44df50362a
- Add CSRF protection with cookie-based tokens - Add cookie-parser and csurf middleware - Create GET /api/csrf-token endpoint - Frontend automatically includes CSRF token in POST/PUT/DELETE requests - Add retry logic for expired CSRF tokens - Implement account lockout mechanism - Add database fields: failedLoginAttempts, lockedUntil - Track failed login attempts and lock accounts after max attempts (configurable) - Auto-unlock after lockout duration expires - Return helpful error messages with remaining time - Add comprehensive security environment variables - Rate limiting configuration (API, auth, email endpoints) - CSRF protection toggle - Password policy requirements - Account lockout settings - Logging levels - Add comprehensive test coverage - 6 new tests for account lockout functionality - 11 new tests for CSRF protection - All tests handle enabled/disabled states gracefully - Update documentation - Add Phase 3 security hardening to SESSION_CONTEXT.md - Document new database fields and migration - Update progress to 85% Files changed: - Backend: app.js, auth controller, security config, new migration - Frontend: api.js with CSRF token handling - Tests: auth.test.js (extended), csrf.test.js (new) - Config: .env examples with security variables - Docs: SESSION_CONTEXT.md updated
spotlight.cam Backend
Node.js + Express backend for spotlight.cam - P2P video exchange app for dance events.
Features
- ✅ Express REST API
- ✅ CORS enabled
- ✅ Health check endpoint
- ✅ Error handling
- ✅ Unit tests (Jest + Supertest)
- ⏳ PostgreSQL integration (planned)
- ⏳ JWT authentication (planned)
- ⏳ Socket.IO for real-time chat (planned)
- ⏳ WebRTC signaling (planned)
API Endpoints
Health Check
GET /api/health- Backend health status
Future Endpoints
POST /api/auth/register- Register new userPOST /api/auth/login- Login userGET /api/users/me- Get current userGET /api/events- List eventsPOST /api/matches- Create matchPOST /api/ratings- Rate partner
Development
Install dependencies
npm install
Run in development mode
npm run dev
Run tests
npm test
Run tests in watch mode
npm run test:watch
Run in production mode
npm start
Environment Variables
Create a .env file (see .env.example):
NODE_ENV=development
PORT=3000
CORS_ORIGIN=http://localhost:8080
Project Structure
backend/
├── src/
│ ├── __tests__/ # Unit tests
│ │ └── app.test.js
│ ├── routes/ # API routes (future)
│ ├── controllers/ # Business logic (future)
│ ├── middleware/ # Custom middleware (future)
│ ├── utils/ # Helper functions (future)
│ ├── app.js # Express app setup
│ └── server.js # Server entry point
├── .env # Environment variables (gitignored)
├── .env.example # Environment variables template
├── package.json
└── Dockerfile
Testing
Tests are written using:
- Jest - Test framework
- Supertest - HTTP assertions
Run tests:
npm test
Current test coverage:
- Health check endpoint
- 404 error handling
- CORS configuration
- JSON body parsing
Docker
Build and run with Docker Compose (from project root):
docker compose up --build
Backend will be available at:
- Internal: http://backend:3000
- Through nginx: http://localhost:8080/api
Next Steps
- ✅ Basic Express setup
- ✅ Health check endpoint
- ✅ Unit tests
- ⏳ PostgreSQL connection
- ⏳ Database schema and migrations
- ⏳ Authentication (JWT + bcrypt)
- ⏳ Socket.IO for real-time chat
- ⏳ WebRTC signaling
License
TBD