Security fixes:
1. Drawings cache now includes userId in cache key to prevent data leakage
between users making identical queries.
2. Socket.io connections now require JWT authentication when auth is enabled.
3. Socket.io join-room verifies drawing ownership before allowing access.
4. Frontend passes auth token when connecting to Socket.io.
Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>
The demonstration tests had incorrect assumptions about how Express
trust proxy works in supertest (no real socket connection). Updated
assertions to match actual behavior while preserving the test's purpose
of showing that trust proxy: true extracts the correct client IP.
Clarifies that FRONTEND_URL accepts multiple comma-separated URLs
for accessing ExcaliDash from different addresses (e.g., localhost
and LAN IP simultaneously).
- Update test utilities for user authentication
- Update Settings page for authenticated export
- Update docker-compose.yml if needed
- Update package-lock.json files
- Document all security features added
- Document UX improvements added
- Include migration strategy and backward compatibility notes
- Provide enable instructions for optional features
- Add comprehensive tests for logAuditEvent
- Add tests for getAuditLogs with user filtering
- Test graceful degradation when feature disabled
- Test JSON details parsing
- Follow existing test patterns and style
- Add Select All button with CheckSquare/Square icons
- Toggle selection of all drawings in current view
- Match styling with other icon buttons
- Add tooltip for better UX
- Add Login page with email/password form
- Add Register page with email validation
- Add forgot password link to login page
- Update App.tsx with auth routes and AuthProvider
- Add email validation in registration form
- Add AuthContext for managing user authentication state
- Add ProtectedRoute component for route protection
- Update API client with JWT token injection
- Add refresh token rotation support
- Add CSRF token handling
- Add logAuditEvent function for security event logging
- Add getAuditLogs function for retrieving audit logs
- Gracefully handles disabled feature or missing table
- Feature disabled by default via config flag
- Add POST /auth/register endpoint with email validation
- Add POST /auth/login endpoint with JWT token generation
- Add POST /auth/refresh endpoint for token refresh
- Add GET /auth/me endpoint for current user info
- Add rate limiting for auth endpoints
- Add bcrypt password hashing
- Add JWT access and refresh token generation
Zimeng Xiong