radziel/spotlightcam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
248 Commits 1 Branch 0 Tags
d780b544b0ddcda0d76cdfe7bd51bbf50839d33b
Commit Graph

5 Commits

Author SHA1 Message Date
Radosław Gierwiało
f284eb3f2e feat(docker): protect production database with external volume 
- Mark postgres_data_prod as external volume (slc_postgres_prod_data)
- External volumes are NOT deleted by 'docker compose down -v'
- Add volume creation step to production deployment guide
- Document volume safety measures and dangerous commands
- Add shell alias examples for safe volume management
- Update security checklist with volume creation requirement

Protection: Production database now requires manual volume deletion,
preventing accidental data loss during container management.
 2025-12-06 12:36:27 +01:00
Radosław Gierwiało
d98222da12 docs: update documentation for Phase 3.7 changes 
- Update README.md with beta features, seed commands, resource limits
- Update SESSION_CONTEXT.md with Phase 3.7 changelog and new structure
- Update DEPLOYMENT.md with seeding instructions and resource requirements
- Document Makefile commands, environment reorganization, footer changes
- Update test accounts to use @spotlight.cam domain
- Add production resource allocation table (4 CPU / 8GB server)
- Last updated: 2025-12-06
 2025-12-06 12:33:01 +01:00
Radosław Gierwiało
975d258497 docs: reorganize documentation structure for better context efficiency 
Reorganization changes:
1. Moved from root → docs/:
   - QUICKSTART.md
   - QUICK_TEST.md
   - WEBRTC_TESTING_GUIDE.md

2. Created docs/archive/ and moved archival files:
   - COMPLETED.md (completed tasks archive)
   - PHASE_1.5.md (historical phase documentation)
   - RESOURCES.md (learning resources)
   - SECURITY_AUDIT.md (security audit)
   - ADMIN_CLI.md (CLI documentation)

3. Updated all references in:
   - README.md
   - docs/CONTEXT.md
   - docs/TODO.md
   - docs/SESSION_CONTEXT.md
   - docs/DEPLOYMENT.md
   - docs/QUICK_TEST.md

Active docs/ now contains only essential files:
- SESSION_CONTEXT.md (primary for context restoration)
- TODO.md
- CONTEXT.md
- ARCHITECTURE.md
- DEPLOYMENT.md
- MONITORING.md
- QUICKSTART.md
- QUICK_TEST.md
- WEBRTC_TESTING_GUIDE.md

Benefits:
- Reduced token usage when reading docs/ for context
- Clear separation between active and archived documentation
- Better organization for future maintenance
 2025-11-20 22:42:06 +01:00
Radosław Gierwiało
3ff966defc refactor: migrate to native Docker Compose profiles 
Simplified Docker Compose configuration by using native profiles
instead of override files, following best practices.

Changes:
- Consolidated docker-compose.yml with --profile dev/prod support
- Removed docker-compose.dev.yml and docker-compose.prod.yml
- Updated all documentation for new usage pattern
- Created comprehensive README.md and DEPLOYMENT.md
- Simplified commands: 'docker compose --profile dev up'

Environment-specific configurations:
- Development: relaxed security, hot reload, exposed ports
- Production: strict security, optimized builds, restricted access

This approach is cleaner, more maintainable, and follows Docker
Compose best practices.
 2025-11-13 18:00:08 +01:00
Radosław Gierwiało
bf8a9260bd security: implement CRITICAL and MEDIUM security fixes with environment profiles 
This commit addresses all CRITICAL and MEDIUM security vulnerabilities
identified in the security audit with environment-aware configuration.

## Docker Compose Profiles

- Added docker-compose.dev.yml for development (relaxed security)
- Added docker-compose.prod.yml for production (strict security)
- Environment-specific configurations for rate limiting, CSRF, logging

## CRITICAL Fixes (P0)

1. Fixed insecure random number generation
   - Replaced Math.random() with crypto.randomBytes() for verification codes
   - Now cryptographically secure

2. Implemented rate limiting
   - express-rate-limit for all endpoints
   - Strict limits on auth endpoints (5 attempts in dev=off, prod=5)
   - Email endpoint limits (20 in dev, 3 in prod)
   - API-wide rate limiting

3. Added request body size limits
   - Development: 50MB (for testing)
   - Production: 10KB (security)

4. Fixed user enumeration vulnerability
   - Generic error message for registration
   - No disclosure of which field exists

5. Added security headers
   - helmet.js with CSP, HSTS, XSS protection
   - No-sniff, hide powered-by headers

## MEDIUM Fixes (P1)

6. Strengthened password policy
   - Environment-aware validation (8+ chars)
   - Production: requires uppercase, lowercase, number
   - Development: relaxed for testing

7. Enhanced input validation
   - Validation for all auth endpoints
   - WSDC ID validation (numeric, max 10 digits)
   - Name validation (safe characters only)
   - Email normalization

8. Added input sanitization
   - DOMPurify for XSS prevention
   - Sanitize all user inputs in emails
   - Timing-safe string comparison for tokens

9. Improved error handling
   - Generic errors in production
   - Detailed errors only in development
   - Proper error logging

10. Enhanced CORS configuration
    - Whitelist-based origin validation
    - Environment-specific allowed origins
    - Credentials support

## New Files

- backend/src/config/security.js - Environment-aware security config
- backend/src/middleware/rateLimiter.js - Rate limiting middleware
- backend/src/utils/sanitize.js - Input sanitization utilities
- backend/.env.example - Development environment template
- backend/.env.production.example - Production environment template
- docker-compose.dev.yml - Development overrides
- docker-compose.prod.yml - Production configuration
- docs/DEPLOYMENT.md - Complete deployment guide
- docs/SECURITY_AUDIT.md - Full security audit report
- .gitignore - Updated to exclude .env files

## Dependencies Added

- helmet (^8.1.0) - Security headers
- express-rate-limit (^8.2.1) - Rate limiting
- dompurify (^3.3.0) - XSS prevention
- jsdom (^27.2.0) - DOM manipulation for sanitization

## Testing

-  Password validation works (weak passwords rejected)
-  User enumeration fixed (generic error messages)
-  WSDC lookup functional
-  Registration flow working
-  Rate limiting active (environment-aware)
-  Security headers present

## Usage

Development:
  docker compose -f docker-compose.yml -f docker-compose.dev.yml up

Production:
  docker compose -f docker-compose.yml -f docker-compose.prod.yml up

See docs/DEPLOYMENT.md for detailed instructions.
 2025-11-13 16:39:27 +01:00