Radosław Gierwiało
44df50362a
feat(security): implement comprehensive security hardening
- Add CSRF protection with cookie-based tokens
  - Add cookie-parser and csurf middleware
  - Create GET /api/csrf-token endpoint
  - Frontend automatically includes CSRF token in POST/PUT/DELETE requests
  - Add retry logic for expired CSRF tokens
- Implement account lockout mechanism
  - Add database fields: failedLoginAttempts, lockedUntil
  - Track failed login attempts and lock accounts after max attempts (configurable)
  - Auto-unlock after lockout duration expires
  - Return helpful error messages with remaining time
- Add comprehensive security environment variables
  - Rate limiting configuration (API, auth, email endpoints)
  - CSRF protection toggle
  - Password policy requirements
  - Account lockout settings
  - Logging levels
- Add comprehensive test coverage
  - 6 new tests for account lockout functionality
  - 11 new tests for CSRF protection
  - All tests handle enabled/disabled states gracefully
- Update documentation
  - Add Phase 3 security hardening to SESSION_CONTEXT.md
  - Document new database fields and migration
  - Update progress to 85%

Files changed:
- Backend: app.js, auth controller, security config, new migration
- Frontend: api.js with CSRF token handling
- Tests: auth.test.js (extended), csrf.test.js (new)
- Config: .env examples with security variables
- Docs: SESSION_CONTEXT.md updated
2025-11-19 20:16:05 +01:00
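The account lockout mechanism the commit describes (failedLoginAttempts / lockedUntil fields, configurable max attempts, auto-unlock after the lockout duration, error message with remaining time), as an added example that is not the project's own code. The config object, function names and the in-memory user record are assumptions for illustration; the real implementation persists these fields in the database.

```javascript
// Added example: account lockout state handling. Names and config are hypothetical.
const LOCKOUT_CONFIG = { maxAttempts: 5, lockoutMs: 15 * 60 * 1000 };

// Check whether a user record is currently locked. If a previous lockout has
// expired, the counters are reset (auto-unlock) and the account is treated as open.
function checkLockout(user, now = Date.now()) {
  if (user.lockedUntil && user.lockedUntil > now) {
    return { locked: true, remainingMs: user.lockedUntil - now };
  }
  if (user.lockedUntil && user.lockedUntil <= now) {
    user.lockedUntil = null;          // lockout duration has elapsed
    user.failedLoginAttempts = 0;     // start counting afresh
  }
  return { locked: false, remainingMs: 0 };
}

// Record one failed login; lock the account once the configured maximum is reached.
function recordFailedLogin(user, now = Date.now(), cfg = LOCKOUT_CONFIG) {
  user.failedLoginAttempts = (user.failedLoginAttempts || 0) + 1;
  if (user.failedLoginAttempts >= cfg.maxAttempts) {
    user.lockedUntil = now + cfg.lockoutMs;
  }
  return user;
}

// A successful login clears the failure counter and any lockout.
function recordSuccessfulLogin(user) {
  user.failedLoginAttempts = 0;
  user.lockedUntil = null;
  return user;
}

// Human-readable error with the remaining lockout time, rounded up to whole minutes.
function lockoutMessage(remainingMs) {
  const minutes = Math.ceil(remainingMs / 60000);
  return `Account locked. Try again in ${minutes} minute${minutes === 1 ? '' : 's'}.`;
}

// Constructed walkthrough: five failures lock the account, time passing unlocks it.
function demo() {
  const user = { failedLoginAttempts: 0, lockedUntil: null }; // constructed record
  const t0 = 1_000_000;
  for (let i = 0; i < LOCKOUT_CONFIG.maxAttempts; i++) recordFailedLogin(user, t0);
  const during = checkLockout(user, t0 + 60_000);
  const after = checkLockout(user, t0 + LOCKOUT_CONFIG.lockoutMs);
  return { during, after, attemptsAfter: user.failedLoginAttempts };
}
```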