Fix low-level security issues

Content-Security-Policy: add header with default-src 'self',
unsafe-inline for styles (needed for JS-generated inline style attrs),
and data: for embedded logo/signature images.

JSON body limit: reduce from 10mb to 2mb (logo cap is 512KB base64).

Session maxAge: now configurable via SESSION_MAX_AGE_HOURS env var
(default 168h / 7 days). Documented in .env.example.

Password strength: centralize validation in auth.js and raise the bar
to 10+ characters with at least one letter and one non-letter. Applied
consistently to all four password-setting paths (initial setup,
login change-password, admin create user, admin edit user).
2026-03-20 12:25:42 -06:00
parent 2939bfa608
commit bd3e66cd44
4 changed files with 28 additions and 6 deletions
+5 -2
@@ -5,6 +5,7 @@ const router = express.Router();
const bcrypt = require('bcryptjs');
const db = require('../db/database');
const { requireAuth, requireAdmin } = require('../middleware/auth');
const { validatePassword } = require('./auth');
// All /api/users routes require admin
router.use(requireAuth, requireAdmin);
@@ -30,7 +31,8 @@ router.post('/', async (req, res) => {
const { username, password, role, accounts } = req.body;
if (!username || !password) return res.status(400).json({ error: 'Username and password required.' });
if (!['admin', 'editor', 'viewer'].includes(role)) return res.status(400).json({ error: 'Invalid role.' });
if (password.length < 8) return res.status(400).json({ error: 'Password must be at least 8 characters.' });
const pwErr = validatePassword(password);
if (pwErr) return res.status(400).json({ error: pwErr });
const hash = await bcrypt.hash(password, 12);
@@ -80,7 +82,8 @@ router.put('/:id', async (req, res) => {
}
if (password) {
if (password.length < 8) return res.status(400).json({ error: 'Password must be at least 8 characters.' });
const pwErr = validatePassword(password);
if (pwErr) return res.status(400).json({ error: pwErr });
const hash = await bcrypt.hash(password, 12);
db.prepare("UPDATE users SET password_hash = ?, updated_at = datetime('now') WHERE id = ?")
.run(hash, req.params.id);
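Review bot: Both new call sites — `validatePassword(password)` in the POST handler (second hunk) and in the PUT /:id handler (third hunk) — hand `password` over without confirming it is a string; `!username || !password` only rejects falsy values and `if (password)` in the PUT path does the same, so a JSON body carrying a number, array or object passes the guard. What happens next depends on validatePassword, which lives in auth.js outside this section; if it does not reject non-strings, the value reaches `bcrypt.hash` unchecked rather than taking the 400 path the rest of the handler uses. A type guard in front of the call, `if (typeof password !== 'string') return res.status(400).json({ error: 'Password must be a string.' });`, or the equivalent check inside validatePassword itself, keeps rejection consistent across all four password-setting paths the commit message lists. Both handlers begin before their hunks, and the two lines after `const hash` in the second hunk are not visible here.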