3fd3285c13
- Fix session store expiry: cookie.maxAge is already in milliseconds, so stored sessions outlived the cookie by 1000x - Regenerate the session ID on login, first-run setup, and OIDC login to prevent session fixation - Mark session cookies Secure on TLS connections (secure: 'auto') and add TRUST_PROXY support for reverse-proxy deployments - Build password reset links from APP_BASE_URL instead of the Host header to prevent reset-link poisoning - Rate-limit forgot-password requests (5 per IP per 15 minutes) - Strip OIDC debug logging that leaked authorization codes, subject IDs, and emails to logs
services:
|
|
check-printing:
|
|
image: dogiakos/check-printing:latest
|
|
container_name: check-printing
|
|
restart: unless-stopped
|
|
ports:
|
|
- "3003:3000"
|
|
volumes:
|
|
# Persistent data: SQLite DB lives here
|
|
- check-printing-data:/app/data
|
|
environment:
|
|
- NODE_ENV=production
|
|
- PORT=3000
|
|
- DB_PATH=/app/data/check-printing.db
|
|
# Required in production — generate with: openssl rand -hex 32
|
|
- SESSION_SECRET=${SESSION_SECRET}
|
|
# Public base URL for password reset links (recommended)
|
|
- APP_BASE_URL=${APP_BASE_URL:-}
|
|
# Set to 1 when behind a reverse proxy / TLS termination
|
|
- TRUST_PROXY=${TRUST_PROXY:-}
|
|
# OIDC / SSO (optional — omit or leave blank to disable)
|
|
- OIDC_ENABLED=${OIDC_ENABLED:-}
|
|
- OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-}
|
|
- OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-}
|
|
- OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}
|
|
- OIDC_REDIRECT_URI=${OIDC_REDIRECT_URI:-}
|
|
- OIDC_BUTTON_LABEL=${OIDC_BUTTON_LABEL:-Sign in with SSO}
|
|
|
|
volumes:
|
|
check-printing-data:
|
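Review bot: `SESSION_SECRET=${SESSION_SECRET}` has no fail-fast modifier, so when the variable is missing Compose only prints a warning and starts the container with an empty secret, which undermines the session hardening the commit describes; prefer `- SESSION_SECRET=${SESSION_SECRET:?SESSION_SECRET is required}` so startup aborts instead. The `TRUST_PROXY` comment should also say that the flag must be set only when a reverse proxy that overwrites the `X-Forwarded-*` headers is actually in front of the container, since trusting those headers on a directly exposed port would let a client choose the protocol used for the `secure: 'auto'` cookie decision and the address used for the per-IP forgot-password limit; something like `# Set to 1 only when behind a reverse proxy / TLS terminator that sets X-Forwarded-*` would capture that. `APP_BASE_URL` defaults to empty and is labelled "recommended", so if the application falls back to the Host header when it is blank the reset-link fix is effectively opt-in — the comment should state what happens when it is unset, or the value should be made required like the session secret.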