10 Commits

Author	SHA1	Message	Date
Gronod	c0dd93a1ab	feat: production hardening v1.2.0 ... Phase 1 - Licensing & Compliance: - Add MIT LICENSE file - Add copyright headers to server/index.js, poller.js, config.js, sanitizeError.js, and new loadSecrets.js Phase 2 - Security Hardening: - Add server/utils/loadSecrets.js: Docker secrets support via _FILE env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.) - Add SSRF/URL validation in config.js: validates all configured service instance URLs for scheme and well-formedness at startup - Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP connections, 10s force-exit fallback - Warn at startup if COOKIE_SECRET is shorter than 32 characters - Validate EMBY_URL scheme at startup - Improve sanitizeError: redact host:port from axios error URLs while preserving path/query for other redaction patterns Phase 3 - Config Robustness: - Weak COOKIE_SECRET warning (< 32 chars) - EMBY_URL validated via validateInstanceUrl on startup Phase 4 - Docker & Deployment: - .dockerignore: add tests/, coverage/, vitest.config.js, CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json - docker-compose.yaml: add commented Option B (Docker secrets _FILE pattern) alongside existing plain-env Option A Phase 5 - Docs & Release Readiness: - Add CHANGELOG.md with entries from v1.0.0 to v1.2.0 - Update SECURITY.md: supported versions table, fix Docker secrets note to reflect _FILE support now implemented - Add public/.well-known/security.txt for responsible disclosure - Bump version to 1.2.0	2026-05-17 19:40:07 +01:00
Gronod	5fd55b4e1a	test: add comprehensive test suite (115 tests, Vitest + supertest + nock) ... Framework: - Vitest v4 as test runner (fast ESM/CJS support, V8 coverage built-in) - supertest for integration tests against createApp() factory - nock for HTTP interception (works with CJS require('axios'), unlike vi.mock) New files: - vitest.config.js — test config: node env, isolate, V8 coverage, per-file thresholds - tests/setup.js — isolated DATA_DIR per worker, SKIP_RATE_LIMIT, console suppression - tests/README.md — approach, structure, design decisions - server/app.js — testable Express factory (extracted from index.js side-effects) Unit tests (91 tests): - tests/unit/sanitizeError.test.js — secret redaction: apikey, token, bearer, basic-auth URLs - tests/unit/config.test.js — JSON array + legacy single-instance config parsing - tests/unit/requireAuth.test.js — valid/invalid/tampered cookies, schema validation - tests/unit/verifyCsrf.test.js — double-submit pattern, timing-safe compare, safe methods - tests/unit/qbittorrent.test.js — formatBytes, formatEta, mapTorrentToDownload state map - tests/unit/tokenStore.test.js — store/get/clear lifecycle, TTL expiry, atomic disk write Integration tests (24 tests): - tests/integration/health.test.js — /health and /ready endpoints - tests/integration/auth.test.js — full login/logout/me/csrf flows, input validation, cookie attributes, no token leakage, Emby mock via nock Production code changes (minimal, no behaviour change): - server/routes/auth.js: EMBY_URL captured at request-time (not module load) for testability - server/routes/auth.js: loginLimiter max → Number.MAX_SAFE_INTEGER when SKIP_RATE_LIMIT set - server/utils/sanitizeError.js: fix HEADER_PATTERN to redact full line (not just first token) CI: - .gitea/workflows/ci.yml: add parallel 'test' job (npm run test:coverage, artifact upload) - package.json: add test/test:watch/test:coverage/test:ui scripts - .gitignore: add coverage/	2026-05-17 07:45:33 +01:00
Gronod	37c1b64982	fix(docker): replace better-sqlite3 with pure-JS JSON token store ... better-sqlite3 is a native C++ addon that requires compilation on Alpine (musl libc, no pre-built binaries exist) and fails on Debian slim too because prebuild-install cannot detect the libc type correctly. Replace with a pure-JS JSON file token store (server/utils/tokenStore.js): - Atomic writes via temp file + rename (no corruption on crash) - Same API: storeToken/getToken/clearToken - TTL enforcement on read and hourly prune - Zero native code, zero build tools required Dockerfile: - Revert to node:22-alpine (was node:22-slim) - Remove build tools (python3/make/g++) — no longer needed - Restore wget HEALTHCHECK (available in Alpine busybox) docker-compose.yaml: restore wget healthcheck package.json: remove better-sqlite3 dependency	2026-05-17 07:13:56 +01:00
Gronod	2522bb3514	fix: rebuild package-lock for Node 22; upgrade dev environment ... - Deleted stale Node 12 node_modules and package-lock.json; reinstalled with Node 22.22.2 (upgraded from system Node 12 via nodesource repo) - better-sqlite3 native module rebuilt for Node 22 - All deps resolve cleanly: 0 vulnerabilities	2026-05-17 07:00:32 +01:00
Gronod	bdbbcabfbc	feat(security): production hardening for external deployment ... Container (Dockerfile): - Multi-stage build (deps + runtime) for minimal attack surface - Upgrade base image from node:18-alpine to node:22-alpine - Run as non-root 'node' user (UID 1000); source files owned by root - /app/data directory owned by node for SQLite + logs - Docker HEALTHCHECK: wget /health every 30s docker-compose.yaml: - Port bound to 127.0.0.1 only (expose via reverse proxy) - read_only: true filesystem; /tmp tmpfs for Node.js - no-new-privileges:true, cap_drop: ALL - Named volume sofarr-data for persistent data - TRUST_PROXY, COOKIE_SECRET, NODE_ENV added Helmet v7 + CSP nonce: - Upgrade helmet@4 → helmet@7, express-rate-limit@6 → @7 - CSP with per-request nonce injected into index.html script/link tags (replaces blanket unsafe-inline; nonce changes every request) - HSTS: max-age=1yr, includeSubDomains, preload - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy: camera/mic/geolocation/payment/usb all off - index.html served dynamically with nonce injection; static assets served normally via express.static({index:false}) Trust proxy: - TRUST_PROXY env var configures app.set('trust proxy') so rate limiting and secure cookies work correctly behind Nginx/Caddy Session & auth: - Token store migrated from in-memory Map to SQLite via better-sqlite3 (server/utils/tokenStore.js): survives restarts, WAL mode, 31-day TTL - CSRF double-submit cookie pattern (server/middleware/verifyCsrf.js): POST/PUT/PATCH/DELETE on /api/* require X-CSRF-Token header matching the csrf_token cookie; timing-safe comparison - CSRF token issued on login + GET /api/auth/csrf; cleared on logout - Login input validation: username/password length + type checked before hitting Emby - skipSuccessfulRequests:true on login rate limiter (only count failures) - express.json({ limit: '64kb' }) to reject oversized payloads Rate limiting: - General API limiter: 300 req/15min per IP on all /api/* routes - Login limiter unchanged (10 failures/15min) but now only counts fails Logging: - Log file moved from /app/server.log to DATA_DIR/server.log (writable by non-root node user in container) - Size-based rotation: rotate at 10 MB, keep 3 files (server.log.1-3) - DATA_DIR defaults to ./data locally, /app/data in container Error handling: - Global Express error handler: catches unhandled errors, logs message, returns generic 500 (no stack traces to clients) Health/readiness: - GET /health: returns {status:'ok', uptime:N} — used by HEALTHCHECK - GET /ready: returns 503 if EMBY_URL not configured Error sanitization (sanitizeError.js): - Added patterns for password= params, bearer tokens, Basic auth in URLs Supply chain: - Remove unused cors dependency - add better-sqlite3@^9 - CI: upgrade to Node 22, raise audit level to --audit-level=high - .gitignore: add data/, *.db, *.db-wal, *.db-shm Docs: - SECURITY.md: threat model, hardening checklist, proxy examples, header table, rate limit table, Docker secrets guidance - .env.example + .env.sample: TRUST_PROXY, DATA_DIR documented	2026-05-17 06:47:25 +01:00
Gronod	031877e6a0	fix(ci): upgrade nodemon to ^3 to resolve semver ReDoS vulnerability ... nodemon@2 depends on simple-update-notifier which depends on a vulnerable range of semver (7.0.0-7.5.1, GHSA-c2qf-rxjj-qqgw). Upgrading to nodemon@3 pulls in a clean dependency tree. npm audit now reports 0 vulnerabilities.	2026-05-16 17:11:24 +01:00
Gronod	b608fa0337	fix(security #12): add helmet security response headers ... Adds X-DNS-Prefetch-Control, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection, HSTS (in prod) and others. CSP disabled for now as the SPA uses inline scripts/styles; a nonce/hash-based policy is a future hardening step.	2026-05-16 16:23:47 +01:00
Gronod	1f41114482	fix(security #11): remove unused node-cron dependency ... node-cron was listed in dependencies but never imported anywhere in the codebase. Removed via npm uninstall.	2026-05-16 16:22:36 +01:00
Gronod	1eadb30481	fix(security #6): add rate limiting to POST /api/auth/login ... Uses express-rate-limit@6 (pinned for Node 12 dev compat; Node 18 in prod container is unaffected). Limits each IP to 10 attempts per 15-minute window. Returns 429 with a safe error message on breach.	2026-05-16 16:18:34 +01:00
Gronod	f500f4db3b	feat: fix download-to-user matching, add cover art to downloads ... - Fix seriesMap key (use Sonarr internal id, not tvdbId) - Fix Sonarr tag resolution (use tag map like Radarr) - Use sourceTitle for history record matching - Fall back to embedded movie/series objects when API timeouts - Add includeMovie/includeSeries params to queue/history API calls - Add coverArt field to all download responses (TMDB poster URLs) - Add cover art display to frontend download cards - Fix user-summary route to use instance config and tag maps	2026-05-15 14:54:21 +01:00