4aaeb0d579
fix: Align account lockout threshold with IP rate limiting
Fixed inconsistency between IP-based rate limiting and per-account lockout.
Previously, users would hit the IP rate limit at 5 attempts (15 min lockout)
but the account wouldn't be marked as locked until 10 attempts (30 min).
This caused confusion in the admin UI where locked accounts wouldn't show
the unlock button until 10 attempts were reached.
Changes:
- Reduced account lockout threshold from 10 to 5 failed attempts
- Reduced account lockout duration from 30 to 15 minutes
- Updated error message to reflect 15-minute lockout period
- Added detailed logging when account gets locked
- Updated README documentation to reflect correct limits
Both protection layers now work in harmony:
- IP-based rate limiting: 5 attempts = 15 min lockout
- Per-account lockout: 5 attempts = 15 min lock
This ensures the admin UI accurately shows account lock status and provides
the unlock option as soon as users hit the lockout threshold.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-05 18:32:17 -05:00
2ff493d804
feat: Implement comprehensive security hardening
Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
  - Cryptographically secure random generation
  - Stored in database for persistence
  - Logged once to container logs for admin retrieval
- Implement CSRF protection with double-submit cookie pattern
  - Three-way validation: cookie, header, and session database
  - Automatic client-side injection via plugin
  - Server middleware for automatic validation
  - Zero frontend code changes required
- Add session fixation prevention with automatic invalidation
  - Regenerate sessions on password changes
  - Keep current session active, invalidate others on profile password change
  - Invalidate ALL sessions on forgot-password reset
  - Invalidate ALL sessions on admin password reset
- Upgrade password reset codes to 8-char alphanumeric
  - Increased from 1M to 1.8 trillion combinations
  - Uses crypto.randomInt() for cryptographic randomness
  - Excluded confusing characters (I, O) for better UX
  - Case-insensitive verification
- Implement dual-layer account lockout
  - IP-based rate limiting (existing)
  - Per-account lockout: 10 attempts = 30 min lock
  - Automatic unlock after expiration
  - Admin manual unlock via UI
  - Visual status indicators in users table
Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch
New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint
Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation
All changes follow OWASP best practices and are production-ready.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-05 17:36:31 -05:00
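The reset-code scheme summarised in this commit (8 characters, digits plus upper-case letters with I and O removed, crypto.randomInt(), case-insensitive verification), as an added example written for this page and not the repository's email.ts or verify-reset-code.post.ts. The alphabet and length follow the commit message; the function names, the normalisation step and the constant-time comparison are choices made here. With 34 symbols in 8 positions the keyspace is 34^8 = 1,785,793,904,896, which is the "1.8 trillion" figure above.

```typescript
import { randomInt, timingSafeEqual } from "crypto";

// Added example, not the repository's own code: reset codes drawn from digits and
// upper-case letters with the confusable I and O removed, as the commit describes.
// 34 symbols ^ 8 positions = 1,785,793,904,896 possible codes.
const CODE_ALPHABET = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ";
const CODE_LENGTH = 8;

function keyspaceSize(): number {
  return CODE_ALPHABET.length ** CODE_LENGTH;
}

// crypto.randomInt draws from the CSPRNG and avoids modulo bias, unlike Math.random.
function generateResetCode(): string {
  let code = "";
  for (let i = 0; i < CODE_LENGTH; i++) {
    code += CODE_ALPHABET[randomInt(CODE_ALPHABET.length)];
  }
  return code;
}

// Case-insensitive verification: trim and upper-case the submission, then reject
// anything outside the alphabet (a typed "i" or "o" fails here rather than being
// silently mapped onto another symbol).
function normalizeCode(input: string): string | null {
  const code = input.trim().toUpperCase();
  if (code.length !== CODE_LENGTH) return null;
  for (let i = 0; i < code.length; i++) {
    if (!CODE_ALPHABET.includes(code[i])) return null;
  }
  return code;
}

// Compare in constant time so response timing does not reveal how many leading
// characters of a guess matched the stored code.
function verifyResetCode(submitted: string, stored: string): boolean {
  const candidate = normalizeCode(submitted);
  if (candidate === null) return false;
  const a = Buffer.from(candidate, "utf8");
  const b = Buffer.from(stored, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}
```

The stored code is expected to already be in canonical upper-case form (as generateResetCode produces it); only the user's submission is normalised. Rate limiting on the verify endpoint remains necessary regardless of keyspace size, since the code is short-lived and a single guess must not be cheap to repeat.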
056841dc5e
rate-limit fixes
2025-10-07 14:19:25 -04:00
ffb721a12c
more security improvements
2025-10-07 13:54:29 -04:00
329becfb08
security improvements
2025-10-07 13:39:53 -04:00
7fc1d79eeb
Saving notes and username fixes
2025-10-07 08:58:38 -04:00
dfa857c131
encryption
2025-10-02 16:25:31 -04:00
f3d5fc68f3
Fix login UX: disable autocapitalization, make username case-insensitive, improve edit scroll position
2025-10-01 23:40:24 -04:00
1b282c05fe
Complete sermon itinerary application with Nuxt 3, SQLite, authentication, and Docker deployment
2025-10-01 22:15:01 -04:00
793f395795
Starting over
2025-10-01 22:00:32 -04:00
Ryderjj89
0361c3fbe6
Refactor admin form layout, improve bible reference input, re-enable client-side cookie access, and try manual focus on login modal
2025-10-01 18:51:02 -04:00
Ryderjj89
d8c8c739fa
Set auth cookie to httpOnly true for security
2025-10-01 17:48:49 -04:00
Ryderjj89
a97c1955c8
Add autofocus to username input and change cookie sameSite to lax
2025-10-01 17:44:55 -04:00
Ryderjj89
4dbb6e040f
Fix modal interactivity and login persistence issues
2025-10-01 17:42:13 -04:00
Ryderjj89
c033410c2e
Complete sermon management system with Nuxt 4, authentication, SQLite database, QR codes, and Docker deployment
2025-09-29 18:59:31 -04:00