Commit Graph

2 Commits

Author SHA1 Message Date
simone a478462aa4 security: full hardening pass — auth guards, rate limiting, headers, internal secret
- Add requireAdmin() to all unprotected admin server actions
  (clients/new, clients/[id], timer-actions — 17 functions total)
- Protect /api/internal/* endpoints with X-Internal-Secret header
  (proxy.ts sends it; routes reject requests without it)
- Randomize auto-generated client slugs with 4-char suffix
  to prevent enumeration via predictable name-based slugs
- Add in-memory rate limiting to /api/client/approve (20/min)
  and /api/client/comment (10/min) per IP
- Add security headers: X-Frame-Options, X-Content-Type-Options,
  Referrer-Policy, Permissions-Policy, X-DNS-Prefetch-Control
- Reduce JWT session from 30 days to 7 days with daily rotation
- Remove hardcoded NEXTAUTH_URL from Dockerfile (pass via Coolify env)
- Genericize client API error messages to not leak data structure
- Update .env.example with all required variables including INTERNAL_SECRET

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 14:36:16 +02:00
Simone Cavalli 6b5609b0cb feat(01-01): install Drizzle ORM, postgres-js, and configure DB client
- drizzle-orm@0.45.2 + postgres@3.4.9 installed (postgres-js driver)
- drizzle-kit@0.31.10 installed as dev dependency
- nanoid@5, zod@4, react-hook-form, @hookform/resolvers installed
- src/db/index.ts: Drizzle client initialized with postgres-js driver
- drizzle.config.ts: configured for postgresql dialect + src/db/schema.ts
- .env.example: added as public template (no secrets)
- .gitignore: allow .env.example while blocking all other .env* files
2026-05-13 15:30:53 +02:00