df92ebefb8
fix: Use direct process.env access for email configuration
Simplified email configuration to always use process.env directly instead of
Nuxt runtime config. This ensures Docker environment variables are properly
read at runtime rather than being baked in at build time.
Changes:
- Removed Nuxt runtime config dependency from getEmailConfig()
- Always read EMAIL_* environment variables directly from process.env
- Added comprehensive debug logging to diagnose configuration issues
- Updated nuxt.config.ts with better documentation of runtime config behavior
This ensures environment variables set in docker-compose.yml are properly
used by the application at runtime.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-05 18:16:35 -05:00
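As an added illustration of the approach this commit describes (reading EMAIL_* settings from process.env at runtime rather than from Nuxt runtime config), here is an example getEmailConfig() that is not the project's own code. The specific variable names (EMAIL_HOST, EMAIL_PORT, EMAIL_SECURE, EMAIL_USER, EMAIL_PASSWORD, EMAIL_FROM), the defaults and the redaction helper are assumptions for this example. The env object is injected so the function can be exercised offline; in the server it would be called with the default, process.env. Two points a practitioner wants from a runtime-only loader: fail fast on missing or malformed values instead of sending mail through a half-configured transport, and log a redacted copy when diagnosing configuration, so the SMTP password never lands in container logs.

```typescript
// Added example (not the project's code). Variable names are assumed.
interface EmailConfig {
  host: string;
  port: number;
  secure: boolean;
  user: string;
  password: string;
  from: string;
}

// Only process.env is consulted (or an injected stand-in), so values set in
// docker-compose.yml are read when the container starts, not at build time.
function getEmailConfig(
  env: Record<string, string | undefined> = process.env,
): EmailConfig {
  const required = ["EMAIL_HOST", "EMAIL_USER", "EMAIL_PASSWORD", "EMAIL_FROM"];
  const missing = required.filter((name) => !env[name]);
  if (missing.length > 0) {
    // Fail fast: a partial config should stop startup, not surface later as
    // a confusing SMTP error.
    throw new Error(`Missing email configuration: ${missing.join(", ")}`);
  }

  const port = Number(env.EMAIL_PORT || "587");
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`Invalid EMAIL_PORT: ${env.EMAIL_PORT}`);
  }

  return {
    host: env.EMAIL_HOST as string,
    port,
    secure: env.EMAIL_SECURE === "true",
    user: env.EMAIL_USER as string,
    password: env.EMAIL_PASSWORD as string,
    from: env.EMAIL_FROM as string,
  };
}

// Use this, never the raw config, in debug logging.
function redactEmailConfig(cfg: EmailConfig): EmailConfig {
  return { ...cfg, password: cfg.password ? "[redacted]" : "" };
}

// Constructed sample environment, standing in for docker-compose.yml values.
const sampleEnv = {
  EMAIL_HOST: "smtp.example.test",
  EMAIL_PORT: "465",
  EMAIL_SECURE: "true",
  EMAIL_USER: "mailer",
  EMAIL_PASSWORD: "s3cret-value",
  EMAIL_FROM: "noreply@example.test",
};

console.log("email config:", redactEmailConfig(getEmailConfig(sampleEnv)));
```

Injecting env as a parameter is what makes the loader testable without touching the real process.env; the redacted copy is the only form that should ever reach a logger.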
2ff493d804
feat: Implement comprehensive security hardening
Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
  - Cryptographically secure random generation
  - Stored in database for persistence
  - Logged once to container logs for admin retrieval
- Implement CSRF protection with double-submit cookie pattern
  - Three-way validation: cookie, header, and session database
  - Automatic client-side injection via plugin
  - Server middleware for automatic validation
  - Zero frontend code changes required
- Add session fixation prevention with automatic invalidation
  - Regenerate sessions on password changes
  - Keep current session active, invalidate others on profile password change
  - Invalidate ALL sessions on forgot-password reset
  - Invalidate ALL sessions on admin password reset
- Upgrade password reset codes to 8-char alphanumeric
  - Increased from 1M to 1.8 trillion combinations
  - Uses crypto.randomInt() for cryptographic randomness
  - Excluded confusing characters (I, O) for better UX
  - Case-insensitive verification
- Implement dual-layer account lockout
  - IP-based rate limiting (existing)
  - Per-account lockout: 10 attempts = 30 min lock
  - Automatic unlock after expiration
  - Admin manual unlock via UI
  - Visual status indicators in users table
Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch
New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint
Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation
All changes follow OWASP best practices and are production-ready.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-05 17:36:31 -05:00
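Two of the mechanisms this commit lists are specified precisely enough to work through: the 8-character reset codes (digits and letters without I and O, drawn with crypto.randomInt(), verified case-insensitively) and the per-account lockout (10 failures, 30-minute lock, automatic expiry, manual admin unlock). The block below is an added example, not the project's server/utils/email.ts or database.ts, and everything in it is an assumption for illustration: the alphabet string, the function names, the LockoutState shape (two fields standing in for the failed_login_attempts and locked_until columns the commit adds), and the use of crypto.timingSafeEqual for the comparison, which the commit does not mention. Time is passed in explicitly so the expiry behaviour can be checked deterministically.

```typescript
// Added example (not the project's code). Names and alphabet are assumed.
import { randomInt, timingSafeEqual } from "node:crypto";

// --- Reset codes -----------------------------------------------------------
// Digits plus uppercase letters with I and O left out, so a code is never
// misread as 1 or 0: 34 symbols, 34^8 possible 8-character codes.
const RESET_CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789";
const RESET_CODE_LENGTH = 8;

function resetCodeSpace(length: number = RESET_CODE_LENGTH): number {
  return RESET_CODE_ALPHABET.length ** length;
}

function generateResetCode(length: number = RESET_CODE_LENGTH): string {
  let code = "";
  for (let i = 0; i < length; i++) {
    // randomInt draws from the CSPRNG with rejection sampling, so every
    // symbol is equally likely; Math.random() or `byte % 34` would not be.
    code += RESET_CODE_ALPHABET[randomInt(RESET_CODE_ALPHABET.length)];
  }
  return code;
}

// Case-insensitive verification: normalise both sides the same way.
function normalizeResetCode(code: string): string {
  return code.trim().toUpperCase();
}

function verifyResetCode(submitted: string, stored: string): boolean {
  const a = Buffer.from(normalizeResetCode(submitted), "utf8");
  const b = Buffer.from(normalizeResetCode(stored), "utf8");
  // timingSafeEqual needs equal lengths; a length mismatch is a plain reject.
  return a.length === b.length && timingSafeEqual(a, b);
}

// --- Per-account lockout ---------------------------------------------------
const MAX_FAILED_ATTEMPTS = 10;
const LOCK_DURATION_MS = 30 * 60 * 1000;

// Stand-in for the failed_login_attempts / locked_until columns on users.
interface LockoutState {
  failedLoginAttempts: number;
  lockedUntil: number | null; // epoch ms; null when no lock is set
}

function isLocked(state: LockoutState, now: number): boolean {
  return state.lockedUntil !== null && state.lockedUntil > now;
}

// Wrong password: bump the counter and lock on the 10th failure. A lock that
// has already expired means the old streak is stale, so counting restarts.
function recordFailedLogin(state: LockoutState, now: number): LockoutState {
  const expired = state.lockedUntil !== null && state.lockedUntil <= now;
  const attempts = expired ? 1 : state.failedLoginAttempts + 1;
  return attempts >= MAX_FAILED_ATTEMPTS
    ? { failedLoginAttempts: attempts, lockedUntil: now + LOCK_DURATION_MS }
    : { failedLoginAttempts: attempts, lockedUntil: null };
}

// Correct password, or the admin unlock endpoint: clear both columns.
function clearLockout(): LockoutState {
  return { failedLoginAttempts: 0, lockedUntil: null };
}

// Order matters in the login handler: the lock is checked before the password
// so a locked account never reaches password verification at all.
function attemptLogin(
  state: LockoutState,
  passwordOk: boolean,
  now: number,
): { allowed: boolean; state: LockoutState } {
  if (isLocked(state, now)) return { allowed: false, state };
  if (passwordOk) return { allowed: true, state: clearLockout() };
  return { allowed: false, state: recordFailedLogin(state, now) };
}

console.log("code space:", resetCodeSpace(), "sample code:", generateResetCode());
```

The IP-based rate limiter the commit keeps is the other layer: the per-account lock stops a distributed guess against one user, the IP limiter stops one source spraying many users, and neither alone covers both cases.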
c127ea35f6
Self-service password reset
2025-10-06 18:26:01 -04:00
002302bb52
auth changes
2025-10-02 11:14:43 -04:00
71e39cceb1
Fix favicon and add authentication state to main page with logout/create sermon buttons
2025-10-01 22:25:35 -04:00
22f7c6f8ad
Remove @nuxt/ui dependency to fix build issues
2025-10-01 22:18:06 -04:00
1b282c05fe
Complete sermon itinerary application with Nuxt 3, SQLite, authentication, and Docker deployment
2025-10-01 22:15:01 -04:00
793f395795
Starting over
2025-10-01 22:00:32 -04:00
6d0f99507a
fix: Add PostCSS config and update NuxtUI configuration for proper styling
2025-10-01 21:56:14 -04:00
beddaede19
fix: Add Tailwind directives and import main.css in nuxt.config
2025-10-01 21:52:01 -04:00
64e73b3ee9
fix: Add alias for tailwindcss/colors to resolve module import error
2025-10-01 21:47:54 -04:00
fe4394241e
Fix deployment issues: native modules, volume mapping, Nuxt 4 config
2025-10-01 21:41:13 -04:00
b4f7da9101
fix: Externalize tailwindcss and tailwindcss/colors from Nitro build
2025-10-01 21:29:09 -04:00
a36a97c9f9
feat: Implement multi-stage Dockerfile for robust Nuxt build
2025-10-01 21:25:20 -04:00
8abff8a764
fix: Externalize tailwindcss from Nitro build to resolve module not found error
2025-10-01 21:22:09 -04:00
bf158bb83c
feat: Explicitly configure Tailwind CSS and PostCSS in nuxt.config.ts
2025-10-01 21:18:01 -04:00
108d144774
fix: Remove diagnostic Tailwind class from app.vue and explicit CSS import from nuxt.config.ts
2025-10-01 21:13:58 -04:00
dadea8b5d0
feat: Restore admin.vue content with proper width constraints and add favicon
2025-10-01 20:55:52 -04:00
Ryderjj89
a85f69d30f
fix: Configure Vite to externalize Node.js modules for client build
2025-10-01 19:11:25 -04:00
Ryderjj89
786126a271
fix: Configure Nitro externals for server-side dependencies
2025-10-01 19:05:42 -04:00
Ryderjj89
c818d43f4e
Fix logo size, improve CSS styling with universal selector, and add error handling
2025-09-29 19:43:53 -04:00
Ryderjj89
97daf164ee
Remove TailwindCSS completely and use Nuxt UI with custom CSS for styling
2025-09-29 19:21:34 -04:00
Ryderjj89
d11bdcfeaf
Simplify TailwindCSS config: remove PostCSS plugin and use standard Nuxt 4 integration
2025-09-29 19:17:41 -04:00
Ryderjj89
25b7c795a1
Fix Nuxt 4 TailwindCSS configuration: add Tailwind directives and proper config
2025-09-29 19:15:58 -04:00
Ryderjj89
c033410c2e
Complete sermon management system with Nuxt 4, authentication, SQLite database, QR codes, and Docker deployment
2025-09-29 18:59:31 -04:00