Radosław Gierwiało
44df50362a
feat(security): implement comprehensive security hardening

- Add CSRF protection with cookie-based tokens
  - Add cookie-parser and csurf middleware
  - Create GET /api/csrf-token endpoint
  - Frontend automatically includes CSRF token in POST/PUT/DELETE requests
  - Add retry logic for expired CSRF tokens
- Implement account lockout mechanism
  - Add database fields: failedLoginAttempts, lockedUntil
  - Track failed login attempts and lock accounts after max attempts (configurable)
  - Auto-unlock after lockout duration expires
  - Return helpful error messages with remaining time
- Add comprehensive security environment variables
  - Rate limiting configuration (API, auth, email endpoints)
  - CSRF protection toggle
  - Password policy requirements
  - Account lockout settings
  - Logging levels
- Add comprehensive test coverage
  - 6 new tests for account lockout functionality
  - 11 new tests for CSRF protection
  - All tests handle enabled/disabled states gracefully
- Update documentation
  - Add Phase 3 security hardening to SESSION_CONTEXT.md
  - Document new database fields and migration
  - Update progress to 85%

Files changed:
- Backend: app.js, auth controller, security config, new migration
- Frontend: api.js with CSRF token handling
- Tests: auth.test.js (extended), csrf.test.js (new)
- Config: .env examples with security variables
- Docs: SESSION_CONTEXT.md updated
2025-11-19 20:16:05 +01:00
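The lockout mechanism the commit message describes (failedLoginAttempts and lockedUntil fields, lock after a configurable number of failures, auto-unlock once the lockout duration has passed, error message carrying the remaining time), written out as an added example; this is not the project's own auth controller. The LOCKOUT settings object, the in-memory user record, verifyPassword and the function names are assumptions standing in for the project's config, database and password hashing.

```javascript
// Added example, not code from the commit above: the account-lockout check the
// commit describes, using the two fields it adds (failedLoginAttempts, lockedUntil).
// LOCKOUT, makeUser, verifyPassword and attemptLogin are assumed names, not the project's.
const LOCKOUT = {
  maxAttempts: 5,                      // assumed default; the commit makes this configurable
  lockoutDurationMs: 15 * 60 * 1000,   // assumed default lockout duration
};

// Constructed user record, shaped like a row after the commit's migration.
function makeUser(password) {
  return { email: 'user@example.test', password, failedLoginAttempts: 0, lockedUntil: null };
}

// Stand-in for the real password-hash comparison (assumption; never store plaintext).
function verifyPassword(user, supplied) {
  return user.password === supplied;
}

// Returns { ok: true } on success, or { ok: false, error, retryAfterSec } on failure.
// `now` is injected so the auto-unlock path can be exercised without waiting.
function attemptLogin(user, supplied, now = Date.now()) {
  // Auto-unlock: an expired lock is cleared before any other check runs.
  if (user.lockedUntil !== null && user.lockedUntil <= now) {
    user.lockedUntil = null;
    user.failedLoginAttempts = 0;
  }
  // Still locked: reject without touching the counter, reporting the remaining time.
  if (user.lockedUntil !== null) {
    const retryAfterSec = Math.ceil((user.lockedUntil - now) / 1000);
    return { ok: false, error: `Account locked. Try again in ${retryAfterSec} seconds.`, retryAfterSec };
  }
  if (!verifyPassword(user, supplied)) {
    user.failedLoginAttempts += 1;
    if (user.failedLoginAttempts >= LOCKOUT.maxAttempts) {
      user.lockedUntil = now + LOCKOUT.lockoutDurationMs;
      const retryAfterSec = Math.ceil(LOCKOUT.lockoutDurationMs / 1000);
      return { ok: false, error: `Account locked. Try again in ${retryAfterSec} seconds.`, retryAfterSec };
    }
    // Generic message: do not reveal whether the account exists or how many attempts remain.
    return { ok: false, error: 'Invalid credentials', retryAfterSec: 0 };
  }
  user.failedLoginAttempts = 0;   // a successful login resets the counter
  return { ok: true };
}
```

A correct password submitted while the lock is active is rejected without resetting the counter, so the lock cannot be cleared early by guessing right.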