2ff493d804
feat: Implement comprehensive security hardening
Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
- Cryptographically secure random generation
- Stored in database for persistence
- Logged once to container logs for admin retrieval
- Implement CSRF protection with double-submit cookie pattern
- Three-way validation: cookie, header, and session database
- Automatic client-side injection via plugin
- Server middleware for automatic validation
- Zero frontend code changes required
- Add session fixation prevention with automatic invalidation
- Regenerate sessions on password changes
- Keep current session active, invalidate others on profile password change
- Invalidate ALL sessions on forgot-password reset
- Invalidate ALL sessions on admin password reset
- Upgrade password reset codes to 8-char alphanumeric
- Increased from 1M to 1.8 trillion combinations
- Uses crypto.randomInt() for cryptographic randomness
- Excluded confusing characters (I, O) for better UX
- Case-insensitive verification
- Implement dual-layer account lockout
- IP-based rate limiting (existing)
- Per-account lockout: 10 attempts = 30 min lock
- Automatic unlock after expiration
- Admin manual unlock via UI
- Visual status indicators in users table
Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch
New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint
Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation
All changes follow OWASP best practices and are production-ready.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-05 17:36:31 -05:00
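Worked example, added here by the editor and not code from this repository: it models two items from the commit above, the 8-character reset code (34-symbol alphabet with I and O removed, crypto.randomInt(), case-insensitive verification) and the per-account lockout (10 failed attempts lock the account for 30 minutes, automatic unlock after expiry, admin manual unlock). Function names, the LockoutRecord shape and the use of epoch milliseconds for locked_until are assumptions; the column names mirror the failed_login_attempts and locked_until columns the commit adds. The commit does not say how the project compares codes, so the constant-time comparison is the editor's choice.

```typescript
// Editor's example; not the project's server/utils/email.ts or database.ts.
import { randomInt, timingSafeEqual } from "node:crypto";

// 26 letters minus I and O, plus 10 digits: 34 symbols (assumed ordering).
const RESET_CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789";
const RESET_CODE_LENGTH = 8;

// Number of possible codes: 34^8, roughly 1.79 trillion (vs 10^6 for a 6-digit PIN).
function resetCodeKeyspace(): number {
  return Math.pow(RESET_CODE_ALPHABET.length, RESET_CODE_LENGTH);
}

// crypto.randomInt(max) draws from the CSPRNG and rejects biased samples,
// so each position is uniform over the 34-symbol alphabet.
function generateResetCode(): string {
  let code = "";
  for (let i = 0; i < RESET_CODE_LENGTH; i++) {
    code += RESET_CODE_ALPHABET[randomInt(RESET_CODE_ALPHABET.length)];
  }
  return code;
}

// Case-insensitive: the alphabet has no lowercase letters, so uppercasing
// the user's input maps it onto the stored form.
function normalizeResetCode(input: string): string {
  return input.trim().toUpperCase();
}

// Constant-time comparison so a wrong code does not leak how many leading
// characters matched. timingSafeEqual requires equal-length buffers.
function verifyResetCode(submitted: string, stored: string): boolean {
  const a = Buffer.from(normalizeResetCode(submitted), "utf8");
  const b = Buffer.from(normalizeResetCode(stored), "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// --- Per-account lockout (assumed representation of the two new user columns) ---
const MAX_FAILED_ATTEMPTS = 10;
const LOCK_DURATION_MS = 30 * 60 * 1000;

interface LockoutRecord {
  failed_login_attempts: number;
  locked_until: number | null; // epoch ms, null when not locked (assumed)
}

function freshLockoutRecord(): LockoutRecord {
  return { failed_login_attempts: 0, locked_until: null };
}

// A lock is in force only while locked_until lies in the future; once it has
// passed the account is usable again without any admin action.
function isLocked(rec: LockoutRecord, nowMs: number): boolean {
  return rec.locked_until !== null && rec.locked_until > nowMs;
}

// Called after a wrong password. An expired lock resets the counter first, so a
// user who waited out the 30 minutes gets a fresh 10 attempts rather than being
// re-locked on the very next failure.
function recordFailedLogin(rec: LockoutRecord, nowMs: number): LockoutRecord {
  const base = rec.locked_until !== null && rec.locked_until <= nowMs ? freshLockoutRecord() : rec;
  const attempts = base.failed_login_attempts + 1;
  if (attempts >= MAX_FAILED_ATTEMPTS) {
    return { failed_login_attempts: attempts, locked_until: nowMs + LOCK_DURATION_MS };
  }
  return { failed_login_attempts: attempts, locked_until: null };
}

// Successful login and admin unlock both clear the counter and the lock.
function recordSuccessfulLogin(): LockoutRecord {
  return freshLockoutRecord();
}

function adminUnlock(): LockoutRecord {
  return freshLockoutRecord();
}
```

The login handler should call isLocked before verifying the password and return the same generic error for "locked" and "wrong password" so the lock state itself does not confirm that a username exists; the IP-based rate limit the commit mentions still applies on top of this.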
66172e0baa
Add sermon retention policy feature
Implemented a configurable retention policy system for sermons with automatic cleanup:
- Added settings table to store retention policy configuration
- Created API endpoints for getting/setting retention policy
- Added Database Settings section to admin page with retention options (forever, 1-10 years)
- Implemented manual cleanup endpoint for on-demand deletion
- Added automated daily cleanup task via Nitro plugin
- Sermons are deleted based on their date field according to the retention policy
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-04 14:07:14 -05:00
587cefec41
profile deletion fixes
2025-10-12 13:14:04 -04:00
ffb72a7cbd
database fix
2025-10-12 01:08:49 -04:00
a505edcae7
created by for sermons
2025-10-12 01:01:01 -04:00
dfdb3e0840
security fixes
2025-10-12 00:24:27 -04:00
773ea92f5d
security & footer fix
2025-10-12 00:18:01 -04:00
740ff82642
delete profile fix
2025-10-12 00:10:00 -04:00
c4674a4c85
delete profile & login redirect fixes
2025-10-12 00:05:21 -04:00
056841dc5e
rate-limit fixes
2025-10-07 14:19:25 -04:00
ffb721a12c
more security improvements
2025-10-07 13:54:29 -04:00
329becfb08
security improvements
2025-10-07 13:39:53 -04:00
a4aca9c99d
Downloaded notes filename change
2025-10-07 10:31:39 -04:00
3faec06186
Notes saving fixes
2025-10-07 09:16:27 -04:00
2f505ad7e2
email formatting
2025-10-07 09:10:37 -04:00
8afcac954c
auth fixes
2025-10-07 09:02:28 -04:00
7fc1d79eeb
Saving notes and username fixes
2025-10-07 08:58:38 -04:00
c7b8735a90
Greeting fix
2025-10-06 18:56:26 -04:00
21b480021e
Profile enhancements & greeting
2025-10-06 18:54:58 -04:00
49a88f6634
SSPR fix
2025-10-06 18:43:38 -04:00
ee94b7aec1
SSPR fix
2025-10-06 18:39:18 -04:00
c127ea35f6
Self-service password reset
2025-10-06 18:26:01 -04:00
2dbd4f6ba0
Notes!
2025-10-06 17:20:26 -04:00
291b6743c5
Login watcher
2025-10-06 17:14:54 -04:00
a50791e74c
User creation and management
2025-10-06 17:04:34 -04:00
dfa857c131
encryption
2025-10-02 16:25:31 -04:00
002302bb52
auth changes
2025-10-02 11:14:43 -04:00
27fcedfcd5
Songs & dates
2025-10-02 08:59:05 -04:00
4daea87cd1
Add unarchive functionality and show archived status in admin dropdown
2025-10-02 00:05:45 -04:00
f1e0ac0a93
Fix archive functionality: change default includeArchived to false
2025-10-02 00:00:51 -04:00
4b47f56b30
Add archive functionality: database schema, API endpoint, and helper functions
2025-10-01 23:49:44 -04:00
f3d5fc68f3
Fix login UX: disable autocapitalization, make username case-insensitive, improve edit scroll position
2025-10-01 23:40:24 -04:00
4b2ae9482b
Add complete edit functionality for sermons with update API endpoint and enhanced Bible reference management
2025-10-01 23:00:51 -04:00
fbb0ec8469
Actually remove the conflicting [id].delete.ts file from git
2025-10-01 22:38:02 -04:00
af72305c80
Fix route conflict: move delete endpoint to /api/sermons/delete/[id] to avoid conflict with [slug].get
2025-10-01 22:33:39 -04:00
bd0539118c
Add sermon management functionality with delete capability to admin page
2025-10-01 22:29:50 -04:00
1b282c05fe
Complete sermon itinerary application with Nuxt 3, SQLite, authentication, and Docker deployment
2025-10-01 22:15:01 -04:00
793f395795
Starting over
2025-10-01 22:00:32 -04:00
Ryderjj89
eb7d2b6e8c
fix: Define generateSlug locally in server/api/sermons/index.post.ts
2025-10-01 19:13:00 -04:00
Ryderjj89
2f3b427477
fix: Move generateSlug to admin page to prevent client-side bundling of server utils
2025-10-01 19:09:17 -04:00
Ryderjj89
4e66e03702
fix: Update database import path in server/utils/auth.ts
2025-10-01 19:07:54 -04:00
Ryderjj89
c83cf7dd82
fix: Rename database utility to .server.ts and update imports
2025-10-01 19:07:02 -04:00
Ryderjj89
0361c3fbe6
Refactor admin form layout, improve bible reference input, re-enable client-side cookie access, and try manual focus on login modal
2025-10-01 18:51:02 -04:00
Ryderjj89
1e48717285
Fix bcryptjs import in database.ts to use static import
2025-10-01 18:36:45 -04:00
Ryderjj89
64d2c7245e
Fix bcrypt import in database.ts to use bcryptjs
2025-10-01 18:20:14 -04:00
Ryderjj89
55e5267ffa
Update to Node 22, use bcryptjs for better compatibility
2025-10-01 18:12:41 -04:00
Ryderjj89
d8c8c739fa
Set auth cookie to httpOnly true for security
2025-10-01 17:48:49 -04:00
Ryderjj89
a97c1955c8
Add autofocus to username input and change cookie sameSite to lax
2025-10-01 17:44:55 -04:00
Ryderjj89
4dbb6e040f
Fix modal interactivity and login persistence issues
2025-10-01 17:42:13 -04:00
Ryderjj89
89c75564cf
Add default admin user creation and fix modal overlay positioning
2025-09-29 20:21:55 -04:00