3fd3285c13
- Fix session store expiry: cookie.maxAge is already in milliseconds, so stored sessions outlived the cookie by 1000x - Regenerate the session ID on login, first-run setup, and OIDC login to prevent session fixation - Mark session cookies Secure on TLS connections (secure: 'auto') and add TRUST_PROXY support for reverse-proxy deployments - Build password reset links from APP_BASE_URL instead of the Host header to prevent reset-link poisoning - Rate-limit forgot-password requests (5 per IP per 15 minutes) - Strip OIDC debug logging that leaked authorization codes, subject IDs, and emails to logs
24 lines
925 B
Bash
# Copy to .env and fill in values before starting in production.
|
|
# Generate SESSION_SECRET with: openssl rand -hex 32
|
|
|
|
SESSION_SECRET=replace-with-a-random-64-character-hex-string
|
|
SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days)
|
|
PORT=3000
|
|
DB_PATH=/app/data/check-printing.db
|
|
|
|
# Public base URL of the app — used to build password reset links.
|
|
# Strongly recommended in production (prevents host-header link poisoning).
|
|
APP_BASE_URL=https://checks.example.com
|
|
|
|
# Set to 1 when running behind a reverse proxy (TLS termination) so client IPs
|
|
# and HTTPS detection work correctly. Leave unset for direct LAN access.
|
|
TRUST_PROXY=
|
|
|
|
# OIDC / SSO (optional — omit or leave blank to disable)
|
|
OIDC_ENABLED=false
|
|
OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
|
|
OIDC_CLIENT_ID=
|
|
OIDC_CLIENT_SECRET=
|
|
OIDC_REDIRECT_URI=https://checks.example.com/api/auth/oidc/callback
|
|
OIDC_BUTTON_LABEL=Sign in with SSO
|
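Review bot: The trailing `# default: 168 (7 days)` on the `SESSION_MAX_AGE_HOURS=168` line is an inline comment, and not every consumer of an env file strips those — Docker's `--env-file`/`env_file` passes `168 # default: 168 (7 days)` through as the literal value, so the session lifetime could end up unparseable or silently wrong in exactly the containerised deployment the `/app/data` DB_PATH suggests; moving the comment onto its own line above the key avoids that. The `TRUST_PROXY` comment should also state the failure mode of enabling it when the app is still reachable without the proxy in front, since the proxy headers are then client-controlled and the per-IP forgot-password limit and `secure: 'auto'` cookie detection from this commit rely on them. A one-line addition such as `# Only set this when ALL traffic arrives via the proxy; otherwise clients can forge the forwarded headers.` would cover it. Whether the server rejects the unchanged `SESSION_SECRET` placeholder at startup is not visible here; if it does, saying so in the comment on that key would make the example safer to copy.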