-based rate limiting (existing)
  - Per-account lockout: 10 attempts = 30 min lock
  - Automatic unlock after expiration
  - Admin manual unlock via UI
  - Visual status indicators in users table

Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch

New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint

Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation

All changes follow OWASP best practices and are production-ready.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

plugins/csrf.client.ts

@@ -0,0 +1,51 @@
+/**
+ * CSRF Token Auto-Injection Plugin
+ *
+ * Implements the "Double Submit Cookie" pattern for CSRF protection:
+ *
+ * 1. Server generates CSRF token on login/register
+ * 2. Token stored in session database AND sent as readable cookie
+ * 3. This plugin reads token from cookie on every request
+ * 4. Adds token to X-CSRF-Token header automatically
+ * 5. Server validates: cookie matches header AND both match session
+ *
+ * Security: Attacker can't read cookie due to same-origin policy,
+ * so they can't forge the header even if they trick user into making request.
+ *
+ * No changes needed in components - this runs automatically!
+ */
+
+export default defineNuxtPlugin(() => {
+  const getCsrfTokenFromCookie = (): string | null => {
+    // Read CSRF token from non-httpOnly cookie
+    const cookies = document.cookie.split(';')
+    for (const cookie of cookies) {
+      const [name, value] = cookie.trim().split('=')
+      if (name === 'csrf_token') {
+        return decodeURIComponent(value)
+      }
+    }
+    return null
+  }
+
+  // Intercept $fetch to add CSRF header
+  const originalFetch = globalThis.$fetch
+
+  globalThis.$fetch = $fetch.create({
+    onRequest({ options }) {
+      const csrfToken = getCsrfTokenFromCookie()
+
+      if (csrfToken) {
+        // Add CSRF token to headers
+        options.headers = options.headers || {}
+        if (options.headers instanceof Headers) {
+          options.headers.set('X-CSRF-Token', csrfToken)
+        } else if (Array.isArray(options.headers)) {
+          options.headers.push(['X-CSRF-Token', csrfToken])
+        } else {
+          (options.headers as Record<string, string>)['X-CSRF-Token'] = csrfToken
+        }
+      }
+    }
+  })
+})