8 Commits

Author	SHA1	Message	Date
Gronod	da0898f52a	feat: native HTTPS support with bundled snakeoil default cert ... server/index.js: - Import http and https modules - Resolve TLS_ENABLED early (before Helmet) so upgradeInsecureRequests CSP directive fires when TLS is active directly (not only via proxy) - loadTlsCredentials() reads TLS_CERT/TLS_KEY (defaulting to bundled snakeoil) and returns null on failure (graceful HTTP fallback) - Start https.createServer or http.createServer depending on credentials - Startup banner now shows protocol, TLS cert path, and snakeoil warning certs/: - Add bundled snakeoil self-signed certificate (RSA 2048, 10yr, SAN for localhost + 127.0.0.1) for out-of-the-box HTTPS without configuration - .gitignore allows only snakeoil.{crt,key} — real certs must not be committed Dockerfile: - COPY certs/ into image so snakeoil default is always available - HEALTHCHECK updated to https:// with --no-check-certificate docker-compose.yaml: - Port now exposes HTTPS directly by default - TLS_CERT/TLS_KEY/TLS_ENABLED/TRUST_PROXY documented with Option A/B - cert volume mount examples added (commented out) - healthcheck updated to https with --no-check-certificate .env.sample: - New TLS/HTTPS section with TLS_ENABLED, TLS_CERT, TLS_KEY - openssl self-signed cert generation example included docs/ARCHITECTURE.md: - Configuration table: TLS_ENABLED, TLS_CERT, TLS_KEY env vars added - Docker image section: TLS default behaviour documented - Docker Compose example: Option A (direct TLS) / Option B (proxy) layout - Security checklist: HTTPS now first item, updated for TLS modes	2026-05-17 10:50:38 +01:00
Gronod	8c829f9651	docs: audit and update all documentation to reflect current codebase ... ARCHITECTURE.md: - Node version: 18+ → 22 (Alpine) - Tech stack: add helmet, express-rate-limit, cookie-parser, testing tools - Directory structure: add server/app.js, verifyCsrf.js, tokenStore.js, sanitizeError.js, tests/, docs/, .gitea/workflows/, vitest.config.js - §4.1: document app.js factory (createApp) vs index.js entry point; CSP nonce, rate limiters, CSRF middleware, trust proxy - §4.2: add CSRF Required column; document verifyCsrf; fix auth note - §4.3: add tokenStore.js and sanitizeError.js descriptions - §6 Auth flow: add rememberMe, rate limiter, stable DeviceId, server-side token store, CSRF token issuance, correct cookie TTL (session/30d not 24h) - §9 API: add csrfToken to login response, rememberMe field, 400/429 codes; add GET /api/auth/csrf endpoint; fix /me response; fix /logout CSRF note - §11 Config: add DATA_DIR, COOKIE_SECRET, TRUST_PROXY, NODE_ENV; split into Core / Emby / Service Instances / Tuning sections - §12 Deployment: update Dockerfile description to multi-stage node:22-alpine; add COOKIE_SECRET, TRUST_PROXY, named volume to compose example; add security hardening checklist; add CI/CD table diagrams/seq-auth.puml: - Add TokenStore participant - Add rememberMe, CSRF token issuance, stable DeviceId note - Add login rate limiter note - Add GET /csrf refresh flow - Add server-side token revocation on logout diagrams/class-server.puml: - Add app.js createApp() factory class - Add verifyCsrf middleware class - Add TokenStore and SanitizeError utility classes - Update auth.js routes (add GET /csrf) - Fix relationships: entry → appfn → routes diagrams/component.puml: - Add app.js factory component - Add helmet, express-rate-limit components - Add verifyCsrf middleware component - Add tokenStore.js and sanitizeError.js utility components - Fix wiring: entry → createApp() → mounts routes Dockerfile: - Fix stale comments referencing better-sqlite3 and SQLite server/routes/auth.js: - Fix stale comment: SQLite-backed → JSON file-backed	2026-05-17 08:05:08 +01:00
Gronod	37c1b64982	fix(docker): replace better-sqlite3 with pure-JS JSON token store ... better-sqlite3 is a native C++ addon that requires compilation on Alpine (musl libc, no pre-built binaries exist) and fails on Debian slim too because prebuild-install cannot detect the libc type correctly. Replace with a pure-JS JSON file token store (server/utils/tokenStore.js): - Atomic writes via temp file + rename (no corruption on crash) - Same API: storeToken/getToken/clearToken - TTL enforcement on read and hourly prune - Zero native code, zero build tools required Dockerfile: - Revert to node:22-alpine (was node:22-slim) - Remove build tools (python3/make/g++) — no longer needed - Restore wget HEALTHCHECK (available in Alpine busybox) docker-compose.yaml: restore wget healthcheck package.json: remove better-sqlite3 dependency	2026-05-17 07:13:56 +01:00
Gronod	49327cf9ae	fix(docker): switch alpine to node:22-slim for pre-built better-sqlite3 ... Alpine uses musl libc; better-sqlite3 has no pre-built musl binaries so it always compiles from source (installs 300 MB of gcc/g++/python3, takes 3-5 min). node:22-slim (Debian) has glibc so prebuild-install downloads a pre-built binary instead — build stays under 1 minute. Changes: - Both stages: node:22-alpine -> node:22-slim - deps stage: remove apk/build-tool installation (not needed) - runtime stage: remove apk libstdc++ install (present in debian-slim) - HEALTHCHECK: wget -> node built-in http (wget absent from debian-slim) - docker-compose.yaml: same healthcheck fix	2026-05-17 07:10:41 +01:00
Gronod	898ca9199b	fix(docker): compile better-sqlite3 native addon in build stage ... --ignore-scripts prevented the C++ addon from being compiled, causing a 'Could not locate bindings file' crash on startup. - deps stage: add python3/make/g++ build tools, remove --ignore-scripts - runtime stage: add libstdc++ so the compiled .node binary can load - build tools are discarded with the deps layer; runtime image stays lean	2026-05-17 07:03:06 +01:00
Gronod	bdbbcabfbc	feat(security): production hardening for external deployment ... Container (Dockerfile): - Multi-stage build (deps + runtime) for minimal attack surface - Upgrade base image from node:18-alpine to node:22-alpine - Run as non-root 'node' user (UID 1000); source files owned by root - /app/data directory owned by node for SQLite + logs - Docker HEALTHCHECK: wget /health every 30s docker-compose.yaml: - Port bound to 127.0.0.1 only (expose via reverse proxy) - read_only: true filesystem; /tmp tmpfs for Node.js - no-new-privileges:true, cap_drop: ALL - Named volume sofarr-data for persistent data - TRUST_PROXY, COOKIE_SECRET, NODE_ENV added Helmet v7 + CSP nonce: - Upgrade helmet@4 → helmet@7, express-rate-limit@6 → @7 - CSP with per-request nonce injected into index.html script/link tags (replaces blanket unsafe-inline; nonce changes every request) - HSTS: max-age=1yr, includeSubDomains, preload - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy: camera/mic/geolocation/payment/usb all off - index.html served dynamically with nonce injection; static assets served normally via express.static({index:false}) Trust proxy: - TRUST_PROXY env var configures app.set('trust proxy') so rate limiting and secure cookies work correctly behind Nginx/Caddy Session & auth: - Token store migrated from in-memory Map to SQLite via better-sqlite3 (server/utils/tokenStore.js): survives restarts, WAL mode, 31-day TTL - CSRF double-submit cookie pattern (server/middleware/verifyCsrf.js): POST/PUT/PATCH/DELETE on /api/* require X-CSRF-Token header matching the csrf_token cookie; timing-safe comparison - CSRF token issued on login + GET /api/auth/csrf; cleared on logout - Login input validation: username/password length + type checked before hitting Emby - skipSuccessfulRequests:true on login rate limiter (only count failures) - express.json({ limit: '64kb' }) to reject oversized payloads Rate limiting: - General API limiter: 300 req/15min per IP on all /api/* routes - Login limiter unchanged (10 failures/15min) but now only counts fails Logging: - Log file moved from /app/server.log to DATA_DIR/server.log (writable by non-root node user in container) - Size-based rotation: rotate at 10 MB, keep 3 files (server.log.1-3) - DATA_DIR defaults to ./data locally, /app/data in container Error handling: - Global Express error handler: catches unhandled errors, logs message, returns generic 500 (no stack traces to clients) Health/readiness: - GET /health: returns {status:'ok', uptime:N} — used by HEALTHCHECK - GET /ready: returns 503 if EMBY_URL not configured Error sanitization (sanitizeError.js): - Added patterns for password= params, bearer tokens, Basic auth in URLs Supply chain: - Remove unused cors dependency - add better-sqlite3@^9 - CI: upgrade to Node 22, raise audit level to --audit-level=high - .gitignore: add data/, *.db, *.db-wal, *.db-shm Docs: - SECURITY.md: threat model, hardening checklist, proxy examples, header table, rate limit table, Docker secrets guidance - .env.example + .env.sample: TRUST_PROXY, DATA_DIR documented	2026-05-17 06:47:25 +01:00
Gronod	a3dbe8b6c0	docs: add Docker deployment instructions and OCI labels ... - Add LABEL tags to Dockerfile (OCI standard + custom.hardware.requirement) - Add dynamic version/created labels in CI workflow - Add Docker deployment section to README with docker run, compose, and update instructions - Registry pull source: docker.i3omb.com/sofarr	2026-05-15 16:50:50 +01:00
Gronod	87f8c2d42b	ci: add Dockerfile and Gitea Actions workflow for automated image builds ... - Dockerfile based on node:18-alpine - Gitea Actions workflow triggers on push to release/* branches - Builds and pushes to Gitea container registry with version tags	2026-05-15 15:15:09 +01:00