fix(auth): harden session lifecycle, reset links, and OIDC logging
- Fix session store expiry: cookie.maxAge is already in milliseconds, so stored sessions outlived the cookie by 1000x - Regenerate the session ID on login, first-run setup, and OIDC login to prevent session fixation - Mark session cookies Secure on TLS connections (secure: 'auto') and add TRUST_PROXY support for reverse-proxy deployments - Build password reset links from APP_BASE_URL instead of the Host header to prevent reset-link poisoning - Rate-limit forgot-password requests (5 per IP per 15 minutes) - Strip OIDC debug logging that leaked authorization codes, subject IDs, and emails to logs
This commit is contained in:
@@ -6,6 +6,14 @@ SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days)
|
||||
PORT=3000
|
||||
DB_PATH=/app/data/check-printing.db
|
||||
|
||||
# Public base URL of the app — used to build password reset links.
|
||||
# Strongly recommended in production (prevents host-header link poisoning).
|
||||
APP_BASE_URL=https://checks.example.com
|
||||
|
||||
# Set to 1 when running behind a reverse proxy (TLS termination) so client IPs
|
||||
# and HTTPS detection work correctly. Leave unset for direct LAN access.
|
||||
TRUST_PROXY=
|
||||
|
||||
# OIDC / SSO (optional — omit or leave blank to disable)
|
||||
OIDC_ENABLED=false
|
||||
OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
|
||||
|
||||
Reference in New Issue
Block a user