fix(auth): harden session lifecycle, reset links, and OIDC logging

- Fix session store expiry: cookie.maxAge is already in milliseconds, so stored sessions outlived the cookie by 1000x - Regenerate the session ID on login, first-run setup, and OIDC login to prevent session fixation - Mark session cookies Secure on TLS connections (secure: 'auto') and add TRUST_PROXY support for reverse-proxy deployments - Build password reset links from APP_BASE_URL instead of the Host header to prevent reset-link poisoning - Rate-limit forgot-password requests (5 per IP per 15 minutes) - Strip OIDC debug logging that leaked authorization codes, subject IDs, and emails to logs
2026-06-11 21:54:35 -06:00
parent 427b064af1
commit 3fd3285c13
6 changed files with 109 additions and 84 deletions
@@ -14,6 +14,10 @@ services:
      - DB_PATH=/app/data/check-printing.db
      # Required in production — generate with: openssl rand -hex 32
      - SESSION_SECRET=${SESSION_SECRET}
+      # Public base URL for password reset links (recommended)
+      - APP_BASE_URL=${APP_BASE_URL:-}
+      # Set to 1 when behind a reverse proxy / TLS termination
+      - TRUST_PROXY=${TRUST_PROXY:-}
      # OIDC / SSO (optional — omit or leave blank to disable)
      - OIDC_ENABLED=${OIDC_ENABLED:-}
      - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-}