Zimeng Xiong
70103e18fb
sign CSRF with cookie, Login rate-limit key hardened against identifier-only lockout
2026-02-07 18:52:00 -08:00
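The "identifier-only lockout" in the commit above is the classic login rate-limit footgun: if the limiter's key is just the submitted username or e-mail, anyone can spend a victim's failed-attempt budget from anywhere and lock them out. The following is an added example (not the project's own code; `clientIp`, `identifierOnlyKey`, `hardenedKey`, `FixedWindowLimiter` and `lockoutScenario` are names chosen here) that shows the weak key beside the hardened one and derives the client IP from X-Forwarded-For only when the app trusts its proxy, which is the same concern the later "trust proxy" commits address.

```typescript
// Added example, not the project's code. Shows why a login rate-limit key
// must not be the identifier alone, and how the client IP that scopes the
// key depends on whether the proxy chain is trusted (Express's `trust proxy`
// setting performs the same extraction in production).

type Req = {
  remoteAddress: string;
  headers: Record<string, string | undefined>;
  body: { identifier?: string };
};

// Left-most X-Forwarded-For entry is the original client, but only when a
// trusted reverse proxy wrote it; otherwise the header is attacker-controlled.
export function clientIp(req: Req, trustProxy: boolean): string {
  const xff = req.headers["x-forwarded-for"];
  if (trustProxy && xff) {
    const first = xff.split(",")[0].trim();
    if (first) return first;
  }
  return req.remoteAddress;
}

export function normalizeIdentifier(id: string | undefined): string {
  return (id ?? "").trim().toLowerCase();
}

// Weak key: identifier only. Anyone can exhaust a victim's budget.
export function identifierOnlyKey(req: Req): string {
  return `login:${normalizeIdentifier(req.body.identifier)}`;
}

// Hardened key: identifier scoped by client IP, so a lockout stays on the
// address that caused it.
export function hardenedKey(req: Req, trustProxy: boolean): string {
  return `login:${clientIp(req, trustProxy)}:${normalizeIdentifier(req.body.identifier)}`;
}

export class FixedWindowLimiter {
  private hits = new Map<string, { count: number; resetAt: number }>();
  constructor(private max: number, private windowMs: number) {}

  // true = request allowed, false = key is over budget for this window.
  consume(key: string, now: number): boolean {
    const entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.max;
  }
}

// Constructed scenario: an attacker behind the proxy at 203.0.113.9 floods
// alice's identifier six times; then alice logs in from 198.51.100.7.
export function lockoutScenario(useHardenedKey: boolean): { attackerBlocked: boolean; victimAllowed: boolean } {
  const limiter = new FixedWindowLimiter(5, 15 * 60 * 1000);
  const keyOf = (req: Req) => (useHardenedKey ? hardenedKey(req, true) : identifierOnlyKey(req));
  const attacker: Req = {
    remoteAddress: "10.0.0.2", // the proxy's address as seen by Node
    headers: { "x-forwarded-for": "203.0.113.9, 10.0.0.2" },
    body: { identifier: "Alice@Example.com" },
  };
  const victim: Req = {
    remoteAddress: "10.0.0.2",
    headers: { "x-forwarded-for": "198.51.100.7" },
    body: { identifier: "alice@example.com" },
  };
  let attackerBlocked = false;
  for (let i = 0; i < 6; i++) {
    if (!limiter.consume(keyOf(attacker), 1_000)) attackerBlocked = true;
  }
  const victimAllowed = limiter.consume(keyOf(victim), 1_000);
  return { attackerBlocked, victimAllowed };
}
```

Scoping by IP confines the lockout but does not cap attempts against one identifier from many addresses, so a production limiter usually pairs the IP-scoped key with a looser per-identifier counter (or a per-account backoff) rather than dropping the identifier dimension altogether; and `trustProxy` must only be true when the process is actually reachable solely through the proxy that sets X-Forwarded-For.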
Zimeng Xiong
fd013de325
add tests on refactor
2026-02-07 18:03:05 -08:00
Zimeng Xiong
6bee0e2ded
refactor index.ts
2026-02-07 17:47:41 -08:00
Zimeng Xiong
35bbbb9599
images in preview
2026-02-07 17:21:58 -08:00
Zimeng Xiong
2aa749a2f0
prevent preview updates from overwriting drawings
2026-02-07 15:51:35 -08:00
Zimeng Xiong
02736d663a
chore: pre-release v0.4.6-dev
2026-02-07 12:46:00 -08:00
Zimeng Xiong
de254d46f2
concurrency
2026-02-07 12:45:33 -08:00
Zimeng Xiong
dd0f381ed1
chore: pre-release v0.4.5-dev
2026-02-07 12:09:21 -08:00
Zimeng Xiong
c40a5f46a0
fix colliding drawing IDs
2026-02-07 12:09:02 -08:00
Zimeng Xiong
8fcca43b0d
chore: pre-release v0.4.4-dev
2026-02-07 11:58:09 -08:00
Zimeng Xiong
a366acfedc
chore: pre-release v0.4.3-dev
2026-02-07 11:08:03 -08:00
Zimeng Xiong
2e74d2ad1a
chore: pre-release v0.4.2-dev
2026-02-07 10:34:36 -08:00
Zimeng Xiong
173c050f58
fix HTTPS requirement when frontend URL is not HTTPS
2026-02-07 10:31:08 -08:00
Zimeng Xiong
8161a563f0
chore: pre-release v0.4.1-dev
2026-02-07 10:08:27 -08:00
Zimeng Xiong
812f1cbf58
chore: pre-release v0.4.1-dev
2026-02-07 10:01:14 -08:00
Zimeng Xiong
26017fa5d2
fix JWT secret
2026-02-07 10:00:58 -08:00
Zimeng Xiong
06f4c0f537
remove dev dependencies from development containers
2026-02-07 09:27:39 -08:00
Zimeng Xiong
bbb23ca661
chore: pre-release v0.4.0-dev
2026-02-07 08:58:51 -08:00
Zimeng Xiong
f214e4f7b7
Ensure non multi-user flow stays
2026-02-06 23:05:23 -08:00
Zimeng Xiong
7aa33a1bdf
graphQL
2026-02-06 22:49:21 -08:00
Zimeng Xiong
ea06cd9175
fix graphQL
2026-02-06 22:35:17 -08:00
Zimeng Xiong
734f0a292d
fix graphQL
2026-02-06 22:28:36 -08:00
Zimeng Xiong
08135ee36a
fix test failures, new export/backup solutions
2026-02-06 22:21:19 -08:00
Zimeng Xiong
f462b2e288
minor UI fixes
2026-02-06 21:18:10 -08:00
Zimeng Xiong
01fda32bcd
test(import): add legacy import compatibility coverage
2026-02-06 14:54:02 -08:00
copilot-swe-agent[bot]
94694deb91
fix: address code review feedback - add error handling and fix import style
...
Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>
2026-02-06 14:52:47 -08:00
copilot-swe-agent[bot]
ef75f9ebdf
test: add user data sandboxing security tests
...
Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>
2026-02-06 14:52:47 -08:00
copilot-swe-agent[bot]
5e782e4044
fix: scope drawings cache by userId and add Socket.io authentication
...
Security fixes:
1. Drawings cache now includes userId in cache key to prevent data leakage
between users making identical queries.
2. Socket.io connections now require JWT authentication when auth is enabled.
3. Socket.io join-room verifies drawing ownership before allowing access.
4. Frontend passes auth token when connecting to Socket.io.
Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>
2026-02-06 14:52:47 -08:00
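The four fixes listed in the commit above share one theme: every cache entry, socket connection and room join has to be tied to an authenticated user. The following is an added example, not the project's own code, that shows the three server-side pieces in isolation: a query cache keyed with and without the userId (the "before" leaks one user's rows to another), a handshake check of the kind a Socket.io `io.use` middleware performs, and an ownership check before a room join. The JWT helpers are a minimal HS256 stand-in written with node:crypto so the example runs without the jsonwebtoken package; `DrawingsCache`, `authenticateHandshake`, `canJoinRoom` and the sample secret, user and drawing IDs are all constructed for this example.

```typescript
// Added example, not the project's code. Demonstrates per-user cache keys,
// JWT-gated socket handshakes and ownership checks on room joins.
import { createHmac, timingSafeEqual } from "node:crypto";

const b64url = (s: string) => Buffer.from(s, "utf8").toString("base64url");

// Minimal HS256 signer/verifier standing in for jsonwebtoken.
export function signJwt(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

export function verifyJwt(token: string, secret: string, now: number): { sub: string } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  // Always HMAC with the server secret; the header's alg is never trusted.
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: any;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp === "number" && claims.exp <= now) return null;
  if (typeof claims.sub !== "string") return null;
  return { sub: claims.sub };
}

// Cache keyed on the query alone hands user B the rows cached for user A's
// identical query; including userId in the key is the fix.
export class DrawingsCache {
  private store = new Map<string, string[]>();
  constructor(private scopeByUser: boolean) {}
  private key(userId: string, query: string): string {
    return this.scopeByUser ? `${userId}:${query}` : query;
  }
  get(userId: string, query: string): string[] | undefined {
    return this.store.get(this.key(userId, query));
  }
  set(userId: string, query: string, rows: string[]): void {
    this.store.set(this.key(userId, query), rows);
  }
}

type Handshake = { auth?: { token?: string } };

// Same decision a Socket.io `io.use((socket, next) => ...)` middleware makes
// on socket.handshake.auth: with auth enabled, no valid token means no socket.
export function authenticateHandshake(hs: Handshake, secret: string, authEnabled: boolean, now: number): { userId: string } | null {
  if (!authEnabled) return { userId: "single-user" };
  const token = hs.auth?.token;
  if (!token) return null;
  const claims = verifyJwt(token, secret, now);
  return claims ? { userId: claims.sub } : null;
}

// join-room guard: only the drawing's owner may enter its room.
export function canJoinRoom(userId: string, drawingId: string, owners: Map<string, string>): boolean {
  return owners.get(drawingId) === userId;
}

// Constructed scenario tying the pieces together.
export function demo(): { leakBefore: boolean; leakAfter: boolean; anonRejected: boolean; ownerJoins: boolean; strangerJoins: boolean } {
  const secret = "constructed-dev-secret";
  const now = 1_700_000_000;
  const q = "drawings?orderBy=updatedAt&limit=10";
  const leaky = new DrawingsCache(false);
  leaky.set("alice", q, ["alice-drawing-1"]);
  const leakBefore = leaky.get("bob", q) !== undefined;
  const scoped = new DrawingsCache(true);
  scoped.set("alice", q, ["alice-drawing-1"]);
  const leakAfter = scoped.get("bob", q) !== undefined;
  const token = signJwt({ sub: "alice", exp: now + 3600 }, secret);
  const anonRejected = authenticateHandshake({}, secret, true, now) === null;
  const alice = authenticateHandshake({ auth: { token } }, secret, true, now);
  const owners = new Map([["d1", "alice"]]);
  const ownerJoins = alice !== null && canJoinRoom(alice.userId, "d1", owners);
  const strangerJoins = canJoinRoom("bob", "d1", owners);
  return { leakBefore, leakAfter, anonRejected, ownerJoins, strangerJoins };
}
```

The ownership lookup in `canJoinRoom` is the part that matters most: authenticating the socket tells you who is connecting, but it is the per-room check that stops an authenticated user from subscribing to another user's drawing updates.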
Zimeng Xiong
0253ebb6b8
admin dashboard
2026-02-06 14:27:24 -08:00
Zimeng Xiong
1e617025df
Add admin password reset flow
2026-02-06 14:11:13 -08:00
Zimeng Xiong
e4941ad77f
fix(dev): avoid native deps in predev migrate
2026-02-06 09:56:45 -08:00
Zimeng Xiong
2e370f9821
fix(dev): reset legacy dev.db and apply migrations
2026-02-06 09:54:13 -08:00
Zimeng Xiong
b075a0cf9e
fix(dev): avoid auth redirect when backend/schema missing
2026-02-06 09:50:27 -08:00
Zimeng Xiong
7977a3eb09
feat(auth): default to single-user mode with enable toggle
2026-02-06 09:45:38 -08:00
Zimeng Xiong
40a645b823
chore(deps): apply dependabot updates
2026-02-06 09:22:23 -08:00
Zimeng Xiong
d68fe6a2c0
fix(auth): stabilize refresh expiry and frontend URL handling
2026-02-06 09:17:24 -08:00
Zimeng Xiong
7a54123e93
fix(export): include excalidraw source/version metadata
2026-02-06 00:26:31 -08:00
Zimeng Xiong
75a1f11a96
feat(auth): consolidate multi-user auth and admin controls
2026-02-06 00:25:13 -08:00
Zimeng Xiong
700e153740
merge: pull PR48 auth and UX into pre-release
2026-02-05 23:25:56 -08:00
Zimeng Xiong
fd3b97225f
merge: bring main into pre-release
2026-02-05 23:20:06 -08:00
Zimeng Xiong
b6d0150d44
chore: release v0.3.2
2026-02-01 16:06:19 -08:00
Zimeng Xiong
55cd816cca
fix: correct test assertions for trust proxy behavior in supertest
...
The demonstration tests had incorrect assumptions about how Express
trust proxy works in supertest (no real socket connection). Updated
assertions to match actual behavior while preserving the test's purpose
of showing that trust proxy: true extracts the correct client IP.
2026-02-01 16:05:58 -08:00
Zimeng Xiong
d67bd1daf8
fix express proxy headers
2026-02-01 16:04:52 -08:00
Zimeng Xiong
4b56d3cfc6
repro issue
2026-02-01 16:04:52 -08:00
Matteo
4f53b899c9
chore: add dependencies for authentication features
...
- Add bcrypt for password hashing
- Add jsonwebtoken for JWT tokens
- Add zod for input validation
- Update package-lock.json
2026-01-24 17:13:07 +01:00
Matteo
9fe3a2193d
chore: update tests and configuration for auth integration
...
- Update test utilities for user authentication
- Update Settings page for authenticated export
- Update docker-compose.yml if needed
- Update package-lock.json files
2026-01-24 17:12:39 +01:00
Matteo
9c6b7dd727
test: add tests for audit logging utility
...
- Add comprehensive tests for logAuditEvent
- Add tests for getAuditLogs with user filtering
- Test graceful degradation when feature disabled
- Test JSON details parsing
- Follow existing test patterns and style
2026-01-24 17:12:34 +01:00
Matteo
29af9fac62
feat(backend): integrate authentication and user isolation
...
- Add authentication middleware to protected routes
- Add user isolation to drawing and collection queries
- Add audit logging to delete operations
- Update CSRF token handling for authenticated users
2026-01-24 17:12:18 +01:00
Matteo
2998fad8e7
feat(security): add audit logging utility
...
- Add logAuditEvent function for security event logging
- Add getAuditLogs function for retrieving audit logs
- Gracefully handles disabled feature or missing table
- Feature disabled by default via config flag
2026-01-24 17:12:16 +01:00
Matteo
b6e9514eb3
feat(auth): add authentication endpoints (login, register, refresh, me)
...
- Add POST /auth/register endpoint with email validation
- Add POST /auth/login endpoint with JWT token generation
- Add POST /auth/refresh endpoint for token refresh
- Add GET /auth/me endpoint for current user info
- Add rate limiting for auth endpoints
- Add bcrypt password hashing
- Add JWT access and refresh token generation
2026-01-24 17:12:06 +01:00