Joshua Ryder
2ff493d804
feat: Implement comprehensive security hardening
Security Improvements:
- Auto-generate AUTH_SECRET and admin credentials on first launch
- Cryptographically secure random generation
- Stored in database for persistence
- Logged once to container logs for admin retrieval
- Implement CSRF protection with double-submit cookie pattern
- Three-way validation: cookie, header, and session database
- Automatic client-side injection via plugin
- Server middleware for automatic validation
- Zero frontend code changes required
- Add session fixation prevention with automatic invalidation
- Regenerate sessions on password changes
- Keep current session active, invalidate others on profile password change
- Invalidate ALL sessions on forgot-password reset
- Invalidate ALL sessions on admin password reset
- Upgrade password reset codes to 8-char alphanumeric
- Increased from 1M to 1.8 trillion combinations
- Uses crypto.randomInt() for cryptographic randomness
- Excluded confusing characters (I, O) for better UX
- Case-insensitive verification
- Implement dual-layer account lockout
- IP-based rate limiting (existing)
- Per-account lockout: 10 attempts = 30 min lock
- Automatic unlock after expiration
- Admin manual unlock via UI
- Visual status indicators in users table
Database Changes:
- Add csrf_token column to sessions table
- Add failed_login_attempts and locked_until columns to users table
- Add settings table for persistent AUTH_SECRET storage
- All migrations backward-compatible with try-catch
New Files:
- server/utils/csrf.ts - CSRF protection utilities
- server/middleware/csrf.ts - Automatic CSRF validation middleware
- plugins/csrf.client.ts - Automatic CSRF header injection
- server/api/users/unlock/[id].post.ts - Admin unlock endpoint
Modified Files:
- server/utils/database.ts - Core security functions and schema updates
- server/utils/email.ts - Enhanced reset code generation
- server/api/auth/login.post.ts - CSRF + account lockout logic
- server/api/auth/register.post.ts - CSRF token generation
- server/api/auth/logout.post.ts - CSRF cookie cleanup
- server/api/auth/reset-password.post.ts - Session invalidation
- server/api/auth/verify-reset-code.post.ts - Case-insensitive codes
- server/api/profile/update.put.ts - Session invalidation on password change
- server/api/users/password/[id].put.ts - Session invalidation on admin reset
- pages/users.vue - Lock status display and unlock functionality
- docker-compose.yml - Removed default credentials
- nuxt.config.ts - Support auto-generation
All changes follow OWASP best practices and are production-ready.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-05 17:36:31 -05:00
..
2025-11-05 17:36:31 -05:00
2025-11-05 17:36:31 -05:00
2025-11-04 14:07:14 -05:00
2025-11-05 17:36:31 -05:00