Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity
95 Commits 17 Branches 15 Tags
2522bb351428b161246a7cff25b52c4f386018a4
Commit Graph

7 Commits

Author SHA1 Message Date
Gronod
2522bb3514 fix: rebuild package-lock for Node 22; upgrade dev environment
Some checks failed
Build and Push Docker Image / build (push) Successful in 39s
Details
CI / Security audit (push) Has been cancelled
Details 
- Deleted stale Node 12 node_modules and package-lock.json; reinstalled
  with Node 22.22.2 (upgraded from system Node 12 via nodesource repo)
- better-sqlite3 native module rebuilt for Node 22
- All deps resolve cleanly: 0 vulnerabilities
 2026-05-17 07:00:32 +01:00
Gronod
bdbbcabfbc feat(security): production hardening for external deployment
All checks were successful
Build and Push Docker Image / build (push) Successful in 1m2s
Details
CI / Security audit (push) Successful in 3m29s
Details 
Container (Dockerfile):
- Multi-stage build (deps + runtime) for minimal attack surface
- Upgrade base image from node:18-alpine to node:22-alpine
- Run as non-root 'node' user (UID 1000); source files owned by root
- /app/data directory owned by node for SQLite + logs
- Docker HEALTHCHECK: wget /health every 30s

docker-compose.yaml:
- Port bound to 127.0.0.1 only (expose via reverse proxy)
- read_only: true filesystem; /tmp tmpfs for Node.js
- no-new-privileges:true, cap_drop: ALL
- Named volume sofarr-data for persistent data
- TRUST_PROXY, COOKIE_SECRET, NODE_ENV added

Helmet v7 + CSP nonce:
- Upgrade helmet@4 → helmet@7, express-rate-limit@6 → @7
- CSP with per-request nonce injected into index.html script/link tags
  (replaces blanket unsafe-inline; nonce changes every request)
- HSTS: max-age=1yr, includeSubDomains, preload
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera/mic/geolocation/payment/usb all off
- index.html served dynamically with nonce injection; static assets
  served normally via express.static({index:false})

Trust proxy:
- TRUST_PROXY env var configures app.set('trust proxy') so rate
  limiting and secure cookies work correctly behind Nginx/Caddy

Session & auth:
- Token store migrated from in-memory Map to SQLite via better-sqlite3
  (server/utils/tokenStore.js): survives restarts, WAL mode, 31-day TTL
- CSRF double-submit cookie pattern (server/middleware/verifyCsrf.js):
  POST/PUT/PATCH/DELETE on /api/* require X-CSRF-Token header matching
  the csrf_token cookie; timing-safe comparison
- CSRF token issued on login + GET /api/auth/csrf; cleared on logout
- Login input validation: username/password length + type checked before
  hitting Emby
- skipSuccessfulRequests:true on login rate limiter (only count failures)
- express.json({ limit: '64kb' }) to reject oversized payloads

Rate limiting:
- General API limiter: 300 req/15min per IP on all /api/* routes
- Login limiter unchanged (10 failures/15min) but now only counts fails

Logging:
- Log file moved from /app/server.log to DATA_DIR/server.log (writable
  by non-root node user in container)
- Size-based rotation: rotate at 10 MB, keep 3 files (server.log.1-3)
- DATA_DIR defaults to ./data locally, /app/data in container

Error handling:
- Global Express error handler: catches unhandled errors, logs message,
  returns generic 500 (no stack traces to clients)

Health/readiness:
- GET /health: returns {status:'ok', uptime:N} — used by HEALTHCHECK
- GET /ready: returns 503 if EMBY_URL not configured

Error sanitization (sanitizeError.js):
- Added patterns for password= params, bearer tokens, Basic auth in URLs

Supply chain:
- Remove unused cors dependency
- add better-sqlite3@^9
- CI: upgrade to Node 22, raise audit level to --audit-level=high
- .gitignore: add data/, *.db, *.db-wal, *.db-shm

Docs:
- SECURITY.md: threat model, hardening checklist, proxy examples,
  header table, rate limit table, Docker secrets guidance
- .env.example + .env.sample: TRUST_PROXY, DATA_DIR documented
 2026-05-17 06:47:25 +01:00
Gronod
031877e6a0 fix(ci): upgrade nodemon to ^3 to resolve semver ReDoS vulnerability
All checks were successful
Build and Push Docker Image / build (push) Successful in 32s
Details
CI / npm audit (push) Successful in 49s
Details 
nodemon@2 depends on simple-update-notifier which depends on a
vulnerable range of semver (7.0.0-7.5.1, GHSA-c2qf-rxjj-qqgw).
Upgrading to nodemon@3 pulls in a clean dependency tree.
npm audit now reports 0 vulnerabilities.
 2026-05-16 17:11:24 +01:00
Gronod
b608fa0337 fix(security #12): add helmet security response headers 
Adds X-DNS-Prefetch-Control, X-Frame-Options, X-Content-Type-Options,
Referrer-Policy, X-XSS-Protection, HSTS (in prod) and others.
CSP disabled for now as the SPA uses inline scripts/styles; a
nonce/hash-based policy is a future hardening step.
 2026-05-16 16:23:47 +01:00
Gronod
1f41114482 fix(security #11): remove unused node-cron dependency 
node-cron was listed in dependencies but never imported anywhere in
the codebase. Removed via npm uninstall.
 2026-05-16 16:22:36 +01:00
Gronod
1eadb30481 fix(security #6): add rate limiting to POST /api/auth/login 
Uses express-rate-limit@6 (pinned for Node 12 dev compat; Node 18
in prod container is unaffected). Limits each IP to 10 attempts per
15-minute window. Returns 429 with a safe error message on breach.
 2026-05-16 16:18:34 +01:00
Gronod
f500f4db3b feat: fix download-to-user matching, add cover art to downloads 
- Fix seriesMap key (use Sonarr internal id, not tvdbId)
- Fix Sonarr tag resolution (use tag map like Radarr)
- Use sourceTitle for history record matching
- Fall back to embedded movie/series objects when API timeouts
- Add includeMovie/includeSeries params to queue/history API calls
- Add coverArt field to all download responses (TMDB poster URLs)
- Add cover art display to frontend download cards
- Fix user-summary route to use instance config and tag maps
 2026-05-15 14:54:21 +01:00