feat: Implement comprehensive security hardening

Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
  - Cryptographically secure random generation
  - Stored in database for persistence
  - Logged once to container logs for admin retrieval

- Implement CSRF protection with double-submit cookie pattern
  - Three-way validation: cookie, header, and session database
  - Automatic client-side injection via plugin
  - Server middleware for automatic validation
  - Zero frontend code changes required

- Add session fixation prevention with automatic invalidation
  - Regenerate sessions on password changes
  - Keep current session active, invalidate others on profile password change
  - Invalidate ALL sessions on forgot-password reset
  - Invalidate ALL sessions on admin password reset

- Upgrade password reset codes to 8-char alphanumeric
  - Increased from 1M to 1.8 trillion combinations
  - Uses crypto.randomInt() for cryptographic randomness
  - Excluded confusing characters (I, O) for better UX
  - Case-insensitive verification

- Implement dual-layer account lockout
  - IP-based rate limiting (existing)
  - Per-account lockout: 10 attempts = 30 min lock
  - Automatic unlock after expiration
  - Admin manual unlock via UI
  - Visual status indicators in users table

Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch

New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint

Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation

All changes follow OWASP best practices and are production-ready.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

server/api/users/password/[id].put.ts

@@ -1,4 +1,4 @@
-import { resetUserPassword, getUserByUsername } from '~/server/utils/database'
+import { resetUserPassword, getUserByUsername, deleteAllUserSessions, getDatabase } from '~/server/utils/database'
 import { getSessionUsername } from '~/server/utils/auth'
 
 export default defineEventHandler(async (event) => {
@@ -68,9 +68,34 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
+    // Get the target user's username before resetting password
+    const db = getDatabase()
+    const targetUser = db.prepare('SELECT username FROM users WHERE id = ?').get(id) as { username: string } | undefined
+
+    if (!targetUser) {
+      throw createError({
+        statusCode: 404,
+        message: 'User not found'
+      })
+    }
+
+    // Reset the password
     resetUserPassword(id, newPassword)
-    return { success: true }
-  } catch (error) {
+
+    // SECURITY: Invalidate ALL sessions when admin resets a user's password
+    // This prevents session fixation and forces user to log in with new password
+    deleteAllUserSessions(targetUser.username)
+
+    return {
+      success: true,
+      message: 'Password reset successfully. User will need to log in with the new password.'
+    }
+  } catch (error: any) {
+    // Re-throw createError instances
+    if (error.statusCode) {
+      throw error
+    }
+
     throw createError({
       statusCode: 500,
       message: 'Failed to reset password'

server/api/users/unlock/[id].post.ts

@@ -0,0 +1,58 @@
+import { unlockAccount, getUserByUsername, getDatabase } from '~/server/utils/database'
+import { getSessionUsername } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = await getSessionUsername(event)
+
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  // Get target user info
+  const db = getDatabase()
+  const targetUser = db.prepare('SELECT username, failed_login_attempts, locked_until FROM users WHERE id = ?')
+    .get(id) as { username: string, failed_login_attempts: number, locked_until: string | null } | undefined
+
+  if (!targetUser) {
+    throw createError({
+      statusCode: 404,
+      message: 'User not found'
+    })
+  }
+
+  // Unlock the account
+  unlockAccount(id)
+
+  console.log(`[ACCOUNT UNLOCKED] Admin ${username} unlocked account: ${targetUser.username}`)
+
+  return {
+    success: true,
+    message: `Account unlocked successfully. Failed attempts reset to 0.`,
+    user: {
+      username: targetUser.username,
+      previousAttempts: targetUser.failed_login_attempts,
+      wasLocked: !!targetUser.locked_until
+    }
+  }
+})