chore: bump version to 0.5.0

Merge pull request #18 from snachodog/fix/qs-dos-advisory
fix(deps): force qs >= 6.15.2 to resolve DoS advisory
2026-06-11 22:56:20 -06:00 · 2026-06-11 22:30:50 -06:00 · 2026-06-11 22:29:52 -06:00 · 2026-06-11 22:25:30 -06:00 · 2026-06-11 22:03:56 -06:00 · 2026-06-11 21:57:39 -06:00
23 changed files with 661 additions and 175 deletions
@@ -0,0 +1,15 @@
+.git
+.github
+node_modules
+data
+*.db
+*.db-shm
+*.db-wal
+.env
+.env.*
+!.env.example
+*.log
+.claude
+CLAUDE.md
+TODO.md
+docker-compose.yml
@@ -6,6 +6,14 @@ SESSION_MAX_AGE_HOURS=168   # default: 168 (7 days)
 PORT=3000
 DB_PATH=/app/data/check-printing.db

+# Public base URL of the app — used to build password reset links.
+# Strongly recommended in production (prevents host-header link poisoning).
+APP_BASE_URL=https://checks.example.com
+
+# Set to 1 when running behind a reverse proxy (TLS termination) so client IPs
+# and HTTPS detection work correctly. Leave unset for direct LAN access.
+TRUST_PROXY=
+
 # OIDC / SSO (optional — omit or leave blank to disable)
 OIDC_ENABLED=false
 OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
@@ -0,0 +1,35 @@
+---
+name: Bug Report
+about: Report a bug in the system
+title: "[Bug]: "
+labels: bug
+assignees: ''
+---
+
+### Description
+
+A clear and concise description of the bug.
+
+### Steps to Reproduce
+
+1. Go to '...'
+2. Click on '...'
+3. See the error.
+
+### Expected Behavior
+
+Explain what you expected to happen.
+
+### Screenshots
+
+Add screenshots if applicable.
+
+### Environment
+
+- OS: [e.g., Windows, macOS, Linux]
+- Browser: [e.g., Chrome, Firefox]
+- Version: [e.g., 1.0.0]
+
+### Additional Context
+
+Add any other context about the problem here.
@@ -0,0 +1,22 @@
+blank_issues_enabled: false
+issue_templates:
+  - name: "Bug Report"
+    description: "Report a bug in the system."
+    title: "[Bug]: "
+    labels: ["bug"]
+    body: "./ISSUE_TEMPLATE/bug_report.md"
+  - name: "Feature Request"
+    description: "Propose a new feature or improvement."
+    title: "[Feature]: "
+    labels: ["enhancement"]
+    body: "./ISSUE_TEMPLATE/feature_request.md"
+  - name: "Documentation"
+    description: "Suggest updates or additions to the documentation."
+    title: "[Docs]: "
+    labels: ["documentation"]
+    body: "./ISSUE_TEMPLATE/documentation.md"
+  - name: "General Report"
+    description: "Provide general feedback or inquiries."
+    title: "[General]: "
+    labels: ["general"]
+    body: "./ISSUE_TEMPLATE/general_report.md"
@@ -0,0 +1,23 @@
+--
+name: Documentation
+about: Suggest updates or additions to documentation
+title: "[Docs]: "
+labels: documentation
+assignees: ''
+---
+
+### Documentation Update
+
+What part of the documentation needs to be updated or added?
+
+### Why Is This Needed?
+
+Explain the importance of this update.
+
+### Suggested Changes
+
+Provide a detailed description of the changes.
+
+### Additional Context
+
+Include any related resources.
@@ -0,0 +1,23 @@
+---
+name: Feature Request
+about: Suggest a new feature or improvement
+title: "[Feature]: "
+labels: enhancement
+assignees: ''
+---
+
+### Feature Description
+
+What feature would you like to see?
+
+### Why Is This Needed?
+
+Explain the problem or need for this feature.
+
+### Suggested Solutions
+
+Describe how this feature could be implemented.
+
+### Additional Context
+
+Add any relevant screenshots, links, or resources.
@@ -0,0 +1,15 @@
+---
+name: General Report
+about: Provide general feedback or inquiries
+title: "[General]: "
+labels: general
+assignees: ''
+---
+
+### Feedback or Inquiry
+
+Provide your feedback or inquiry.
+
+### Additional Information
+
+Add any other relevant details here.
@@ -46,6 +46,17 @@ docker compose up -d

 4. Use the setup wizard to configure your first checking account (organization info, bank info, routing/account numbers), or import an existing ezCheckPrinting `.mdb` file.

+#### Upgrading from images before v0.5
+
+The container now runs as the unprivileged `node` user (UID 1000). Existing data
+volumes were written as root, so fix ownership once before upgrading:
+
+```bash
+docker compose down
+docker run --rm -v check-printing-data:/data alpine chown -R 1000:1000 /data
+docker compose up -d
+```
+
 ### Development (local)

 ```bash
@@ -162,6 +173,8 @@ docker exec -it check-printing node migrations/import-mdb.js \
 | `SESSION_MAX_AGE_HOURS` | `168` | Session lifetime in hours (default 7 days) |
 | `PORT` | `3000` | HTTP listen port |
 | `DB_PATH` | `/app/data/check-printing.db` | SQLite database file path |
+| `APP_BASE_URL` | *(empty)* | Public base URL used in password reset links, e.g. `https://checks.example.com`. Recommended in production |
+| `TRUST_PROXY` | *(empty)* | Set to `1` when running behind a reverse proxy so client IPs and HTTPS detection work correctly |
 | `OIDC_ENABLED` | *(empty)* | Set to `true` or `1` to enable OIDC login |
 | `OIDC_DISCOVERY_URL` | *(empty)* | Provider's `.well-known/openid-configuration` URL |
 | `OIDC_CLIENT_ID` | *(empty)* | OIDC client ID |
@@ -185,6 +198,9 @@ services:
      - check-printing-data:/app/data
    environment:
      - SESSION_SECRET=${SESSION_SECRET}
+      # Optional: public base URL for reset links, reverse-proxy support
+      - APP_BASE_URL=${APP_BASE_URL:-}
+      - TRUST_PROXY=${TRUST_PROXY:-}
      # Optional: OIDC / SSO
      - OIDC_ENABLED=${OIDC_ENABLED:-}
      - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-}
@@ -14,6 +14,10 @@ services:
      - DB_PATH=/app/data/check-printing.db
      # Required in production — generate with: openssl rand -hex 32
      - SESSION_SECRET=${SESSION_SECRET}
+      # Public base URL for password reset links (recommended)
+      - APP_BASE_URL=${APP_BASE_URL:-}
+      # Set to 1 when behind a reverse proxy / TLS termination
+      - TRUST_PROXY=${TRUST_PROXY:-}
      # OIDC / SSO (optional — omit or leave blank to disable)
      - OIDC_ENABLED=${OIDC_ENABLED:-}
      - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-}
@@ -1,5 +1,7 @@
 FROM node:20-slim

+ENV NODE_ENV=production
+
 # mdbtools for migration script (only needed on first run, stays in image for convenience)
 RUN apt-get update && apt-get install -y --no-install-recommends mdbtools && rm -rf /var/lib/apt/lists/*

@@ -10,9 +12,13 @@ RUN npm ci --omit=dev

 COPY . .

-# Data volume: SQLite database and any runtime uploads
+# Data volume: SQLite database and any runtime uploads.
+# Pre-create it owned by the unprivileged user so named volumes inherit ownership.
+RUN mkdir -p /app/data && chown -R node:node /app
 VOLUME ["/app/data"]

+USER node
+
 EXPOSE 3000

 CMD ["node", "src/app.js"]
@@ -1,12 +1,12 @@
 {
  "name": "ezcheck",
-  "version": "0.4.5",
+  "version": "0.5.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "ezcheck",
-      "version": "0.4.5",
+      "version": "0.5.0",
      "dependencies": {
        "bcryptjs": "^3.0.3",
        "better-sqlite3": "^9.4.3",
@@ -1915,9 +1915,9 @@
      }
    },
    "node_modules/qs": {
-      "version": "6.14.2",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
-      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
+      "version": "6.15.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
+      "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==",
      "license": "BSD-3-Clause",
      "dependencies": {
        "side-channel": "^1.1.0"
@@ -1,6 +1,6 @@
 {
  "name": "ezcheck",
-  "version": "0.4.5",
+  "version": "0.5.0",
  "description": "Self-hosted check printing web app",
  "main": "src/app.js",
  "scripts": {
@@ -21,6 +21,9 @@
  "devDependencies": {
    "nodemon": "^3.1.0"
  },
+  "overrides": {
+    "qs": "^6.15.2"
+  },
  "engines": {
    "node": ">=20"
  }
@@ -679,7 +679,7 @@ input[type="file"] {
  right: 0;
  width: 560px;
  max-width: 98vw;
-  height: 100vh;
+  height: 100dvh;
  background: var(--surface);
  z-index: 101;
  box-shadow: -4px 0 24px rgba(0,0,0,0.15);
@@ -687,7 +687,7 @@ input[type="file"] {
  transition: transform 0.2s ease;
  display: flex;
  flex-direction: column;
-  overflow-y: auto;
+  overflow: hidden;
 }
 #deposit-panel.open { transform: translateX(0); }

@@ -697,6 +697,8 @@ input[type="file"] {
  flex-direction: column;
  gap: 14px;
  flex: 1;
+  overflow-y: auto;
+  min-height: 0;
 }

 .dep-summary {
@@ -886,7 +886,8 @@
          </div>
        </div>
        <div id="layout-save-status" style="font-size:11px;color:var(--text-muted);min-width:56px"></div>
-        <div style="margin-left:auto">
+        <div style="margin-left:auto;display:flex;gap:8px;align-items:center">
+          <button id="btn-layout-preview" class="btn-secondary btn-sm">⎙ Preview PDF</button>
          <button id="btn-layout-reset" class="btn-secondary btn-sm" data-admin-only>↺ Reset to Default</button>
        </div>
      </div>
@@ -780,6 +780,18 @@ async function deleteCheck(id) {
  }
 }

+// Firefox on iOS blocks window.open(blob:) in a new tab; use a temporary <a download> instead.
+function openPdfBlob(blob, filename) {
+  const url = URL.createObjectURL(blob);
+  const a = document.createElement('a');
+  a.href = url;
+  a.download = filename;
+  document.body.appendChild(a);
+  a.click();
+  document.body.removeChild(a);
+  setTimeout(() => URL.revokeObjectURL(url), 10000);
+}
+
 async function generatePdf() {
  const ids = [...state.selected];
  if (ids.length === 0) return;
@@ -801,7 +813,7 @@ async function generatePdf() {
      throw new Error(err.error || res.statusText);
    }
    const blob = await res.blob();
-    window.open(URL.createObjectURL(blob), '_blank');
+    openPdfBlob(blob, 'checks.pdf');
    await loadChecks(); // refresh to show printed status
  } catch (err) {
    countSpan.textContent = savedCount;
@@ -1430,14 +1442,18 @@ async function openDepositPanel(id = null) {
      document.getElementById('dep-coin').value     = dep.coin      || '';
      document.getElementById('dep-cashback').value = dep.cash_back || '';
      depState.items = (dep.items || []).map(it => ({ ...it }));
+      while (depState.items.length < 30) depState.items.push(newDepItem());
    } catch (err) {
      alert('Error loading deposit: ' + err.message);
      return;
    }
  } else {
-    depState.items = [newDepItem()];
+    depState.items = [];
  }

+  // Always start with at least 30 slots (one full deposit slip page)
+  while (depState.items.length < 30) depState.items.push(newDepItem());
+
  renderDepItems();
  recalcDepTotals();

@@ -1463,6 +1479,13 @@ function newDepItem() {
 }

 function renderDepItems() {
+  const addBtn = document.getElementById('btn-add-dep-item');
+  if (addBtn) {
+    const count = depState.items.length;
+    addBtn.hidden   = count >= 60;  // hide once back page rows are added
+    addBtn.disabled = count >= 60;
+    addBtn.textContent = 'Add Back Page Rows';
+  }
  const tbody = document.getElementById('dep-items-tbody');
  tbody.innerHTML = depState.items.map((item, i) => `
    <tr data-idx="${i}">
@@ -1485,6 +1508,8 @@ function renderDepItems() {
  tbody.querySelectorAll('.dep-item-remove').forEach(btn => {
    btn.addEventListener('click', () => {
      depState.items.splice(parseInt(btn.dataset.idx, 10), 1);
+      // Maintain 30-slot minimum (one full slip page)
+      while (depState.items.length < 30) depState.items.push(newDepItem());
      renderDepItems();
      recalcDepTotals();
    });
@@ -1595,7 +1620,7 @@ async function generateDepositPdf(type) {
      throw new Error(err.error || res.statusText);
    }
    const blob = await res.blob();
-    window.open(URL.createObjectURL(blob), '_blank');
+    openPdfBlob(blob, type === 'slip' ? 'deposit-slip.pdf' : 'deposit-report.pdf');
    if (type === 'slip') await loadDeposits();
  } catch (err) {
    alert('PDF error: ' + err.message);
@@ -1888,7 +1913,7 @@ async function init() {
  document.getElementById('dep-panel-overlay').addEventListener('click', closeDepositPanel);
  document.getElementById('btn-save-deposit').addEventListener('click', saveDeposit);
  document.getElementById('btn-add-dep-item').addEventListener('click', () => {
-    depState.items.push(newDepItem());
+    while (depState.items.length < 60) depState.items.push(newDepItem());
    renderDepItems();
  });
  document.getElementById('btn-dep-slip').addEventListener('click',   () => generateDepositPdf('slip'));
@@ -1982,6 +2007,7 @@ async function init() {
  document.getElementById('nudge-left').addEventListener('click',  () => nudgeLayoutField(-1,  0));
  document.getElementById('nudge-right').addEventListener('click', () => nudgeLayoutField( 1,  0));
  document.getElementById('btn-layout-reset').addEventListener('click', resetLayoutToDefault);
+  document.getElementById('btn-layout-preview').addEventListener('click', previewLayoutPdf);

  // Initial auth check → loads app if already signed in
  const authed = await checkAuth();
@@ -2431,6 +2457,31 @@ async function saveLayoutField(f) {
  }
 }

+async function previewLayoutPdf() {
+  const btn = document.getElementById('btn-layout-preview');
+  const orig = btn.textContent;
+  btn.disabled = true;
+  btn.textContent = '…';
+  try {
+    const res = await fetch('/api/pdf/preview', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ account_id: state.activeAccountId }),
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({ error: res.statusText }));
+      throw new Error(err.error || res.statusText);
+    }
+    const blob = await res.blob();
+    openPdfBlob(blob, 'layout-preview.pdf');
+  } catch (err) {
+    alert('Preview error: ' + err.message);
+  } finally {
+    btn.disabled = false;
+    btn.textContent = orig;
+  }
+}
+
 async function resetLayoutToDefault() {
  if (!confirm('Reset all layout fields to default positions? This cannot be undone.')) return;
  try {
@@ -4,7 +4,6 @@ const express   = require('express');
 const path      = require('path');
 const fs        = require('fs');
 const os        = require('os');
-const crypto    = require('crypto');
 const { execFileSync } = require('child_process');
 const multer    = require('multer');
 const session   = require('express-session');
@@ -14,7 +13,14 @@ const { seedLayoutFields } = require('./db/database');
 const { requireAuth, requireAdmin, canAccessAccount, isEditorForAccount } = require('./middleware/auth');

 const app    = express();
-const upload = multer({ dest: os.tmpdir() });
+app.disable('x-powered-by');
+const upload = multer({ dest: os.tmpdir(), limits: { fileSize: 50 * 1024 * 1024 } });
+
+// US ABA routing numbers are exactly 9 digits (spaces/dashes tolerated on input)
+function normalizeRoutingNumber(value) {
+  const digits = String(value || '').replace(/[\s-]/g, '');
+  return /^\d{9}$/.test(digits) ? digits : null;
+}

 // ── Session store (SQLite-backed, no extra packages) ──────────────────────────
 const SessionStore = require('./lib/SessionStore');
@@ -27,12 +33,20 @@ const SESSION_SECRET = process.env.SESSION_SECRET;

 const SESSION_MAX_AGE_MS = (parseInt(process.env.SESSION_MAX_AGE_HOURS, 10) || 168) * 60 * 60 * 1000;

+// Behind a reverse proxy (TLS termination), set TRUST_PROXY=1 so req.ip and
+// req.protocol reflect the original client instead of the proxy.
+if (process.env.TRUST_PROXY === '1' || process.env.TRUST_PROXY === 'true') {
+  app.set('trust proxy', 1);
+}
+
 app.use(session({
  store: new SessionStore(db),
  secret: SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
-  cookie: { httpOnly: true, sameSite: 'strict', maxAge: SESSION_MAX_AGE_MS },
+  // secure: 'auto' marks the cookie Secure only on TLS connections, so plain-HTTP
+  // LAN deployments keep working while proxied HTTPS deployments get Secure cookies
+  cookie: { httpOnly: true, sameSite: 'strict', secure: 'auto', maxAge: SESSION_MAX_AGE_MS },
 }));

 // Security headers
@@ -112,6 +126,10 @@ app.put('/api/account/:id', requireAdmin, (req, res) => {
  if (!company1 || !routing_number || !account_number) {
    return res.status(400).json({ error: 'Organization name, routing number, and account number are required.' });
  }
+  const normalizedRouting = normalizeRoutingNumber(routing_number);
+  if (!normalizedRouting) {
+    return res.status(400).json({ error: 'Routing number must be exactly 9 digits.' });
+  }
  const MAX_IMAGE_BYTES = 512 * 1024; // 512 KB base64 limit
  if (logo_data && Buffer.byteLength(logo_data, 'utf8') > MAX_IMAGE_BYTES) {
    return res.status(400).json({ error: 'Logo image must be smaller than 512 KB.' });
@@ -133,7 +151,7 @@ app.put('/api/account/:id', requireAdmin, (req, res) => {
  `).run(
    company1 || null, company2 || null, company3 || null, company4 || null,
    bank_name || '', bank_info1 || null, bank_info2 || null, bank_info3 || null, transit_code || null,
-    routing_number, account_number,
+    normalizedRouting, account_number,
    parseFloat(offset_left) || 0, parseFloat(offset_right) || 0,
    parseFloat(offset_up) || 0, parseFloat(offset_down) || 0,
    second_signature ? 1 : 0, resolvedPosition,
@@ -206,6 +224,10 @@ app.post('/api/account/setup', requireAdmin, (req, res) => {
  if (!company1 || !routing_number || !account_number || !start_check_no) {
    return res.status(400).json({ error: 'Organization name, routing number, account number, and starting check number are required.' });
  }
+  const normalizedRouting = normalizeRoutingNumber(routing_number);
+  if (!normalizedRouting) {
+    return res.status(400).json({ error: 'Routing number must be exactly 9 digits.' });
+  }
  const checkNo = parseInt(start_check_no, 10);
  if (isNaN(checkNo) || checkNo < 1) {
    return res.status(400).json({ error: 'Starting check number must be a positive integer.' });
@@ -226,7 +248,7 @@ app.post('/api/account/setup', requireAdmin, (req, res) => {
    bank_info1:       bank_info1 || null,
    bank_info2:       bank_info2 || null,
    transit_code:     transit_code || null,
-    routing_number,
+    routing_number:   normalizedRouting,
    account_number,
    start_check_no:   checkNo,
    current_check_no: checkNo,
@@ -304,6 +326,22 @@ app.get('*', (req, res) => {
  res.sendFile(path.join(__dirname, '../public/index.html'));
 });

+// JSON error handler — keeps stack traces out of responses
+// eslint-disable-next-line no-unused-vars
+app.use((err, req, res, next) => {
+  if (err.code === 'LIMIT_FILE_SIZE') {
+    return res.status(413).json({ error: 'Uploaded file is too large.' });
+  }
+  if (err.type === 'entity.too.large') {
+    return res.status(413).json({ error: 'Request body is too large.' });
+  }
+  if (err.type === 'entity.parse.failed') {
+    return res.status(400).json({ error: 'Invalid JSON in request body.' });
+  }
+  console.error('[error]', err);
+  res.status(500).json({ error: 'Internal server error.' });
+});
+
 const PORT = process.env.PORT || 3000;
 app.listen(PORT, () => {
  console.log(`ezcheck running on http://localhost:${PORT}`);
@@ -7,16 +7,20 @@ const { Store } = require('express-session');
 class SessionStore extends Store {
  constructor(db) {
    super();
-    this.db = db;
+    // Prepared once — get/set run on every request
+    this.getStmt   = db.prepare('SELECT sess, expired FROM sessions WHERE sid = ?');
+    this.setStmt   = db.prepare('INSERT OR REPLACE INTO sessions (sid, sess, expired) VALUES (?, ?, ?)');
+    this.delStmt   = db.prepare('DELETE FROM sessions WHERE sid = ?');
+    this.purgeStmt = db.prepare('DELETE FROM sessions WHERE expired < ?');
    // Purge expired sessions every 10 minutes
    setInterval(() => {
-      try { db.prepare('DELETE FROM sessions WHERE expired < ?').run(Date.now()); } catch (_) {}
+      try { this.purgeStmt.run(Date.now()); } catch (_) {}
    }, 10 * 60 * 1000).unref();
  }

  get(sid, cb) {
    try {
-      const row = this.db.prepare('SELECT sess, expired FROM sessions WHERE sid = ?').get(sid);
+      const row = this.getStmt.get(sid);
      if (!row) return cb(null, null);
      if (Date.now() > row.expired) {
        this.destroy(sid, () => {});
@@ -28,20 +32,19 @@ class SessionStore extends Store {

  set(sid, sess, cb) {
    try {
+      // cookie.maxAge is already in milliseconds
      const maxAge = (sess.cookie && sess.cookie.maxAge)
-        ? sess.cookie.maxAge * 1000
+        ? sess.cookie.maxAge
        : 7 * 24 * 60 * 60 * 1000;
      const expired = Date.now() + maxAge;
-      this.db.prepare(
-        'INSERT OR REPLACE INTO sessions (sid, sess, expired) VALUES (?, ?, ?)'
-      ).run(sid, JSON.stringify(sess), expired);
+      this.setStmt.run(sid, JSON.stringify(sess), expired);
      cb(null);
    } catch (e) { cb(e); }
  }

  destroy(sid, cb) {
    try {
-      this.db.prepare('DELETE FROM sessions WHERE sid = ?').run(sid);
+      this.delStmt.run(sid);
      cb(null);
    } catch (e) { cb(e); }
  }
@@ -2,6 +2,11 @@

 const db = require('../db/database');

+// Prepared once — this lookup runs on nearly every authenticated request
+const accountRoleStmt = db.prepare(
+  'SELECT role FROM user_accounts WHERE user_id = ? AND account_id = ?'
+);
+
 function requireAuth(req, res, next) {
  if (!req.session || !req.session.userId) {
    return res.status(401).json({ error: 'Not authenticated.' });
@@ -28,10 +33,7 @@ function requireEditor(req, res, next) {
 function canAccessAccount(session, accountId) {
  if (!session || !session.userId) return false;
  if (session.role === 'admin') return true;
-  const row = db.prepare(
-    'SELECT 1 FROM user_accounts WHERE user_id = ? AND account_id = ?'
-  ).get(session.userId, accountId);
-  return !!row;
+  return !!accountRoleStmt.get(session.userId, accountId);
 }

 // Returns true if the user has editor (write) access to the given account.
@@ -39,9 +41,7 @@ function canAccessAccount(session, accountId) {
 function isEditorForAccount(session, accountId) {
  if (!session || !session.userId) return false;
  if (session.role === 'admin') return true;
-  const row = db.prepare(
-    "SELECT role FROM user_accounts WHERE user_id = ? AND account_id = ?"
-  ).get(session.userId, accountId);
+  const row = accountRoleStmt.get(session.userId, accountId);
  return !!(row && row.role === 'editor');
 }

@@ -15,45 +15,57 @@ function validatePassword(password) {
  return null;
 }

-// ── Login rate limiter ────────────────────────────────────────────────────────
-// Tracks failed login attempts per IP. After 10 failures within 15 minutes,
+// ── Rate limiting ─────────────────────────────────────────────────────────────
+// Sliding-window counter per key (IP). After `max` hits within `windowMs`,
 // further attempts are blocked until the window resets.
-const loginAttempts = new Map(); // ip -> { count, resetAt }
-const RATE_WINDOW_MS  = 15 * 60 * 1000; // 15 minutes
-const RATE_MAX_FAILS  = 10;
-
-function checkLoginRate(ip) {
-  const now  = Date.now();
-  const entry = loginAttempts.get(ip);
-  if (!entry || now > entry.resetAt) {
-    loginAttempts.set(ip, { count: 0, resetAt: now + RATE_WINDOW_MS });
-    return true; // allow
-  }
-  return entry.count < RATE_MAX_FAILS;
-}
-
-function recordLoginFailure(ip) {
-  const now   = Date.now();
-  const entry = loginAttempts.get(ip);
-  if (!entry || now > entry.resetAt) {
-    loginAttempts.set(ip, { count: 1, resetAt: now + RATE_WINDOW_MS });
-  } else {
-    entry.count++;
-  }
-}
-
-function clearLoginFailures(ip) {
-  loginAttempts.delete(ip);
-}
+function makeRateLimiter(max, windowMs) {
+  const attempts = new Map(); // key -> { count, resetAt }

  // Purge stale entries every 30 minutes to prevent unbounded memory growth
  setInterval(() => {
    const now = Date.now();
-  for (const [ip, entry] of loginAttempts) {
-    if (now > entry.resetAt) loginAttempts.delete(ip);
+    for (const [key, entry] of attempts) {
+      if (now > entry.resetAt) attempts.delete(key);
    }
  }, 30 * 60 * 1000).unref();

+  return {
+    allowed(key) {
+      const entry = attempts.get(key);
+      if (!entry || Date.now() > entry.resetAt) return true;
+      return entry.count < max;
+    },
+    record(key) {
+      const now   = Date.now();
+      const entry = attempts.get(key);
+      if (!entry || now > entry.resetAt) {
+        attempts.set(key, { count: 1, resetAt: now + windowMs });
+      } else {
+        entry.count++;
+      }
+    },
+    clear(key) {
+      attempts.delete(key);
+    },
+  };
+}
+
+// 10 failed logins per IP per 15 minutes
+const loginLimiter = makeRateLimiter(10, 15 * 60 * 1000);
+// 5 reset emails per IP per 15 minutes (counts every request, success or not)
+const resetLimiter = makeRateLimiter(5, 15 * 60 * 1000);
+
+// Regenerates the session ID before establishing a login (prevents session fixation)
+function establishSession(req, user, cb) {
+  req.session.regenerate(err => {
+    if (err) return cb(err);
+    req.session.userId   = user.id;
+    req.session.username = user.username;
+    req.session.role     = user.role;
+    cb(null);
+  });
+}
+
 // GET /api/auth/setup-needed — true when no users exist (first-run)
 router.get('/setup-needed', (req, res) => {
  const { n } = db.prepare('SELECT COUNT(*) AS n FROM users').get();
@@ -75,18 +87,18 @@ router.post('/setup', async (req, res) => {
    "INSERT INTO users (username, password_hash, role) VALUES (?, ?, 'admin')"
  ).run(username.trim(), hash);

-  req.session.userId   = result.lastInsertRowid;
-  req.session.username = username.trim();
-  req.session.role     = 'admin';
-
-  res.status(201).json({ id: result.lastInsertRowid, username: username.trim(), role: 'admin' });
+  const user = { id: result.lastInsertRowid, username: username.trim(), role: 'admin' };
+  establishSession(req, user, err => {
+    if (err) return res.status(500).json({ error: 'Failed to create session.' });
+    res.status(201).json(user);
+  });
 });

 // POST /api/auth/login
 router.post('/login', async (req, res) => {
  const ip = req.ip || req.socket.remoteAddress || 'unknown';

-  if (!checkLoginRate(ip)) {
+  if (!loginLimiter.allowed(ip)) {
    return res.status(429).json({ error: 'Too many failed login attempts. Please try again later.' });
  }

@@ -95,23 +107,22 @@ router.post('/login', async (req, res) => {

  const user = db.prepare('SELECT * FROM users WHERE username = ? COLLATE NOCASE').get(username.trim());
  if (!user) {
-    recordLoginFailure(ip);
+    loginLimiter.record(ip);
    return res.status(401).json({ error: 'Invalid username or password.' });
  }

  const match = await bcrypt.compare(password, user.password_hash);
  if (!match) {
-    recordLoginFailure(ip);
+    loginLimiter.record(ip);
    return res.status(401).json({ error: 'Invalid username or password.' });
  }

-  clearLoginFailures(ip);
-  req.session.userId   = user.id;
-  req.session.username = user.username;
-  req.session.role     = user.role;
-
+  loginLimiter.clear(ip);
+  establishSession(req, user, err => {
+    if (err) return res.status(500).json({ error: 'Failed to create session.' });
    res.json({ id: user.id, username: user.username, role: user.role });
  });
+});

 // POST /api/auth/logout
 router.post('/logout', (req, res) => {
@@ -154,6 +165,12 @@ router.post('/change-password', async (req, res) => {

 // POST /api/auth/forgot-password — always 200 to avoid user enumeration
 router.post('/forgot-password', async (req, res) => {
+  const ip = req.ip || req.socket.remoteAddress || 'unknown';
+  if (!resetLimiter.allowed(ip)) {
+    return res.status(429).json({ error: 'Too many reset requests. Please try again later.' });
+  }
+  resetLimiter.record(ip);
+
  const { email } = req.body;
  if (!email) return res.status(400).json({ error: 'Email is required.' });

@@ -168,7 +185,9 @@ router.post('/forgot-password', async (req, res) => {
      db.prepare('INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)').run(user.id, tokenHash, expiresAt);
    })();

-    const baseUrl   = `${req.protocol}://${req.get('host')}`;
+    // Prefer the configured base URL; deriving it from the Host header lets an
+    // attacker poison reset links (host header injection)
+    const baseUrl   = (process.env.APP_BASE_URL || `${req.protocol}://${req.get('host')}`).replace(/\/+$/, '');
    const resetLink = `${baseUrl}/#reset?token=${token}`;

    try {
@@ -221,17 +240,13 @@ function getOidcSettings() {

 async function getOidcClient(settings) {
  const { Issuer } = require('openid-client');
-  console.log('[oidc] discovering issuer from:', settings.discovery_url);
  const issuer = await Issuer.discover(settings.discovery_url);
-  console.log('[oidc] discovered issuer:', issuer.issuer);
-  const client = new issuer.Client({
+  return new issuer.Client({
    client_id:     settings.client_id,
    client_secret: settings.client_secret,
    redirect_uris: [settings.redirect_uri],
    response_types: ['code'],
  });
-  console.log('[oidc] client created, redirect_uri:', settings.redirect_uri);
-  return client;
 }

 // GET /api/auth/oidc/config — public, returns whether OIDC is enabled + button label
@@ -244,8 +259,6 @@ router.get('/oidc/config', (req, res) => {
 router.get('/oidc/authorize', async (req, res) => {
  try {
    const settings = getOidcSettings();
-    console.log('[oidc] authorize: enabled=%s, discovery_url=%s, client_id=%s, redirect_uri=%s',
-      settings.enabled, settings.discovery_url, settings.client_id, settings.redirect_uri);
    if (!settings.enabled) return res.status(400).json({ error: 'OIDC is not enabled.' });

    const { generators } = require('openid-client');
@@ -266,11 +279,10 @@ router.get('/oidc/authorize', async (req, res) => {
      code_challenge_method: 'S256',
    });

-    console.log('[oidc] authorize: redirecting to:', authUrl.substring(0, 200) + '...');
    // Ensure session is persisted before redirecting (saveUninitialized is false)
    req.session.save(() => res.redirect(authUrl));
  } catch (err) {
-    console.error('[oidc] authorize error:', err.message, err.stack);
+    console.error('[oidc] authorize error:', err.message);
    res.redirect('/#oidc-error=' + encodeURIComponent('Failed to initiate SSO login.'));
  }
 });
@@ -278,7 +290,6 @@ router.get('/oidc/authorize', async (req, res) => {
 // GET /api/auth/oidc/callback — handles the provider redirect
 router.get('/oidc/callback', async (req, res) => {
  try {
-    console.log('[oidc] callback: query params:', JSON.stringify(req.query));
    const settings = getOidcSettings();
    if (!settings.enabled) return res.redirect('/#oidc-error=' + encodeURIComponent('OIDC is not enabled.'));

@@ -287,12 +298,9 @@ router.get('/oidc/callback', async (req, res) => {
      console.error('[oidc] callback: no oidc session data found — session may have expired or cookie lost');
      return res.redirect('/#oidc-error=' + encodeURIComponent('Session expired. Please try again.'));
    }
-    console.log('[oidc] callback: session has oidc data, linking=%s, linkUserId=%s',
-      !!oidcSession.linking, oidcSession.linkUserId || 'n/a');

    const client = await getOidcClient(settings);
    const params = client.callbackParams(req);
-    console.log('[oidc] callback: exchanging code for tokens...');

    const tokenSet = await client.callback(settings.redirect_uri, params, {
      code_verifier: oidcSession.code_verifier,
@@ -303,25 +311,21 @@ router.get('/oidc/callback', async (req, res) => {
    const claims = tokenSet.claims();
    const sub    = claims.sub;
    const issuer = claims.iss;
-    console.log('[oidc] callback: token exchange OK, sub=%s, iss=%s, email=%s, name=%s',
-      sub, issuer, claims.email || 'n/a', claims.name || 'n/a');

    delete req.session.oidc;

    // Self-service linking flow
    if (oidcSession.linking && oidcSession.linkUserId) {
-      console.log('[oidc] callback: linking flow for userId=%s', oidcSession.linkUserId);
      const existing = db.prepare(
        'SELECT id FROM users WHERE oidc_issuer = ? AND oidc_sub = ? AND id != ?'
      ).get(issuer, sub, oidcSession.linkUserId);
      if (existing) {
-        console.warn('[oidc] callback: identity already linked to userId=%s', existing.id);
        return res.redirect('/#oidc-error=' + encodeURIComponent('This identity is already linked to another account.'));
      }

      db.prepare("UPDATE users SET oidc_sub = ?, oidc_issuer = ?, updated_at = datetime('now') WHERE id = ?")
        .run(sub, issuer, oidcSession.linkUserId);
-      console.log('[oidc] callback: linked sub=%s to userId=%s', sub, oidcSession.linkUserId);
+      console.log('[oidc] linked identity to userId=%s', oidcSession.linkUserId);
      return res.redirect('/#oidc-linked');
    }

@@ -331,26 +335,23 @@ router.get('/oidc/callback', async (req, res) => {
    ).get(issuer, sub);

    if (!user) {
-      console.warn('[oidc] callback: no user found for iss=%s sub=%s — not linked', issuer, sub);
+      console.warn('[oidc] callback: identity not linked to any user');
      return res.redirect('/#oidc-error=' + encodeURIComponent(
        'No account is linked to this identity. Ask an admin to link your account, or sign in with your password and link it yourself.'
      ));
    }

-    console.log('[oidc] callback: login success, userId=%s, username=%s, role=%s', user.id, user.username, user.role);
-    req.session.userId   = user.id;
-    req.session.username = user.username;
-    req.session.role     = user.role;
-
+    console.log('[oidc] login success for userId=%s', user.id);
+    establishSession(req, user, err => {
+      if (err) return res.redirect('/#oidc-error=' + encodeURIComponent('SSO login failed. Please try again.'));
      // Load account access into session (mirrors login behavior)
      if (user.role !== 'admin') {
-      const accts = db.prepare('SELECT account_id, role FROM user_accounts WHERE user_id = ?').all(user.id);
-      req.session.accounts = accts;
+        req.session.accounts = db.prepare('SELECT account_id, role FROM user_accounts WHERE user_id = ?').all(user.id);
      }
-
      res.redirect('/');
+    });
  } catch (err) {
-    console.error('[oidc] callback error:', err.message, err.stack);
+    console.error('[oidc] callback error:', err.message);
    res.redirect('/#oidc-error=' + encodeURIComponent('SSO login failed. Please try again.'));
  }
 });
@@ -362,7 +363,6 @@ router.get('/oidc/link', async (req, res) => {
  }

  try {
-    console.log('[oidc] link: userId=%s initiating linking flow', req.session.userId);
    const settings = getOidcSettings();
    if (!settings.enabled) return res.redirect('/#oidc-error=' + encodeURIComponent('OIDC is not enabled.'));

@@ -384,10 +384,9 @@ router.get('/oidc/link', async (req, res) => {
      code_challenge_method: 'S256',
    });

-    console.log('[oidc] link: redirecting to provider');
    req.session.save(() => res.redirect(authUrl));
  } catch (err) {
-    console.error('[oidc] link error:', err.message, err.stack);
+    console.error('[oidc] link error:', err.message);
    res.redirect('/#oidc-error=' + encodeURIComponent('Failed to initiate SSO linking.'));
  }
 });
@@ -4,7 +4,7 @@ const express = require('express');
 const router = express.Router();
 const db = require('../db/database');
 const { generateCheckPdf } = require('../services/pdfService');
-const { isEditorForAccount } = require('../middleware/auth');
+const { canAccessAccount, isEditorForAccount } = require('../middleware/auth');

 /**
 * POST /api/pdf
@@ -30,10 +30,11 @@ router.post('/', async (req, res) => {
  }

  // Fetch checks in the order provided; verify each belongs to the declared account
+  const checkStmt = db.prepare('SELECT * FROM checks WHERE id = ?');
  let checks;
  try {
    checks = checkIds.map(id => {
-      const check = db.prepare('SELECT * FROM checks WHERE id = ?').get(id);
+      const check = checkStmt.get(id);
      if (!check) throw new Error(`Check ID ${id} not found`);
      if (check.account_id !== resolvedAccountId) throw new Error(`Check ID ${id} does not belong to this account`);
      return check;
@@ -70,4 +71,60 @@ router.post('/', async (req, res) => {
  }
 });

+/**
+ * POST /api/pdf/preview
+ * Body: { account_id: X }
+ *
+ * Generates a layout preview PDF using dummy check data — no real checks touched.
+ * Shows all three slots filled with sample data so every visible field is visible.
+ */
+router.post('/preview', async (req, res) => {
+  const resolvedAccountId = parseInt(req.body.account_id, 10);
+  if (!resolvedAccountId) return res.status(400).json({ error: 'account_id required' });
+  // The preview renders the MICR line (routing + account number) — same access
+  // rules as reading the account itself
+  if (!canAccessAccount(req.session, resolvedAccountId)) {
+    return res.status(403).json({ error: 'Access denied.' });
+  }
+
+  const account = db.prepare('SELECT * FROM account WHERE id = ?').get(resolvedAccountId);
+  if (!account) return res.status(404).json({ error: 'Account not found.' });
+
+  const fields = db.prepare('SELECT * FROM layout_fields WHERE account_id = ?').all(resolvedAccountId);
+
+  const DUMMY_CHECK = {
+    id: 0,
+    check_no: 1001,
+    payee: 'Sample Payee Name',
+    amount: 1234.56,
+    check_date: new Date().toISOString().slice(0, 10),
+    memo: 'Sample Memo',
+    payee_address1: '123 Sample Street',
+    payee_address2: 'City, ST 12345',
+    payee_address3: null,
+    payee_address4: null,
+    printed: 0,
+    account_id: resolvedAccountId,
+  };
+
+  const checks = [
+    { ...DUMMY_CHECK, check_no: 1001 },
+    { ...DUMMY_CHECK, check_no: 1002 },
+    { ...DUMMY_CHECK, check_no: 1003 },
+  ];
+
+  try {
+    const pdfBuffer = await generateCheckPdf(account, checks, fields);
+    res.set({
+      'Content-Type': 'application/pdf',
+      'Content-Disposition': 'inline; filename="layout-preview.pdf"',
+      'Content-Length': pdfBuffer.length,
+    });
+    res.send(pdfBuffer);
+  } catch (err) {
+    console.error('Preview PDF error:', err);
+    res.status(500).json({ error: 'Preview generation failed.' });
+  }
+});
+
 module.exports = router;
@@ -6,7 +6,7 @@ const multer  = require('multer');
 const os      = require('os');
 const fs      = require('fs');

-const upload = multer({ dest: os.tmpdir() });
+const upload = multer({ dest: os.tmpdir(), limits: { fileSize: 10 * 1024 * 1024 } });
 const { isEditorForAccount } = require('../middleware/auth');

 // ── CSV helpers ───────────────────────────────────────────────────────────────
@@ -165,6 +165,29 @@ function extractRows(text, type) {

 // ── Confirm helpers ───────────────────────────────────────────────────────────

+// Records come back from the client as JSON, not from the parsed file —
+// re-validate them server-side. Normalizes amount/check_no in place.
+// Returns an error string, or null if all records are valid.
+function validateRecords(records, type) {
+  for (const rec of records) {
+    if (!rec || typeof rec !== 'object') return 'Invalid record.';
+    if (!/^\d{4}-\d{2}-\d{2}$/.test(rec.date || '')) {
+      return 'Each record must have a date in YYYY-MM-DD format.';
+    }
+    const amount = Number(rec.amount);
+    if (!isFinite(amount) || amount <= 0) {
+      return 'Each record amount must be a positive number.';
+    }
+    rec.amount = Math.round(amount * 100) / 100;
+    if (type === 'checks' && rec.check_no !== null && rec.check_no !== undefined) {
+      const n = parseInt(rec.check_no, 10);
+      if (!Number.isInteger(n) || n < 1) return 'Check numbers must be positive integers.';
+      rec.check_no = n;
+    }
+  }
+  return null;
+}
+
 function confirmChecks(db, records, account_id) {
  const existing = new Set(
    db.prepare('SELECT check_no FROM checks WHERE account_id = ?').all(account_id).map(r => r.check_no)
@@ -312,6 +335,8 @@ router.post('/confirm', express.json(), (req, res) => {
  if (records.length > 1000) {
    return res.status(400).json({ error: 'Cannot import more than 1000 records at a time.' });
  }
+  const validationError = validateRecords(records, type);
+  if (validationError) return res.status(400).json({ error: validationError });

  const db = require('../db/database');
  try {
@@ -57,77 +57,86 @@ router.post('/', async (req, res) => {

 // PUT /api/users/:id
 router.put('/:id', async (req, res) => {
-  const user = db.prepare('SELECT id, role FROM users WHERE id = ?').get(req.params.id);
+  const userId = parseInt(req.params.id, 10);
+  const user = db.prepare('SELECT id, role FROM users WHERE id = ?').get(userId);
  if (!user) return res.status(404).json({ error: 'User not found.' });

  const { username, password, role, accounts, email, oidc_sub, oidc_issuer } = req.body;

+  // ── Validate everything before writing anything ──
  if (role && !['admin', 'editor', 'viewer'].includes(role)) {
    return res.status(400).json({ error: 'Invalid role.' });
  }
-
-  if (username && username.trim() !== '') {
-    try {
-      db.prepare("UPDATE users SET username = ?, updated_at = datetime('now') WHERE id = ?")
-        .run(username.trim(), req.params.id);
-    } catch (err) {
-      if (err.message.includes('UNIQUE')) return res.status(409).json({ error: 'Username already taken.' });
-      throw err;
+  if (role && role !== 'admin' && user.role === 'admin') {
+    const { n } = db.prepare("SELECT COUNT(*) AS n FROM users WHERE role = 'admin' AND id != ?").get(userId);
+    if (n === 0) return res.status(400).json({ error: 'Cannot demote the last admin.' });
  }
-  }
-
-  if (role) {
-    db.prepare("UPDATE users SET role = ?, updated_at = datetime('now') WHERE id = ?")
-      .run(role, req.params.id);
-  }
-
-  if (email !== undefined) {
-    db.prepare("UPDATE users SET email = ?, updated_at = datetime('now') WHERE id = ?")
-      .run(email ? email.trim() : null, req.params.id);
-  }
-
  if (password) {
    const pwErr = validatePassword(password);
    if (pwErr) return res.status(400).json({ error: pwErr });
-    const hash = await bcrypt.hash(password, 12);
-    db.prepare("UPDATE users SET password_hash = ?, updated_at = datetime('now') WHERE id = ?")
-      .run(hash, req.params.id);
  }

-  // OIDC linking — admin can set or clear oidc_sub/oidc_issuer
+  let newSub, newIssuer;
  if (oidc_sub !== undefined) {
-    const newSub    = oidc_sub    ? oidc_sub.trim()    : null;
-    const newIssuer = oidc_issuer ? oidc_issuer.trim() : null;
+    newSub    = oidc_sub    ? oidc_sub.trim()    : null;
+    newIssuer = oidc_issuer ? oidc_issuer.trim() : null;
    if (newSub && !newIssuer) {
      return res.status(400).json({ error: 'OIDC issuer is required when setting OIDC subject.' });
    }
    if (newSub) {
      const existing = db.prepare(
        'SELECT id FROM users WHERE oidc_issuer = ? AND oidc_sub = ? AND id != ?'
-      ).get(newIssuer, newSub, req.params.id);
+      ).get(newIssuer, newSub, userId);
      if (existing) return res.status(409).json({ error: 'This OIDC identity is already linked to another user.' });
    }
-    db.prepare("UPDATE users SET oidc_sub = ?, oidc_issuer = ?, updated_at = datetime('now') WHERE id = ?")
-      .run(newSub, newSub ? newIssuer : null, req.params.id);
  }

+  const passwordHash = password ? await bcrypt.hash(password, 12) : null;
+
+  // ── Apply all changes atomically ──
+  try {
+    db.transaction(() => {
+      if (username && username.trim() !== '') {
+        db.prepare("UPDATE users SET username = ?, updated_at = datetime('now') WHERE id = ?")
+          .run(username.trim(), userId);
+      }
+      if (role) {
+        db.prepare("UPDATE users SET role = ?, updated_at = datetime('now') WHERE id = ?")
+          .run(role, userId);
+      }
+      if (email !== undefined) {
+        db.prepare("UPDATE users SET email = ?, updated_at = datetime('now') WHERE id = ?")
+          .run(email ? email.trim() : null, userId);
+      }
+      if (passwordHash) {
+        db.prepare("UPDATE users SET password_hash = ?, updated_at = datetime('now') WHERE id = ?")
+          .run(passwordHash, userId);
+      }
+      if (oidc_sub !== undefined) {
+        db.prepare("UPDATE users SET oidc_sub = ?, oidc_issuer = ?, updated_at = datetime('now') WHERE id = ?")
+          .run(newSub, newSub ? newIssuer : null, userId);
+      }
      if (Array.isArray(accounts)) {
-    db.prepare('DELETE FROM user_accounts WHERE user_id = ?').run(req.params.id);
+        db.prepare('DELETE FROM user_accounts WHERE user_id = ?').run(userId);
        const effectiveRole = role || user.role;
        if (effectiveRole !== 'admin' && accounts.length > 0) {
          const stmt = db.prepare('INSERT OR IGNORE INTO user_accounts (user_id, account_id, role) VALUES (?, ?, ?)');
-      accounts.forEach(a => stmt.run(req.params.id, a.id, a.role === 'editor' ? 'editor' : 'viewer'));
+          accounts.forEach(a => stmt.run(userId, a.id, a.role === 'editor' ? 'editor' : 'viewer'));
        }
      }
-
-  // If role or account assignments changed, invalidate all active sessions for this user
-  // so the new permissions take effect immediately rather than at session expiry.
+      // If role or account assignments changed, invalidate all active sessions for
+      // this user so the new permissions take effect immediately.
      if (role || Array.isArray(accounts)) {
        db.prepare("DELETE FROM sessions WHERE CAST(json_extract(sess, '$.userId') AS INTEGER) = ?")
-      .run(parseInt(req.params.id, 10));
+          .run(userId);
+      }
+    })();
+  } catch (err) {
+    if (err.message.includes('UNIQUE')) return res.status(409).json({ error: 'Username already taken.' });
+    throw err;
  }

-  res.json(userWithAccounts(req.params.id));
+  res.json(userWithAccounts(userId));
 });

 // DELETE /api/users/:id
@@ -44,7 +44,7 @@ const SL = {
  cX: 0.65,

  // ── Depositor block ───────────────────────────────────────────────────────
-  depositorY: 0.28,   // Y of company name (first depositor line)
+  depositorY: 0.42,   // Y of company name (first depositor line)

  // ── Date ─────────────────────────────────────────────────────────────────
  dateY:      1.38,   // Y of DATE label
@@ -87,8 +87,8 @@ const SL = {
  checkCountValY:   6.1,    // check count value start

  // ── Colours ───────────────────────────────────────────────────────────────
-  bgLineColor:   '#888888',
-  bgLabelColor:  '#444444',
+  bgLineColor:   '#333333',
+  bgLabelColor:  '#111111',
  bgHeaderColor: '#000000',
 };

@@ -238,7 +238,17 @@ function generateDepositSlip(account, deposit, items) {
    const depositTotal = subTotal - (deposit.cash_back || 0);
    const checkCount   = items.length;

-    const totalRows  = SL.firstCheckRow + SL.maxChecks;
+    // Split items: first 30 on front, up to 30 more on back
+    const frontItems  = items.slice(0, SL.maxChecks);
+    const backItems   = items.slice(SL.maxChecks, SL.maxChecks * 2);
+    const hasBackPage = backItems.some(it => (it.amount || 0) > 0 || it.check_no || it.payee);
+    const backTotal   = hasBackPage ? backItems.reduce((s, i) => s + (i.amount || 0), 0) : 0;
+
+    // When back page exists, add one extra row on front for "FROM REVERSE"
+    const fromReverseRow = hasBackPage ? SL.firstCheckRow + SL.maxChecks : null;
+    const totalRows  = fromReverseRow != null
+      ? SL.firstCheckRow + SL.maxChecks + 1
+      : SL.firstCheckRow + SL.maxChecks;
    const totalRowY_ = rowTopY(totalRows);
    const gridBottom = totalRowY_ + SL.rowH;

@@ -304,7 +314,7 @@ function generateDepositSlip(account, deposit, items) {
    doc.text('TOTAL $', SL.cX * PT, rowY(totalRows) * PT - 5, { lineBreak: false });

    // Top disclaimer (above grid)
-    doc.font('Helvetica').fontSize(5).fillColor('#666666')
+    doc.font('Helvetica').fontSize(5).fillColor('#333333')
       .text(
         'DEPOSITS MAY NOT BE AVAILABLE FOR IMMEDIATE WITHDRAWAL',
         SL.cX * PT, SL.disclaimerY * PT,
@@ -312,7 +322,7 @@ function generateDepositSlip(account, deposit, items) {
       );

    // Bottom disclaimer (below grid)
-    doc.font('Helvetica').fontSize(5).fillColor('#666666')
+    doc.font('Helvetica').fontSize(5).fillColor('#333333')
       .text(
         'Checks and other items are received for deposit subject to the provisions of the Uniform Commercial Code or any applicable collection agreements.',
         SL.cX * PT, (gridBottom + 0.05) * PT,
@@ -321,7 +331,7 @@ function generateDepositSlip(account, deposit, items) {

    // DEPOSIT TICKET header
    doc.font('Helvetica-Bold').fontSize(9).fillColor(SL.bgHeaderColor)
-       .text('D E P O S I T   T I C K E T', SL.cX * PT, 0.08 * PT,
+       .text('D E P O S I T   T I C K E T', SL.cX * PT, 0.20 * PT,
             { width: (SL.W - SL.cX - 0.05) * PT, align: 'center', lineBreak: false });

    // ── Depositor block — account info, then bank info stacked below ────────
@@ -368,25 +378,32 @@ function generateDepositSlip(account, deposit, items) {

    function drawAmountRow(amount, rowIdx) {
      const y = (rowY(rowIdx) - 0.015) * PT;
-      doc.font('Courier').fontSize(8).fillColor('#000000');
+      doc.font('Courier-Bold').fontSize(8).fillColor('#000000');
      drawDigitAmount(doc, amount, dollarsRightX, y);
    }

    drawAmountRow(deposit.currency || 0, SL.currencyRow);
    drawAmountRow(deposit.coin     || 0, SL.coinRow);

-    items.slice(0, SL.maxChecks).forEach((item, i) => {
+    frontItems.forEach((item, i) => {
      const r = SL.firstCheckRow + i;
      const y = (rowY(r) - 0.015) * PT;
      if (item.check_no) {
-        doc.font('Courier').fontSize(7).fillColor('#000000')
+        doc.font('Courier-Bold').fontSize(7).fillColor('#000000')
           .text(String(item.check_no).slice(0, 8),
-                 (SL.cX + 0.16) * PT, y,
+                 (SL.cX + 0.28) * PT, y,
                 { width: SL.checkNoW * PT, lineBreak: false });
      }
      drawAmountRow(item.amount || 0, r);
    });

+    // "FROM REVERSE" row carries back-page subtotal onto the front
+    if (fromReverseRow != null) {
+      doc.font('Courier').fontSize(6).fillColor(SL.bgLabelColor)
+         .text('FROM REVERSE', SL.cX * PT, rowY(fromReverseRow) * PT - 4, { lineBreak: false });
+      drawAmountRow(backTotal, fromReverseRow);
+    }
+
    drawAmountRow(depositTotal, totalRows);

    // ── Rotated left strip elements ─────────────────────────────────────────
@@ -440,10 +457,124 @@ function generateDepositSlip(account, deposit, items) {

    doc.restore(); // end slip position translate

+    if (hasBackPage) {
+      doc.addPage();
+      renderDepositBackPage(doc, backItems, backTotal);
+    }
+
    doc.end();
  });
 }

+// ── Back page renderer ────────────────────────────────────────────────────────
+
+function renderDepositBackPage(doc, backItems, backTotal) {
+  // Same slip position and width as front (slipX=0, W=3.375").
+  // No left strip elements; grid starts near the top.
+  // Vertically center the grid on the 8.5" page.
+  // Grid height = (checksRow + maxChecks + 1 TOTAL row + 1 border) * rowH = 33 * 0.175 = 5.775"
+  // Allow ~0.45" above grid for title + column headers; remainder splits top/bottom.
+  const BK_GRID_HEIGHT = (1 + SL.maxChecks + 1 + 1) * SL.rowH; // 33 rows
+  const BK_TITLE_AREA  = 0.45;
+  const BK_GRID_TOP    = (SL.H - BK_GRID_HEIGHT - BK_TITLE_AREA) / 2 + BK_TITLE_AREA;
+  const BK_TITLE_Y     = (SL.H - BK_GRID_HEIGHT - BK_TITLE_AREA) / 2;
+  const BK = {
+    gridTop:   BK_GRID_TOP,
+    titleY:    BK_TITLE_Y,
+    checksRow: 0,
+    firstRow:  1,
+    maxChecks: SL.maxChecks,  // 30
+  };
+  const totalRows  = BK.firstRow + BK.maxChecks;  // "TOTAL $" row index
+
+  const bkRowTopY = r => BK.gridTop + r * SL.rowH;
+  const bkRowY    = r => BK.gridTop + r * SL.rowH + SL.rowH * 0.7;
+
+  const gridTopPt = bkRowTopY(0) * PT;
+  const gridBotPt = (bkRowTopY(totalRows) + SL.rowH) * PT;
+
+  doc.save();
+  doc.translate(SL.slipX * PT, 0);
+
+  // ── Title ─────────────────────────────────────────────────────────────────
+  doc.font('Helvetica-Bold').fontSize(9).fillColor(SL.bgHeaderColor)
+     .text('A D D I T I O N A L   C H E C K   L I S T I N G',
+           SL.cX * PT, BK.titleY * PT,
+           { width: (SL.W - SL.cX - 0.05) * PT, align: 'center', lineBreak: false });
+
+  // ── Grid verticals (same column positions as front) ───────────────────────
+  const dollarsRightX  = SL.colCentsR - SL.colCentsW - SL.colDollarSep;
+  const dividerX       = (dollarsRightX - 7 * SL.digitW) * PT;
+  const dollarsCentsX  = dollarsRightX * PT;
+
+  doc.moveTo(dividerX,       gridTopPt).lineTo(dividerX,       gridBotPt).lineWidth(0.5).stroke(SL.bgLineColor);
+  doc.moveTo(dollarsCentsX,  gridTopPt).lineTo(dollarsCentsX,  gridBotPt).lineWidth(0.5).stroke(SL.bgLineColor);
+  doc.moveTo(SL.colCentsR * PT, gridTopPt).lineTo(SL.colCentsR * PT, gridBotPt).lineWidth(0.5).stroke(SL.bgLineColor);
+
+  // Column headers
+  doc.font('Helvetica').fontSize(6).fillColor(SL.bgLabelColor);
+  const hdrY = (BK.gridTop - 0.10) * PT;
+  doc.text('DOLLARS', dollarsCentsX - 7 * SL.digitW * PT, hdrY,
+           { width: 7 * SL.digitW * PT, align: 'center', lineBreak: false });
+  doc.text('CENTS', (SL.colCentsR - SL.colCentsW) * PT, hdrY,
+           { width: SL.colCentsW * PT, align: 'center', lineBreak: false });
+
+  // "CHECKS:" header label
+  doc.font('Courier').fontSize(7).fillColor(SL.bgLabelColor)
+     .text('CHECKS:', SL.cX * PT, bkRowY(BK.checksRow) * PT - 5, { lineBreak: false });
+
+  // ── Horizontal grid lines ─────────────────────────────────────────────────
+  for (let r = 0; r <= totalRows + 1; r++) {
+    const y = bkRowTopY(r) * PT;
+    const isOuter = r === 0 || r === totalRows + 1;
+    doc.moveTo(SL.stripX * PT, y).lineTo(SL.colCentsR * PT, y)
+       .lineWidth(isOuter ? 0.75 : 0.3).stroke(SL.bgLineColor);
+  }
+
+  // ── Row numbers (continuing from front: 31–60) ────────────────────────────
+  doc.font('Courier').fontSize(6).fillColor(SL.bgLabelColor);
+  for (let i = 0; i < BK.maxChecks; i++) {
+    const r = BK.firstRow + i;
+    doc.text(String(SL.maxChecks + i + 1), SL.cX * PT, bkRowY(r) * PT - 4,
+             { width: 14, align: 'right', lineBreak: false });
+  }
+
+  // ── "TOTAL $" footer label ────────────────────────────────────────────────
+  doc.font('Courier-Bold').fontSize(7).fillColor('#000000')
+     .text('T O T A L  $', SL.cX * PT, bkRowY(totalRows) * PT - 5, { lineBreak: false });
+
+  // ── "Forward to other side" in left strip (rotated) ───────────────────────
+  const fwdY = bkRowTopY(totalRows) + SL.rowH * 0.5;
+  doc.save();
+  doc.translate(SL.stripCenterX * PT, fwdY * PT);
+  doc.rotate(90);
+  doc.font('Helvetica').fontSize(6).fillColor(SL.bgLabelColor)
+     .text('Forward to other side', 0, 0, { lineBreak: false });
+  doc.restore();
+
+  // ── Amount data ───────────────────────────────────────────────────────────
+  backItems.forEach((item, i) => {
+    const r = BK.firstRow + i;
+    const y = (bkRowY(r) - 0.015) * PT;
+    if (item.check_no) {
+      doc.font('Courier-Bold').fontSize(7).fillColor('#000000')
+         .text(String(item.check_no).slice(0, 8),
+               (SL.cX + 0.28) * PT, y,
+               { width: SL.checkNoW * PT, lineBreak: false });
+    }
+    if ((item.amount || 0) > 0) {
+      doc.font('Courier-Bold').fontSize(8).fillColor('#000000');
+      drawDigitAmount(doc, item.amount, dollarsRightX, y);
+    }
+  });
+
+  // Back page total
+  doc.font('Courier-Bold').fontSize(8).fillColor('#000000');
+  drawDigitAmount(doc, backTotal, dollarsRightX, (bkRowY(totalRows) - 0.015) * PT);
+
+  doc.restore();
+}
+
 // ── Amount rendering helpers ──────────────────────────────────────────────────

 /**
Author	SHA1	Message	Date
steve	c2b2722c56	chore: bump version to 0.5.0 TODO to Issues / todo (push) Has been cancelled Details Build and push Docker image / build-push (push) Has been cancelled Details	2026-06-11 22:56:20 -06:00
steve	d1b27837e3	Merge pull request #18 from snachodog/fix/qs-dos-advisory Build and push Docker image / build-push (push) Has been cancelled Details TODO to Issues / todo (push) Has been cancelled Details fix(deps): force qs >= 6.15.2 to resolve DoS advisory	2026-06-11 22:30:50 -06:00
steve	5d66d1f575	fix(deps): force qs >= 6.15.2 to resolve DoS advisory express 4 pins qs to ~6.14.0, which falls in the vulnerable range of GHSA-q8mj-m7cp-5q26 (remotely triggerable TypeError in qs.stringify). Add an npm override so the transitive dependency resolves to the patched 6.15.2.	2026-06-11 22:29:52 -06:00
steve	34540e410c	Merge pull request #17 from snachodog/refactor/security-hardening Build and push Docker image / build-push (push) Has been cancelled Details TODO to Issues / todo (push) Has been cancelled Details Security hardening and hot-path performance fixes	2026-06-11 22:25:30 -06:00
steve	2504766be7	perf(db): reuse prepared statements on hot paths - Prepare the user_accounts role lookup once in the auth middleware; it runs on nearly every authenticated request - Prepare session store get/set/destroy/purge statements once in the constructor instead of per request - Prepare the per-check SELECT once per PDF job instead of once per check	2026-06-11 22:03:56 -06:00
steve	b4824655dd	fix(docker): run container as non-root and exclude local files from image - Add .dockerignore: a local .env, the live SQLite database in data/, .git, and node_modules were previously copied into the published image by COPY - Run the app as the unprivileged node user; pre-create /app/data with matching ownership so named volumes inherit it - Set NODE_ENV=production in the image - Document the one-time volume chown needed when upgrading existing deployments	2026-06-11 21:57:39 -06:00
steve	674506bd2d	fix(api): close authz gap and tighten input validation - Require account access on POST /api/pdf/preview: any authenticated user could previously render any account's MICR line (routing and account number) regardless of role - Re-validate QBO import records server-side on confirm (date format, positive amounts, integer check numbers) instead of trusting client JSON - Make PUT /api/users/:id atomic: validate all fields up front, then apply every change in a single transaction (a validation failure could previously leave a half-applied update) - Block demoting the last remaining admin - Validate routing numbers as exactly 9 digits on account setup and update - Cap upload sizes (50 MB .mdb, 10 MB CSV) and add a JSON error handler so oversized uploads and bad JSON return clean 4xx errors instead of HTML stack traces - Disable the X-Powered-By header	2026-06-11 21:56:53 -06:00
steve	3fd3285c13	fix(auth): harden session lifecycle, reset links, and OIDC logging - Fix session store expiry: cookie.maxAge is already in milliseconds, so stored sessions outlived the cookie by 1000x - Regenerate the session ID on login, first-run setup, and OIDC login to prevent session fixation - Mark session cookies Secure on TLS connections (secure: 'auto') and add TRUST_PROXY support for reverse-proxy deployments - Build password reset links from APP_BASE_URL instead of the Host header to prevent reset-link poisoning - Rate-limit forgot-password requests (5 per IP per 15 minutes) - Strip OIDC debug logging that leaked authorization codes, subject IDs, and emails to logs	2026-06-11 21:54:35 -06:00
steve	427b064af1	chore: add GitHub issue templates	2026-05-16 08:36:55 -06:00
steve	7d105bce21	chore: bump version to 0.4.6 TODO to Issues / todo (push) Has been cancelled Details Build and push Docker image / build-push (push) Has been cancelled Details	2026-05-02 17:22:31 -06:00
steve	0b21f4ea3c	feat(layout): add preview PDF button to layout editor Generates a 3-up PDF with dummy check data (no real checks touched) so the layout can be proofed without printing live checks. Closes #12	2026-05-02 17:21:41 -06:00
steve	f91fc7bd8a	fix(deposits): bold check numbers and amounts for better print visibility	2026-04-28 10:28:08 -06:00
steve	bb935acfa9	fix(deposits): check number spacing, darker text, header/title repositioning - Shift check numbers right (0.16->0.28") so they clear the row number labels - Darken label text (#444->##111) and disclaimer text (#666->#333) - Move 'DEPOSIT TICKET' header and depositor/bank block down 0.12" on front page - Vertically center the check grid on the back page - Reposition 'ADDITIONAL CHECK LISTING' title relative to centered grid	2026-04-28 09:59:28 -06:00
steve	3957cf5518	feat(deposits): add back page rows all at once via single button	2026-04-28 09:28:49 -06:00
steve	4a47394923	fix(deposits): darken deposit slip grid lines for scanner readability	2026-04-28 09:14:52 -06:00
steve	189ae53d34	feat(deposits): pre-fill 30 slots and add back-page overflow for 31-60 checks - Deposit panel now pre-fills all 30 check slots on open (new and existing) - Remove button maintains 30-slot minimum by appending a blank row - Add Row button hidden at <30, visible at 30-59, disabled at 60 - Deposit slip PDF splits items: first 30 on front, up to 30 more on back - Front page gains a FROM REVERSE row carrying back-page subtotal when needed - Back page renders with same column positions/width as front, titled 'ADDITIONAL CHECK LISTING', numbered rows 31-60, and 'Forward to other side / TOTAL $' footer Closes #10, closes #11	2026-04-28 09:04:44 -06:00
steve	657de9e61a	fix(ui): resolve deposit panel scroll and PDF open on iOS - Switch #deposit-panel to 100dvh so iOS browser chrome doesn't clip the Save button - Move overflow-y:auto to #deposit-panel-body so the actions footer stays pinned - Replace window.open(blob:) with <a download> click to fix PDF opening in Firefox iOS (Firefox iOS blocks blob: URL navigation in new tabs) Closes #7, closes #9	2026-04-28 08:32:07 -06:00