RyderTech/nlcc-itinerary
1
0
Fork 0
Code Issues Pull Requests Packages Activity
165 Commits 1 Branch 0 Tags
85c2aeb353b6c13331a783bc1a14f99f7e85259d
Commit Graph

15 Commits

Author SHA1 Message Date
Joshua Ryder
85c2aeb353 chore: Replace specific domain with generic example URL 
Changes:
- docker-compose.yml: https://nlcc.rydertech.ushttps://church.example.com
- Dockerfile: https://nlcc.rydertech.ushttps://church.example.com
- README.md: https://nlcc.rydertech.ushttps://church.example.com

Rationale:
- Makes the repository more generic and reusable
- Users won't be confused by site-specific URLs
- Follows standard documentation practices using example.com
- Clearer that SITE_URL needs to be customized for each deployment

The example.com domain is reserved by IANA for documentation purposes,
making it the perfect choice for configuration templates.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-05 17:48:16 -05:00
Joshua Ryder
3474ca7013 refactor: Use external Docker named volume for data persistence 
Changes:
- Replace bind mount (./data) with external named volume (nlcc-data)
- Volume must be created before first run: docker volume create nlcc-data
- Improves portability and follows Docker best practices
- Better separation between code and data

Benefits:
- Data persists across container rebuilds and updates
- Easier backup and restore operations
- Platform-agnostic (works same on Linux/Windows/macOS)
- Managed by Docker's volume system
- No permission issues with bind mounts

README Updates:
- Added volume creation step to installation instructions
- Documented volume management commands (create, inspect, backup, restore)
- Added backup/restore examples using alpine container
- Clarified data persistence behavior

Note: Existing deployments using ./data bind mount will need to:
1. Backup existing data: cp -r ./data ./data-backup
2. Create volume: docker volume create nlcc-data
3. Restart container: docker-compose up -d
4. Copy data to volume if needed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-05 17:46:07 -05:00
Joshua Ryder
2ff493d804 feat: Implement comprehensive security hardening 
Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
  - Cryptographically secure random generation
  - Stored in database for persistence
  - Logged once to container logs for admin retrieval

- Implement CSRF protection with double-submit cookie pattern
  - Three-way validation: cookie, header, and session database
  - Automatic client-side injection via plugin
  - Server middleware for automatic validation
  - Zero frontend code changes required

- Add session fixation prevention with automatic invalidation
  - Regenerate sessions on password changes
  - Keep current session active, invalidate others on profile password change
  - Invalidate ALL sessions on forgot-password reset
  - Invalidate ALL sessions on admin password reset

- Upgrade password reset codes to 8-char alphanumeric
  - Increased from 1M to 1.8 trillion combinations
  - Uses crypto.randomInt() for cryptographic randomness
  - Excluded confusing characters (I, O) for better UX
  - Case-insensitive verification

- Implement dual-layer account lockout
  - IP-based rate limiting (existing)
  - Per-account lockout: 10 attempts = 30 min lock
  - Automatic unlock after expiration
  - Admin manual unlock via UI
  - Visual status indicators in users table

Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch

New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint

Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation

All changes follow OWASP best practices and are production-ready.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-05 17:36:31 -05:00
Joshua Ryder
75b7a93bf9 Update image to use GitLab container registry 
Changed image reference from local tag to GitLab container registry at
glcr.rydertech.us/ryder/nlcc-itinerary:latest

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-04 14:41:05 -05:00
Joshua Ryder
b3eb32a688 Clean up docker-compose.yml 
Removed build configuration from docker-compose.yml. The image should be built
separately using 'docker build -t nlcc-itinerary:latest .' and the compose file
now just references the pre-built image with runtime configuration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-04 14:34:58 -05:00
Joshua Ryder
c127ea35f6 Self-service password reset 2025-10-06 18:26:01 -04:00
Joshua Ryder
067053525b Docker compose adjustments 2025-10-06 17:35:22 -04:00
Joshua Ryder
002302bb52 auth changes 2025-10-02 11:14:43 -04:00
Joshua Ryder
966f1bae5d Make SITE_URL and AUTH_SECRET configurable via environment variables for any deployment 2025-10-01 23:12:22 -04:00
Joshua Ryder
1b282c05fe Complete sermon itinerary application with Nuxt 3, SQLite, authentication, and Docker deployment 2025-10-01 22:15:01 -04:00
Joshua Ryder
793f395795 Starting over 2025-10-01 22:00:32 -04:00
Joshua Ryder
fe4394241e Fix deployment issues: native modules, volume mapping, Nuxt 4 config 2025-10-01 21:41:13 -04:00
Ryderjj89
7b8c30478a docker compose file 2025-10-01 20:41:44 -04:00
Ryderjj89
1b13ca77cf Remove deprecated version field from docker-compose.yml 2025-09-29 19:03:18 -04:00
Ryderjj89
c033410c2e Complete sermon management system with Nuxt 4, authentication, SQLite database, QR codes, and Docker deployment 2025-09-29 18:59:31 -04:00