feat: Implement comprehensive security hardening

Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
  - Cryptographically secure random generation
  - Stored in database for persistence
  - Logged once to container logs for admin retrieval

- Implement CSRF protection with double-submit cookie pattern
  - Three-way validation: cookie, header, and session database
  - Automatic client-side injection via plugin
  - Server middleware for automatic validation
  - Zero frontend code changes required

- Add session fixation prevention with automatic invalidation
  - Regenerate sessions on password changes
  - Keep current session active, invalidate others on profile password change
  - Invalidate ALL sessions on forgot-password reset
  - Invalidate ALL sessions on admin password reset

- Upgrade password reset codes to 8-char alphanumeric
  - Increased from 1M to 1.8 trillion combinations
  - Uses crypto.randomInt() for cryptographic randomness
  - Excluded confusing characters (I, O) for better UX
  - Case-insensitive verification

- Implement dual-layer account lockout
  - IP-based rate limiting (existing)
  - Per-account lockout: 10 attempts = 30 min lock
  - Automatic unlock after expiration
  - Admin manual unlock via UI
  - Visual status indicators in users table

Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch

New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint

Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation

All changes follow OWASP best practices and are production-ready.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

server/api/auth/login.post.ts

@@ -1,5 +1,6 @@
-import { getUserByUsername, checkRateLimit, resetRateLimit, createSession } from '~/server/utils/database'
+import { getUserByUsername, checkRateLimit, resetRateLimit, createSession, isAccountLocked, incrementFailedAttempts, resetFailedAttempts } from '~/server/utils/database'
 import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
+import { generateCsrfToken, setCsrfCookie } from '~/server/utils/csrf'
 import bcrypt from 'bcrypt'
 
 export default defineEventHandler(async (event) => {
@@ -51,10 +52,22 @@ export default defineEventHandler(async (event) => {
     })
   }
 
+  // SECURITY: Check if account is locked due to too many failed attempts
+  if (isAccountLocked(username.toLowerCase())) {
+    console.log(`[LOGIN BLOCKED] Account locked - User: ${username.toLowerCase()}, IP: ${clientIp}`)
+    throw createError({
+      statusCode: 403,
+      message: 'Account temporarily locked due to too many failed login attempts. Please try again in 30 minutes or contact an administrator.'
+    })
+  }
+
   // Compare the provided password with the hashed password in the database
   const passwordMatch = await bcrypt.compare(password, user.password)
 
   if (!passwordMatch) {
+    // SECURITY: Increment failed login attempts for this account
+    incrementFailedAttempts(username.toLowerCase())
+
     // Check rate limit ONLY on failed attempt
     if (!checkRateLimit(clientIp, 'login', 5, 15)) {
       console.log(`[LOGIN BLOCKED] Rate limited - Invalid password for user: ${username.toLowerCase()}, IP: ${clientIp}`)
@@ -70,17 +83,26 @@ export default defineEventHandler(async (event) => {
     })
   }
 
-  // Generate session token and create session
+  // Generate session token and CSRF token
   const sessionToken = generateSessionToken()
+  const csrfToken = generateCsrfToken()
   const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
-  createSession(sessionToken, user.username, expiresAt)
-  
+
+  // Create session with CSRF token
+  createSession(sessionToken, user.username, expiresAt, csrfToken)
+
   // Set session cookie
   setAuthCookie(event, sessionToken)
-  
+
+  // Set CSRF cookie
+  setCsrfCookie(event, csrfToken)
+
+  // SECURITY: Reset failed login attempts on successful login
+  resetFailedAttempts(username.toLowerCase())
+
   // Reset rate limit on successful login
   resetRateLimit(clientIp, 'login')
-  
+
   // Log successful login
   console.log(`[LOGIN SUCCESS] User: ${user.username}, IP: ${clientIp}`)
 

server/api/auth/logout.post.ts

@@ -1,18 +1,20 @@
 import { clearAuthCookie, getAuthCookie } from '~/server/utils/auth'
+import { clearCsrfCookie } from '~/server/utils/csrf'
 import { deleteSession } from '~/server/utils/database'
 
 export default defineEventHandler(async (event) => {
   // Get session token from cookie
   const sessionToken = getAuthCookie(event)
-  
+
   // Delete session from database if it exists
   if (sessionToken) {
     deleteSession(sessionToken)
   }
-  
-  // Clear the cookie
+
+  // Clear both auth and CSRF cookies
   clearAuthCookie(event)
-  
+  clearCsrfCookie(event)
+
   return {
     success: true
   }

server/api/auth/register.post.ts

@@ -1,5 +1,6 @@
 import { createUser, getUserByUsername, getUserByEmail, checkRateLimit, createSession } from '~/server/utils/database'
 import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
+import { generateCsrfToken, setCsrfCookie } from '~/server/utils/csrf'
 
 export default defineEventHandler(async (event) => {
   // Get real client IP from proxy headers (prioritize x-real-ip for NPM)
@@ -107,15 +108,21 @@ export default defineEventHandler(async (event) => {
   try {
     // Create the new user with all fields
     createUser(username.toLowerCase(), password, email.toLowerCase(), firstName, lastName)
-    
-    // Generate session token and create session for auto-login
+
+    // Generate session token and CSRF token for auto-login
     const sessionToken = generateSessionToken()
+    const csrfToken = generateCsrfToken()
     const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
-    createSession(sessionToken, username.toLowerCase(), expiresAt)
-    
+
+    // Create session with CSRF token
+    createSession(sessionToken, username.toLowerCase(), expiresAt, csrfToken)
+
     // Set session cookie
     setAuthCookie(event, sessionToken)
-    
+
+    // Set CSRF cookie
+    setCsrfCookie(event, csrfToken)
+
     // Log successful registration
     console.log(`[REGISTER SUCCESS] User: ${username.toLowerCase()}, IP: ${clientIp}`)
 

server/api/auth/reset-password.post.ts

@@ -1,4 +1,4 @@
-import { getPasswordResetCode, resetPasswordByEmail, deletePasswordResetCode } from '~/server/utils/database'
+import { getPasswordResetCode, resetPasswordByEmail, deletePasswordResetCode, deleteAllUserSessions, getUserByEmail } from '~/server/utils/database'
 
 export default defineEventHandler(async (event) => {
   const body = await readBody(event)
@@ -31,7 +31,8 @@ export default defineEventHandler(async (event) => {
   }
 
   // Verify code exists and hasn't expired
-  const resetCode = getPasswordResetCode(email, code)
+  // Convert to uppercase for case-insensitive comparison
+  const resetCode = getPasswordResetCode(email, code.toUpperCase())
   
   if (!resetCode) {
     throw createError({
@@ -40,11 +41,27 @@ export default defineEventHandler(async (event) => {
     })
   }
 
+  // Get user info before resetting password
+  const user = getUserByEmail(email)
+  if (!user) {
+    throw createError({
+      statusCode: 404,
+      message: 'User not found',
+    })
+  }
+
   // Reset password
   resetPasswordByEmail(email, newPassword)
-  
+
+  // SECURITY: Invalidate ALL sessions when password is reset via forgot-password flow
+  // User must log in again with new password
+  deleteAllUserSessions(user.username)
+
   // Delete used reset code
   deletePasswordResetCode(email)
 
-  return { success: true, message: 'Password reset successfully' }
+  return {
+    success: true,
+    message: 'Password reset successfully. Please log in with your new password.'
+  }
 })

server/api/auth/verify-reset-code.post.ts

@@ -12,7 +12,8 @@ export default defineEventHandler(async (event) => {
   }
 
   // Verify code exists and hasn't expired
-  const resetCode = getPasswordResetCode(email, code)
+  // Convert to uppercase for case-insensitive comparison
+  const resetCode = getPasswordResetCode(email, code.toUpperCase())
   
   if (!resetCode) {
     throw createError({

server/api/profile/update.put.ts

@@ -1,5 +1,5 @@
-import { getUserByUsername, getUserByEmail } from '~/server/utils/database'
-import { getAuthUser } from '~/server/utils/auth'
+import { getUserByUsername, getUserByEmail, deleteOtherUserSessions } from '~/server/utils/database'
+import { getAuthUser, getAuthCookie } from '~/server/utils/auth'
 import bcrypt from 'bcrypt'
 
 export default defineEventHandler(async (event) => {
@@ -102,11 +102,25 @@ export default defineEventHandler(async (event) => {
     const hashedPassword = bcrypt.hashSync(newPassword, saltRounds)
     db.prepare('UPDATE users SET first_name = ?, last_name = ?, email = ?, password = ? WHERE id = ?')
       .run(firstName, lastName, email.toLowerCase(), hashedPassword, currentUser.id)
+
+    // SECURITY: Invalidate all other sessions when password changes
+    // This prevents session fixation and forces re-login on all other devices
+    const currentSessionToken = getAuthCookie(event)
+    if (currentSessionToken) {
+      // Keep current session active, but logout all other sessions
+      deleteOtherUserSessions(authUser.username, currentSessionToken)
+    }
+
+    return {
+      success: true,
+      message: 'Password updated successfully. Other sessions have been logged out for security.',
+      passwordChanged: true
+    }
   } else {
     // Update without changing password
     db.prepare('UPDATE users SET first_name = ?, last_name = ?, email = ? WHERE id = ?')
       .run(firstName, lastName, email.toLowerCase(), currentUser.id)
-  }
 
-  return { success: true, message: 'Profile updated successfully' }
+    return { success: true, message: 'Profile updated successfully' }
+  }
 })

server/api/users/password/[id].put.ts

@@ -1,4 +1,4 @@
-import { resetUserPassword, getUserByUsername } from '~/server/utils/database'
+import { resetUserPassword, getUserByUsername, deleteAllUserSessions, getDatabase } from '~/server/utils/database'
 import { getSessionUsername } from '~/server/utils/auth'
 
 export default defineEventHandler(async (event) => {
@@ -68,9 +68,34 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
+    // Get the target user's username before resetting password
+    const db = getDatabase()
+    const targetUser = db.prepare('SELECT username FROM users WHERE id = ?').get(id) as { username: string } | undefined
+
+    if (!targetUser) {
+      throw createError({
+        statusCode: 404,
+        message: 'User not found'
+      })
+    }
+
+    // Reset the password
     resetUserPassword(id, newPassword)
-    return { success: true }
-  } catch (error) {
+
+    // SECURITY: Invalidate ALL sessions when admin resets a user's password
+    // This prevents session fixation and forces user to log in with new password
+    deleteAllUserSessions(targetUser.username)
+
+    return {
+      success: true,
+      message: 'Password reset successfully. User will need to log in with the new password.'
+    }
+  } catch (error: any) {
+    // Re-throw createError instances
+    if (error.statusCode) {
+      throw error
+    }
+
     throw createError({
       statusCode: 500,
       message: 'Failed to reset password'

server/api/users/unlock/[id].post.ts

@@ -0,0 +1,58 @@
+import { unlockAccount, getUserByUsername, getDatabase } from '~/server/utils/database'
+import { getSessionUsername } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = await getSessionUsername(event)
+
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  // Get target user info
+  const db = getDatabase()
+  const targetUser = db.prepare('SELECT username, failed_login_attempts, locked_until FROM users WHERE id = ?')
+    .get(id) as { username: string, failed_login_attempts: number, locked_until: string | null } | undefined
+
+  if (!targetUser) {
+    throw createError({
+      statusCode: 404,
+      message: 'User not found'
+    })
+  }
+
+  // Unlock the account
+  unlockAccount(id)
+
+  console.log(`[ACCOUNT UNLOCKED] Admin ${username} unlocked account: ${targetUser.username}`)
+
+  return {
+    success: true,
+    message: `Account unlocked successfully. Failed attempts reset to 0.`,
+    user: {
+      username: targetUser.username,
+      previousAttempts: targetUser.failed_login_attempts,
+      wasLocked: !!targetUser.locked_until
+    }
+  }
+})