|
|
2ff493d804
|
feat: Implement comprehensive security hardening
Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
- Cryptographically secure random generation
- Stored in database for persistence
- Logged once to container logs for admin retrieval
- Implement CSRF protection with double-submit cookie pattern
- Three-way validation: cookie, header, and session database
- Automatic client-side injection via plugin
- Server middleware for automatic validation
- Zero frontend code changes required
- Add session fixation prevention with automatic invalidation
- Regenerate sessions on password changes
- Keep current session active, invalidate others on profile password change
- Invalidate ALL sessions on forgot-password reset
- Invalidate ALL sessions on admin password reset
- Upgrade password reset codes to 8-char alphanumeric
- Increased from 1M to 1.8 trillion combinations
- Uses crypto.randomInt() for cryptographic randomness
- Excluded confusing characters (I, O) for better UX
- Case-insensitive verification
- Implement dual-layer account lockout
- IP-based rate limiting (existing)
- Per-account lockout: 10 attempts = 30 min lock
- Automatic unlock after expiration
- Admin manual unlock via UI
- Visual status indicators in users table
Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch
New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint
Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation
All changes follow OWASP best practices and are production-ready.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
|
2025-11-05 17:36:31 -05:00 |
|
|
|
c127ea35f6
|
Self-service password reset
|
2025-10-06 18:26:01 -04:00 |
|
|
|
002302bb52
|
auth changes
|
2025-10-02 11:14:43 -04:00 |
|
|
|
71e39cceb1
|
Fix favicon and add authentication state to main page with logout/create sermon buttons
|
2025-10-01 22:25:35 -04:00 |
|
|
|
22f7c6f8ad
|
Remove @nuxt/ui dependency to fix build issues
|
2025-10-01 22:18:06 -04:00 |
|
|
|
1b282c05fe
|
Complete sermon itinerary application with Nuxt 3, SQLite, authentication, and Docker deployment
|
2025-10-01 22:15:01 -04:00 |
|
|
|
793f395795
|
Starting over
|
2025-10-01 22:00:32 -04:00 |
|
|
|
6d0f99507a
|
fix: Add PostCSS config and update NuxtUI configuration for proper styling
|
2025-10-01 21:56:14 -04:00 |
|
|
|
beddaede19
|
fix: Add Tailwind directives and import main.css in nuxt.config
|
2025-10-01 21:52:01 -04:00 |
|
|
|
64e73b3ee9
|
fix: Add alias for tailwindcss/colors to resolve module import error
|
2025-10-01 21:47:54 -04:00 |
|
|
|
fe4394241e
|
Fix deployment issues: native modules, volume mapping, Nuxt 4 config
|
2025-10-01 21:41:13 -04:00 |
|
|
|
b4f7da9101
|
fix: Externalize tailwindcss and tailwindcss/colors from Nitro build
|
2025-10-01 21:29:09 -04:00 |
|
|
|
a36a97c9f9
|
feat: Implement multi-stage Dockerfile for robust Nuxt build
|
2025-10-01 21:25:20 -04:00 |
|
|
|
8abff8a764
|
fix: Externalize tailwindcss from Nitro build to resolve module not found error
|
2025-10-01 21:22:09 -04:00 |
|
|
|
bf158bb83c
|
feat: Explicitly configure Tailwind CSS and PostCSS in nuxt.config.ts
|
2025-10-01 21:18:01 -04:00 |
|
|
|
108d144774
|
fix: Remove diagnostic Tailwind class from app.vue and explicit CSS import from nuxt.config.ts
|
2025-10-01 21:13:58 -04:00 |
|
|
|
dadea8b5d0
|
feat: Restore admin.vue content with proper width constraints and add favicon
|
2025-10-01 20:55:52 -04:00 |
|
Ryderjj89
|
a85f69d30f
|
fix: Configure Vite to externalize Node.js modules for client build
|
2025-10-01 19:11:25 -04:00 |
|
Ryderjj89
|
786126a271
|
fix: Configure Nitro externals for server-side dependencies
|
2025-10-01 19:05:42 -04:00 |
|
Ryderjj89
|
c818d43f4e
|
Fix logo size, improve CSS styling with universal selector, and add error handling
|
2025-09-29 19:43:53 -04:00 |
|
Ryderjj89
|
97daf164ee
|
Remove TailwindCSS completely and use Nuxt UI with custom CSS for styling
|
2025-09-29 19:21:34 -04:00 |
|
Ryderjj89
|
d11bdcfeaf
|
Simplify TailwindCSS config: remove PostCSS plugin and use standard Nuxt 4 integration
|
2025-09-29 19:17:41 -04:00 |
|
Ryderjj89
|
25b7c795a1
|
Fix Nuxt 4 TailwindCSS configuration: add Tailwind directives and proper config
|
2025-09-29 19:15:58 -04:00 |
|
Ryderjj89
|
c033410c2e
|
Complete sermon management system with Nuxt 4, authentication, SQLite database, QR codes, and Docker deployment
|
2025-09-29 18:59:31 -04:00 |
|
