spotlightcam

radziel/spotlightcam

Fork 0

Commit Graph

Author	SHA1	Message	Date
Radosław Gierwiało	537dd112ff	feat(scheduler): in-process matching scheduler with audit + admin endpoints - Add in-process scheduler service triggered by ENABLE_SCHEDULER - Record runs in new matching_runs table; throttle per-event and log stats - Add admin endpoints: POST /api/admin/events/:slug/run-now and GET /api/admin/events/:slug/matching-runs - Wire scheduler start/stop in server and add ENV flags + compose defaults - Prisma schema: add MatchingRun model and relation - Update env examples for scheduler configuration	2025-11-30 13:14:02 +01:00
Radosław Gierwiało	44df50362a	feat(security): implement comprehensive security hardening - Add CSRF protection with cookie-based tokens - Add cookie-parser and csurf middleware - Create GET /api/csrf-token endpoint - Frontend automatically includes CSRF token in POST/PUT/DELETE requests - Add retry logic for expired CSRF tokens - Implement account lockout mechanism - Add database fields: failedLoginAttempts, lockedUntil - Track failed login attempts and lock accounts after max attempts (configurable) - Auto-unlock after lockout duration expires - Return helpful error messages with remaining time - Add comprehensive security environment variables - Rate limiting configuration (API, auth, email endpoints) - CSRF protection toggle - Password policy requirements - Account lockout settings - Logging levels - Add comprehensive test coverage - 6 new tests for account lockout functionality - 11 new tests for CSRF protection - All tests handle enabled/disabled states gracefully - Update documentation - Add Phase 3 security hardening to SESSION_CONTEXT.md - Document new database fields and migration - Update progress to 85% Files changed: - Backend: app.js, auth controller, security config, new migration - Frontend: api.js with CSRF token handling - Tests: auth.test.js (extended), csrf.test.js (new) - Config: .env examples with security variables - Docs: SESSION_CONTEXT.md updated	2025-11-19 20:16:05 +01:00
Radosław Gierwiało	b948b81f80	refactor: use environment-specific .env files - Rename .env.example to .env.development.example - Update docker-compose.yml to use env_file for dev backend - Update .gitignore to ignore .env.development and .env.production - Remove generic .env and .env.example in favor of: * .env.development (dev) + .env.development.example (template) * .env.production (prod) + .env.production.example (template)	2025-11-15 17:26:16 +01:00

Author

SHA1

Message

Date

Radosław Gierwiało

537dd112ff

feat(scheduler): in-process matching scheduler with audit + admin endpoints

- Add in-process scheduler service triggered by ENABLE_SCHEDULER
- Record runs in new matching_runs table; throttle per-event and log stats
- Add admin endpoints: POST /api/admin/events/:slug/run-now and GET /api/admin/events/:slug/matching-runs
- Wire scheduler start/stop in server and add ENV flags + compose defaults
- Prisma schema: add MatchingRun model and relation
- Update env examples for scheduler configuration

2025-11-30 13:14:02 +01:00

Radosław Gierwiało

44df50362a

feat(security): implement comprehensive security hardening

- Add CSRF protection with cookie-based tokens
  - Add cookie-parser and csurf middleware
  - Create GET /api/csrf-token endpoint
  - Frontend automatically includes CSRF token in POST/PUT/DELETE requests
  - Add retry logic for expired CSRF tokens

- Implement account lockout mechanism
  - Add database fields: failedLoginAttempts, lockedUntil
  - Track failed login attempts and lock accounts after max attempts (configurable)
  - Auto-unlock after lockout duration expires
  - Return helpful error messages with remaining time

- Add comprehensive security environment variables
  - Rate limiting configuration (API, auth, email endpoints)
  - CSRF protection toggle
  - Password policy requirements
  - Account lockout settings
  - Logging levels

- Add comprehensive test coverage
  - 6 new tests for account lockout functionality
  - 11 new tests for CSRF protection
  - All tests handle enabled/disabled states gracefully

- Update documentation
  - Add Phase 3 security hardening to SESSION_CONTEXT.md
  - Document new database fields and migration
  - Update progress to 85%

Files changed:
- Backend: app.js, auth controller, security config, new migration
- Frontend: api.js with CSRF token handling
- Tests: auth.test.js (extended), csrf.test.js (new)
- Config: .env examples with security variables
- Docs: SESSION_CONTEXT.md updated

2025-11-19 20:16:05 +01:00

Radosław Gierwiało

b948b81f80

refactor: use environment-specific .env files

- Rename .env.example to .env.development.example
- Update docker-compose.yml to use env_file for dev backend
- Update .gitignore to ignore .env.development and .env.production
- Remove generic .env and .env.example in favor of:
  * .env.development (dev) + .env.development.example (template)
  * .env.production (prod) + .env.production.example (template)

2025-11-15 17:26:16 +01:00

3 Commits