perf(collab): reduce cursor and preview update churn

feat(collab): add server-authoritative sync and preview-only updates
fix(editor): flush lifecycle saves and recover from version conflicts
2026-02-14 16:38:40 +01:00 · 2026-02-13 20:47:05 +01:00 · 2026-02-13 19:17:25 +01:00 · 2026-02-13 19:02:03 +01:00 · 2026-02-13 16:33:15 +00:00 · 2026-02-12 20:38:05 +01:00
115 changed files with 21246 additions and 6035 deletions
@@ -7,3 +7,9 @@ dist
 .env
 .DS_Store
 *.log
 backend
 frontend/node_modules
 frontend/dist
 frontend/coverage
 frontend/test-results
 frontend/playwright-report
@@ -0,0 +1 @@
 ../../../frontend
@@ -6,6 +6,8 @@
 ![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)
 [![Docker](https://img.shields.io/badge/docker-ready-blue.svg)](https://hub.docker.com)
 _Original repo can be found [here](https://github.com/ZimengXiong/ExcaliDash)_
 A self-hosted dashboard and organizer for [Excalidraw](https://github.com/excalidraw/excalidraw) with live collaboration features.
 ## Screenshots
@@ -99,6 +101,10 @@ docker compose -f docker-compose.prod.yml up -d
 # Access the frontend at localhost:6767
 ```
 For single-container deployments, `JWT_SECRET` can be omitted and will be auto-generated and persisted in the backend volume on first start. For portability and all multi-instance deployments, set a fixed `JWT_SECRET` explicitly.
 By default, the provided Compose files set `TRUST_PROXY=false` for safer setup. Only set `TRUST_PROXY` to a positive hop count (for example, `1`) when requests always pass through a trusted reverse proxy that correctly sets forwarded headers.
 ## Docker Build
 [Install Docker](https://docs.docker.com/desktop/)
@@ -121,6 +127,7 @@ docker compose up -d
 When running ExcaliDash behind Traefik, Nginx, or another reverse proxy, configure both containers so that API + WebSocket calls resolve correctly:
 - `FRONTEND_URL` (backend) must match the public URL that users hit (e.g. `https://excalidash.example.com`). This controls CORS and Socket.IO origin checks. **Supports multiple comma-separated URLs** for accessing from different addresses.
 - `TRUST_PROXY` (backend) should be set to `1` when requests pass through one trusted reverse proxy hop (for example: frontend nginx -> backend) and forwarded headers are sanitized. This ensures rate limiting and logging use the real client IP from trusted proxy headers.
 - `BACKEND_URL` (frontend) tells the Nginx container how to reach the backend from inside Docker/Kubernetes. Override it if your reverse proxy exposes the backend under a different hostname.
 ```yaml
@@ -129,6 +136,8 @@ backend:
  environment:
    # Single URL
    - FRONTEND_URL=https://excalidash.example.com
    # Trust exactly one reverse-proxy hop
    - TRUST_PROXY=1
    # Or multiple URLs (comma-separated) for local + network access
    # - FRONTEND_URL=http://localhost:6767,http://192.168.1.100:6767,http://nas.local:6767
 frontend:
@@ -141,7 +150,7 @@ frontend:
 ### Multi-Container / Kubernetes Deployments
-When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set the `CSRF_SECRET` environment variable to the same value across all instances.
+When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set both `JWT_SECRET` and `CSRF_SECRET` to the same values across all instances.
 ```bash
 # Generate a secure secret
@@ -152,11 +161,37 @@ openssl rand -base64 32
 # docker-compose.yml or k8s deployment
 backend:
  environment:
    - JWT_SECRET=your-generated-jwt-secret-here
    - CSRF_SECRET=your-generated-secret-here
 ```
 Without this, each container generates its own ephemeral CSRF secret, causing token validation failures when requests are routed to different replicas. Single-container deployments work without this setting.
 ### Authentication Modes (Local + OIDC)
 ExcaliDash supports three auth modes via backend `AUTH_MODE`:
 - `local` (default): native email/password login only.
 - `hybrid`: native login + OIDC login.
 - `oidc_enforced`: OIDC-only login (native login/register disabled).
 For OIDC modes (`hybrid` or `oidc_enforced`), set:
 ```yaml
 backend:
  environment:
    - AUTH_MODE=oidc_enforced
    - OIDC_PROVIDER_NAME=Authentik
    - OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
    - OIDC_CLIENT_ID=your-client-id
    - OIDC_CLIENT_SECRET=your-client-secret
    - OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
    - OIDC_SCOPES=openid profile email
 ```
 In `oidc_enforced` mode, unauthenticated users are automatically redirected to `/api/auth/oidc/start`.
 Users are linked by `(issuer, sub)` first, then by verified email, and optionally auto-provisioned.
 # Development
 ## Clone the Repository
@@ -197,6 +232,27 @@ npx prisma db push
 npm run dev
 ```
 ### Simulate Auth Onboarding (Development)
 To simulate first-run authentication choice flows in local development:
 ```bash
 cd ExcaliDash/backend
 # Preview what would change (no data modifications)
 npm run dev:simulate-auth-onboarding:dry-run
 # Simulate "fresh install" onboarding state
 # (wipes drawings/collections/libraries and removes non-bootstrap users)
 npm run dev:simulate-auth-onboarding:fresh
 # Simulate "migration" onboarding state (ensures legacy data exists)
 npm run dev:simulate-auth-onboarding:migration
 ```
 After running a simulation while the backend is already running, wait about 5 seconds
 (auth mode cache TTL) or restart the backend before refreshing the UI.
 ## Project Structure
 ```
@@ -1 +1 @@
-0.4.0
+0.4.6
@@ -9,3 +9,7 @@ dist
 *.log
 prisma/dev.db
 prisma/dev.db-journal
 src/generated
 coverage
 *.test.ts
 *.spec.ts
@@ -2,7 +2,11 @@
 PORT=8000
 NODE_ENV=production
 DATABASE_URL=file:/app/prisma/dev.db
-FRONTEND_URL=http://localhost:6767
+FRONTEND_URL=https://draw.louiscreates.com
 API_BASE_PATH=/api
 # Keep disabled unless traffic always comes through a trusted reverse proxy.
 TRUST_PROXY=false
 AUTH_MODE=local
 JWT_SECRET=change-this-secret-in-production-min-32-chars
 # Optional Feature Flags (all default to false for backward compatibility)
@@ -10,3 +14,16 @@ JWT_SECRET=change-this-secret-in-production-min-32-chars
 # ENABLE_PASSWORD_RESET=false
 # ENABLE_REFRESH_TOKEN_ROTATION=false
 # ENABLE_AUDIT_LOGGING=false
 # OIDC Configuration (required when AUTH_MODE=hybrid or AUTH_MODE=oidc_enforced)
 # OIDC_PROVIDER_NAME=Authentik
 # OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
 # OIDC_CLIENT_ID=your-client-id
 # OIDC_CLIENT_SECRET=your-client-secret
 # OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
 # OIDC_SCOPES=openid profile email
 # OIDC_EMAIL_CLAIM=email
 # OIDC_EMAIL_VERIFIED_CLAIM=email_verified
 # OIDC_REQUIRE_EMAIL_VERIFIED=true
 # OIDC_JIT_PROVISIONING=true
 # OIDC_FIRST_USER_ADMIN=true
@@ -3,12 +3,15 @@ FROM node:20-alpine AS builder
 WORKDIR /app
 # Native build deps for modules that may compile from source (e.g., better-sqlite3 on arm64)
 RUN apk add --no-cache python3 make g++
 # Copy package files
 COPY package*.json ./
 COPY tsconfig.json ./
 # Install dependencies
-RUN npm ci
+RUN npm ci && npm cache clean --force
 # Copy prisma schema
 COPY prisma ./prisma/
@@ -25,7 +28,7 @@ RUN npx tsc
 # Production stage
 FROM node:20-alpine
-# Install OpenSSL for Prisma and su-exec, create non-root user
+# Install runtime packages and create non-root user
 RUN apk add --no-cache openssl su-exec && \
    addgroup -g 1001 -S nodejs && \
    adduser -S nodejs -u 1001
@@ -36,7 +39,10 @@ WORKDIR /app
 COPY package*.json ./
 # Install production dependencies only
-RUN npm ci --only=production
+RUN apk add --no-cache --virtual .build-deps python3 make g++ && \
    npm ci --omit=dev && \
    npm cache clean --force && \
    apk del .build-deps
 # Copy prisma schema and migrations for runtime and hydration template
 COPY prisma ./prisma/
@@ -48,9 +54,6 @@ COPY --from=builder /app/dist ./dist
 # Copy the generated Prisma Client from builder to maintain the same structure
 COPY --from=builder /app/src/generated ./dist/generated
 # Generate Prisma Client in production (updates node_modules)
 RUN npx prisma generate
 # Create necessary directories (ownership will be set in entrypoint)
 RUN mkdir -p /app/uploads /app/prisma
@@ -1,6 +1,52 @@
 #!/bin/sh
 set -e
 JWT_SECRET_FILE="/app/prisma/.jwt_secret"
 CSRF_SECRET_FILE="/app/prisma/.csrf_secret"
 # Ensure JWT secret exists for production startup.
 # Backward compatibility: older installs may not have JWT_SECRET configured.
 if [ -z "${JWT_SECRET:-}" ]; then
    echo "JWT_SECRET not provided, resolving persisted secret..."
    if [ -f "${JWT_SECRET_FILE}" ]; then
        JWT_SECRET="$(tr -d '\r\n' < "${JWT_SECRET_FILE}")"
    fi
    if [ -z "${JWT_SECRET}" ]; then
        echo "No persisted JWT secret found. Generating a new secret..."
        JWT_SECRET="$(openssl rand -hex 32)"
        umask 077
        printf "%s" "${JWT_SECRET}" > "${JWT_SECRET_FILE}"
    fi
 else
    # Persist explicitly provided secret to support future restarts without env injection.
    umask 077
    printf "%s" "${JWT_SECRET}" > "${JWT_SECRET_FILE}"
 fi
 export JWT_SECRET
 # Ensure CSRF secret exists for stable token validation across restarts.
 # (Still recommend setting explicitly for multi-instance deployments.)
 if [ -z "${CSRF_SECRET:-}" ]; then
    echo "CSRF_SECRET not provided, resolving persisted secret..."
    if [ -f "${CSRF_SECRET_FILE}" ]; then
        CSRF_SECRET="$(tr -d '\r\n' < "${CSRF_SECRET_FILE}")"
    fi
    if [ -z "${CSRF_SECRET}" ]; then
        echo "No persisted CSRF secret found. Generating a new secret..."
        CSRF_SECRET="$(openssl rand -base64 32)"
        umask 077
        printf "%s" "${CSRF_SECRET}" > "${CSRF_SECRET_FILE}"
    fi
 else
    umask 077
    printf "%s" "${CSRF_SECRET}" > "${CSRF_SECRET_FILE}"
 fi
 export CSRF_SECRET
 # 1. Hydrate volume if empty (Running as root)
 if [ ! -f "/app/prisma/schema.prisma" ]; then
    echo "Mount is empty. Hydrating /app/prisma..."
@@ -18,11 +64,13 @@ echo "Fixing filesystem permissions..."
 chown -R nodejs:nodejs /app/uploads
 chown -R nodejs:nodejs /app/prisma
 chmod 755 /app/uploads
 chmod 600 "${JWT_SECRET_FILE}"
 chmod 600 "${CSRF_SECRET_FILE}"
 # Ensure database file has proper permissions
 if [ -f "/app/prisma/dev.db" ]; then
    echo "Database file found, ensuring write permissions..."
-    chmod 666 /app/prisma/dev.db
+    chmod 600 /app/prisma/dev.db
 fi
 # 3. Run Migrations (Drop privileges to nodejs)
@@ -1,23 +1,15 @@
 {
  "name": "backend",
-  "version": "0.3.2",
+  "version": "0.4.6",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "backend",
-      "version": "0.3.2",
+      "version": "0.4.6",
      "license": "ISC",
      "dependencies": {
        "@prisma/client": "^5.22.0",
        "@types/archiver": "^7.0.0",
        "@types/bcrypt": "^6.0.0",
        "@types/jsdom": "^21.1.7",
        "@types/jsonwebtoken": "^9.0.10",
        "@types/ms": "^2.1.0",
        "@types/multer": "^2.0.0",
        "@types/socket.io": "^3.0.1",
        "@types/uuid": "^10.0.0",
        "archiver": "^7.0.1",
        "bcrypt": "^6.0.0",
        "better-sqlite3": "^12.4.6",
@@ -32,16 +24,25 @@
        "jszip": "^3.10.1",
        "ms": "^2.1.3",
        "multer": "^2.0.2",
        "openid-client": "^5.7.1",
        "prisma": "^5.22.0",
        "socket.io": "^4.8.1",
        "uuid": "^13.0.0",
        "zod": "^4.1.12"
      },
      "devDependencies": {
        "@types/archiver": "^7.0.0",
        "@types/bcrypt": "^6.0.0",
        "@types/cors": "^2.8.19",
        "@types/express": "^5.0.5",
        "@types/jsdom": "^21.1.7",
        "@types/jsonwebtoken": "^9.0.10",
        "@types/ms": "^2.1.0",
        "@types/multer": "^2.0.0",
        "@types/node": "^24.10.1",
        "@types/socket.io": "^3.0.1",
        "@types/supertest": "^6.0.3",
        "@types/uuid": "^10.0.0",
        "nodemon": "^3.1.11",
        "supertest": "^7.1.4",
        "ts-node": "^10.9.2",
@@ -1007,6 +1008,7 @@
      "version": "7.0.0",
      "resolved": "https://registry.npmjs.org/@types/archiver/-/archiver-7.0.0.tgz",
      "integrity": "sha512-/3vwGwx9n+mCQdYZ2IKGGHEFL30I96UgBlk8EtRDDFQ9uxM1l4O5Ci6r00EMAkiDaTqD9DQ6nVrWRICnBPtzzg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/readdir-glob": "*"
@@ -1016,6 +1018,7 @@
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/@types/bcrypt/-/bcrypt-6.0.0.tgz",
      "integrity": "sha512-/oJGukuH3D2+D+3H4JWLaAsJ/ji86dhRidzZ/Od7H/i8g+aCmvkeCc6Ni/f9uxGLSQVCRZkX2/lqEFG2BvWtlQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
@@ -1025,6 +1028,7 @@
      "version": "1.19.6",
      "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.6.tgz",
      "integrity": "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/connect": "*",
@@ -1046,6 +1050,7 @@
      "version": "3.4.38",
      "resolved": "https://registry.npmjs.org/@types/connect/-/connect-3.4.38.tgz",
      "integrity": "sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
@@ -1085,6 +1090,7 @@
      "version": "5.0.5",
      "resolved": "https://registry.npmjs.org/@types/express/-/express-5.0.5.tgz",
      "integrity": "sha512-LuIQOcb6UmnF7C1PCFmEU1u2hmiHL43fgFQX67sN3H4Z+0Yk0Neo++mFsBjhOAuLzvlQeqAAkeDOZrJs9rzumQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/body-parser": "*",
@@ -1096,6 +1102,7 @@
      "version": "5.1.0",
      "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-5.1.0.tgz",
      "integrity": "sha512-jnHMsrd0Mwa9Cf4IdOzbz543y4XJepXrbia2T4b6+spXC2We3t1y6K44D3mR8XMFSXMCf3/l7rCgddfx7UNVBA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/node": "*",
@@ -1108,12 +1115,14 @@
      "version": "2.0.5",
      "resolved": "https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.5.tgz",
      "integrity": "sha512-r8Tayk8HJnX0FztbZN7oVqGccWgw98T/0neJphO91KkmOzug1KkofZURD4UaD5uH8AqcFLfdPErnBod0u71/qg==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@types/jsdom": {
      "version": "21.1.7",
      "resolved": "https://registry.npmjs.org/@types/jsdom/-/jsdom-21.1.7.tgz",
      "integrity": "sha512-yOriVnggzrnQ3a9OKOCxaVuSug3w3/SbOj5i7VwXWZEyUNl3bLF9V3MfxGbZKuwqJOQyRfqXyROBB1CoZLFWzA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/node": "*",
@@ -1125,6 +1134,7 @@
      "version": "9.0.10",
      "resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-9.0.10.tgz",
      "integrity": "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/ms": "*",
@@ -1142,18 +1152,21 @@
      "version": "1.3.5",
      "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz",
      "integrity": "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@types/ms": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz",
      "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@types/multer": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/@types/multer/-/multer-2.0.0.tgz",
      "integrity": "sha512-C3Z9v9Evij2yST3RSBktxP9STm6OdMc5uR1xF1SGr98uv8dUlAL2hqwrZ3GVB3uyMyiegnscEK6PGtYvNrjTjw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/express": "*"
@@ -1164,7 +1177,6 @@
      "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz",
      "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==",
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "undici-types": "~7.16.0"
      }
@@ -1173,18 +1185,21 @@
      "version": "6.14.0",
      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.14.0.tgz",
      "integrity": "sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@types/range-parser": {
      "version": "1.2.7",
      "resolved": "https://registry.npmjs.org/@types/range-parser/-/range-parser-1.2.7.tgz",
      "integrity": "sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@types/readdir-glob": {
      "version": "1.1.5",
      "resolved": "https://registry.npmjs.org/@types/readdir-glob/-/readdir-glob-1.1.5.tgz",
      "integrity": "sha512-raiuEPUYqXu+nvtY2Pe8s8FEmZ3x5yAH4VkLdihcPdalvsHltomrRC9BzuStrJ9yk06470hS0Crw0f1pXqD+Hg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
@@ -1194,6 +1209,7 @@
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/@types/send/-/send-1.2.1.tgz",
      "integrity": "sha512-arsCikDvlU99zl1g69TcAB3mzZPpxgw0UQnaHeC1Nwb015xp8bknZv5rIfri9xTOcMuaVgvabfIRA7PSZVuZIQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
@@ -1203,6 +1219,7 @@
      "version": "1.15.10",
      "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.15.10.tgz",
      "integrity": "sha512-tRs1dB+g8Itk72rlSI2ZrW6vZg0YrLI81iQSTkMmOqnqCaNr/8Ek4VwWcN5vZgCYWbg/JJSGBlUaYGAOP73qBw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/http-errors": "*",
@@ -1214,6 +1231,7 @@
      "version": "0.17.6",
      "resolved": "https://registry.npmjs.org/@types/send/-/send-0.17.6.tgz",
      "integrity": "sha512-Uqt8rPBE8SY0RK8JB1EzVOIZ32uqy8HwdxCnoCOsYrvnswqmFZ/k+9Ikidlk/ImhsdvBsloHbAlewb2IEBV/Og==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/mime": "^1",
@@ -1224,6 +1242,7 @@
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/@types/socket.io/-/socket.io-3.0.1.tgz",
      "integrity": "sha512-XSma2FhVD78ymvoxYV4xGXrIH/0EKQ93rR+YR0Y+Kw1xbPzLDCip/UWSejZ08FpxYeYNci/PZPQS9anrvJRqMA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "socket.io": "*"
@@ -1257,6 +1276,7 @@
      "version": "4.0.5",
      "resolved": "https://registry.npmjs.org/@types/tough-cookie/-/tough-cookie-4.0.5.tgz",
      "integrity": "sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@types/trusted-types": {
@@ -1270,6 +1290,7 @@
      "version": "10.0.0",
      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-10.0.0.tgz",
      "integrity": "sha512-7gqG38EyHgyP1S+7+xomFtL+ZNHcKv6DwNaCZmJmo1vgMugyF3TCnXVg4t1uk89mLNwnLtnY3TpOpCOyp1/xHQ==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@vitest/expect": {
@@ -2655,7 +2676,6 @@
      "resolved": "https://registry.npmjs.org/express/-/express-5.2.0.tgz",
      "integrity": "sha512-XdpJDLxfztVY59X0zPI6sibRiGcxhTPXRD3IhJmjKf2jwMvkRGV1j7loB8U+heeamoU3XvihAaGRTR4aXXUN3A==",
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "accepts": "^2.0.0",
        "body-parser": "^2.2.1",
@@ -3295,6 +3315,15 @@
        "@pkgjs/parseargs": "^0.11.0"
      }
    },
    "node_modules/jose": {
      "version": "4.15.9",
      "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.9.tgz",
      "integrity": "sha512-1vUQX+IdDMVPj4k8kOxgUqlcK518yluMuGZwqlr44FS1ppZB/5GWh4rZG89erpOBOJjU/OBsnCVFfapsRz6nEA==",
      "license": "MIT",
      "funding": {
        "url": "https://github.com/sponsors/panva"
      }
    },
    "node_modules/jsdom": {
      "version": "22.1.0",
      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-22.1.0.tgz",
@@ -3890,6 +3919,15 @@
        "node": ">=0.10.0"
      }
    },
    "node_modules/object-hash": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz",
      "integrity": "sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==",
      "license": "MIT",
      "engines": {
        "node": ">= 6"
      }
    },
    "node_modules/object-inspect": {
      "version": "1.13.4",
      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
@@ -3913,6 +3951,15 @@
      ],
      "license": "MIT"
    },
    "node_modules/oidc-token-hash": {
      "version": "5.2.0",
      "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.2.0.tgz",
      "integrity": "sha512-6gj2m8cJZ+iSW8bm0FXdGF0YhIQbKrfP4yWTNzxc31U6MOjfEmB1rHvlYvxI1B7t7BCi1F2vYTT6YhtQRG4hxw==",
      "license": "MIT",
      "engines": {
        "node": "^10.13.0 || >=12.0.0"
      }
    },
    "node_modules/on-finished": {
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
@@ -3934,6 +3981,33 @@
        "wrappy": "1"
      }
    },
    "node_modules/openid-client": {
      "version": "5.7.1",
      "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.7.1.tgz",
      "integrity": "sha512-jDBPgSVfTnkIh71Hg9pRvtJc6wTwqjRkN88+gCFtYWrlP4Yx2Dsrow8uPi3qLr/aeymPF3o2+dS+wOpglK04ew==",
      "license": "MIT",
      "dependencies": {
        "jose": "^4.15.9",
        "lru-cache": "^6.0.0",
        "object-hash": "^2.2.0",
        "oidc-token-hash": "^5.0.3"
      },
      "funding": {
        "url": "https://github.com/sponsors/panva"
      }
    },
    "node_modules/openid-client/node_modules/lru-cache": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
      "license": "ISC",
      "dependencies": {
        "yallist": "^4.0.0"
      },
      "engines": {
        "node": ">=10"
      }
    },
    "node_modules/package-json-from-dist": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
@@ -4090,7 +4164,6 @@
      "integrity": "sha512-vtpjW3XuYCSnMsNVBjLMNkTj6OZbudcPPTPYHqX0CJfpcdWciI1dM8uHETwmDxxiqEwCIE6WvXucWUetJgfu/A==",
      "hasInstallScript": true,
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
        "@prisma/engines": "5.22.0"
      },
@@ -5103,7 +5176,6 @@
      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "engines": {
        "node": ">=12"
      },
@@ -5262,7 +5334,6 @@
      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
      "dev": true,
      "license": "Apache-2.0",
      "peer": true,
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
@@ -5353,7 +5424,6 @@
      "integrity": "sha512-tI2l/nFHC5rLh7+5+o7QjKjSR04ivXDF4jcgV0f/bTQ+OJiITy5S6gaynVsEM+7RqzufMnVbIon6Sr5x1SDYaQ==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "esbuild": "^0.25.0",
        "fdir": "^6.5.0",
@@ -5447,7 +5517,6 @@
      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "engines": {
        "node": ">=12"
      },
@@ -5775,6 +5844,12 @@
        "node": ">=0.4"
      }
    },
    "node_modules/yallist": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
      "license": "ISC"
    },
    "node_modules/yn": {
      "version": "3.1.1",
      "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
@@ -1,12 +1,15 @@
 {
  "name": "backend",
-  "version": "0.4.0",
+  "version": "0.4.6",
  "description": "",
  "main": "index.js",
  "scripts": {
    "predev": "node scripts/predev-migrate.cjs",
    "dev": "nodemon src/index.ts",
    "admin:recover": "node scripts/admin-recover.cjs",
    "dev:simulate-auth-onboarding:fresh": "node scripts/simulate-auth-onboarding.cjs --scenario fresh",
    "dev:simulate-auth-onboarding:migration": "node scripts/simulate-auth-onboarding.cjs --scenario migration",
    "dev:simulate-auth-onboarding:dry-run": "node scripts/simulate-auth-onboarding.cjs --scenario migration --dry-run",
    "test": "vitest run",
    "test:watch": "vitest",
    "test:coverage": "vitest run --coverage"
@@ -17,14 +20,6 @@
  "type": "commonjs",
  "dependencies": {
    "@prisma/client": "^5.22.0",
    "@types/archiver": "^7.0.0",
    "@types/bcrypt": "^6.0.0",
    "@types/jsdom": "^21.1.7",
    "@types/jsonwebtoken": "^9.0.10",
    "@types/ms": "^2.1.0",
    "@types/multer": "^2.0.0",
    "@types/socket.io": "^3.0.1",
    "@types/uuid": "^10.0.0",
    "archiver": "^7.0.1",
    "bcrypt": "^6.0.0",
    "better-sqlite3": "^12.4.6",
@@ -39,16 +34,25 @@
    "jszip": "^3.10.1",
    "ms": "^2.1.3",
    "multer": "^2.0.2",
    "openid-client": "^5.7.1",
    "prisma": "^5.22.0",
    "socket.io": "^4.8.1",
    "uuid": "^13.0.0",
    "zod": "^4.1.12"
  },
  "devDependencies": {
    "@types/archiver": "^7.0.0",
    "@types/bcrypt": "^6.0.0",
    "@types/cors": "^2.8.19",
    "@types/express": "^5.0.5",
    "@types/jsdom": "^21.1.7",
    "@types/jsonwebtoken": "^9.0.10",
    "@types/ms": "^2.1.0",
    "@types/multer": "^2.0.0",
    "@types/node": "^24.10.1",
    "@types/socket.io": "^3.0.1",
    "@types/supertest": "^6.0.3",
    "@types/uuid": "^10.0.0",
    "nodemon": "^3.1.11",
    "supertest": "^7.1.4",
    "ts-node": "^10.9.2",
@@ -0,0 +1,2 @@
 -- Track whether initial auth mode choice has been explicitly completed.
 ALTER TABLE "SystemConfig" ADD COLUMN "authOnboardingCompleted" BOOLEAN NOT NULL DEFAULT false;
@@ -0,0 +1,22 @@
 -- CreateTable
 CREATE TABLE "AuthIdentity" (
    "id" TEXT NOT NULL PRIMARY KEY,
    "userId" TEXT NOT NULL,
    "provider" TEXT NOT NULL,
    "issuer" TEXT NOT NULL,
    "subject" TEXT NOT NULL,
    "emailAtLink" TEXT NOT NULL,
    "lastLoginAt" DATETIME,
    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updatedAt" DATETIME NOT NULL,
    CONSTRAINT "AuthIdentity_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
 );
 -- CreateIndex
 CREATE UNIQUE INDEX "AuthIdentity_issuer_subject_key" ON "AuthIdentity"("issuer", "subject");
 -- CreateIndex
 CREATE UNIQUE INDEX "AuthIdentity_provider_userId_key" ON "AuthIdentity"("provider", "userId");
 -- CreateIndex
 CREATE INDEX "AuthIdentity_userId_idx" ON "AuthIdentity"("userId");
@@ -0,0 +1,42 @@
 -- CreateTable
 CREATE TABLE "DrawingShareLink" (
    "id" TEXT NOT NULL PRIMARY KEY,
    "drawingId" TEXT NOT NULL,
    "role" TEXT NOT NULL,
    "token" TEXT NOT NULL,
    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updatedAt" DATETIME NOT NULL,
    CONSTRAINT "DrawingShareLink_drawingId_fkey" FOREIGN KEY ("drawingId") REFERENCES "Drawing" ("id") ON DELETE CASCADE ON UPDATE CASCADE
 );
 -- CreateTable
 CREATE TABLE "DrawingShareGrant" (
    "id" TEXT NOT NULL PRIMARY KEY,
    "drawingId" TEXT NOT NULL,
    "userId" TEXT NOT NULL,
    "shareLinkId" TEXT NOT NULL,
    "role" TEXT NOT NULL,
    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updatedAt" DATETIME NOT NULL,
    CONSTRAINT "DrawingShareGrant_drawingId_fkey" FOREIGN KEY ("drawingId") REFERENCES "Drawing" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
    CONSTRAINT "DrawingShareGrant_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
    CONSTRAINT "DrawingShareGrant_shareLinkId_fkey" FOREIGN KEY ("shareLinkId") REFERENCES "DrawingShareLink" ("id") ON DELETE CASCADE ON UPDATE CASCADE
 );
 -- CreateIndex
 CREATE UNIQUE INDEX "DrawingShareLink_token_key" ON "DrawingShareLink"("token");
 -- CreateIndex
 CREATE INDEX "DrawingShareLink_drawingId_idx" ON "DrawingShareLink"("drawingId");
 -- CreateIndex
 CREATE UNIQUE INDEX "DrawingShareLink_drawingId_role_key" ON "DrawingShareLink"("drawingId", "role");
 -- CreateIndex
 CREATE INDEX "DrawingShareGrant_drawingId_userId_idx" ON "DrawingShareGrant"("drawingId", "userId");
 -- CreateIndex
 CREATE INDEX "DrawingShareGrant_userId_createdAt_idx" ON "DrawingShareGrant"("userId", "createdAt");
 -- CreateIndex
 CREATE UNIQUE INDEX "DrawingShareGrant_drawingId_userId_shareLinkId_key" ON "DrawingShareGrant"("drawingId", "userId", "shareLinkId");
@@ -21,11 +21,13 @@ model User {
  role                String              @default("USER")
  mustResetPassword   Boolean             @default(false)
  isActive            Boolean             @default(true)
  authIdentities      AuthIdentity[]
  drawings            Drawing[]
  collections         Collection[]
  passwordResetTokens PasswordResetToken[]
  refreshTokens       RefreshToken[]
  auditLogs           AuditLog[]
  drawingShareGrants  DrawingShareGrant[]
  createdAt           DateTime            @default(now())
  updatedAt           DateTime            @updatedAt
 }
@@ -33,6 +35,7 @@ model User {
 model SystemConfig {
  id                         String   @id @default("default")
  authEnabled                Boolean  @default(false)
  authOnboardingCompleted    Boolean  @default(false)
  registrationEnabled        Boolean  @default(false)
  authLoginRateLimitEnabled  Boolean  @default(true)
  authLoginRateLimitWindowMs Int      @default(900000) // 15 minutes
@@ -65,6 +68,8 @@ model Drawing {
  user         User        @relation(fields: [userId], references: [id], onDelete: Cascade)
  collectionId String?
  collection   Collection? @relation(fields: [collectionId], references: [id])
  shareLinks   DrawingShareLink[]
  shareGrants  DrawingShareGrant[]
  createdAt    DateTime    @default(now())
  updatedAt    DateTime    @updatedAt
@@ -72,6 +77,38 @@ model Drawing {
  @@index([userId, collectionId, updatedAt])
 }
 model DrawingShareLink {
  id        String           @id @default(uuid())
  drawingId String
  drawing   Drawing          @relation(fields: [drawingId], references: [id], onDelete: Cascade)
  role      String
  token     String           @unique
  createdAt DateTime         @default(now())
  updatedAt DateTime         @updatedAt
  grants DrawingShareGrant[]
  @@unique([drawingId, role])
  @@index([drawingId])
 }
 model DrawingShareGrant {
  id          String           @id @default(uuid())
  drawingId   String
  drawing     Drawing          @relation(fields: [drawingId], references: [id], onDelete: Cascade)
  userId      String
  user        User             @relation(fields: [userId], references: [id], onDelete: Cascade)
  shareLinkId String
  shareLink   DrawingShareLink @relation(fields: [shareLinkId], references: [id], onDelete: Cascade)
  role        String
  createdAt   DateTime         @default(now())
  updatedAt   DateTime         @updatedAt
  @@unique([drawingId, userId, shareLinkId])
  @@index([drawingId, userId])
  @@index([userId, createdAt])
 }
 model Library {
  id        String   @id // User-specific library ID (e.g., "user_<userId>")
  items     String   @default("[]") // Stored as JSON string array of library items
@@ -110,3 +147,20 @@ model AuditLog {
  details   String?  // JSON string for additional details
  createdAt DateTime @default(now())
 }
 model AuthIdentity {
  id          String   @id @default(uuid())
  userId      String
  user        User     @relation(fields: [userId], references: [id], onDelete: Cascade)
  provider    String
  issuer      String
  subject     String
  emailAtLink String
  lastLoginAt DateTime?
  createdAt   DateTime @default(now())
  updatedAt   DateTime @updatedAt
  @@unique([issuer, subject])
  @@unique([provider, userId])
  @@index([userId])
 }
@@ -24,7 +24,10 @@ const resolveDatabaseUrl = (rawUrl) => {
  const absolutePath = path.isAbsolute(filePath)
    ? filePath
-    : path.resolve(hasLeadingPrismaDir ? backendRoot : prismaDir, normalizedRelative);
+    : path.resolve(
        hasLeadingPrismaDir ? backendRoot : prismaDir,
        normalizedRelative,
      );
  return `file:${absolutePath}`;
 };
@@ -91,7 +94,15 @@ const backupDbIfPresent = () => {
 const isNonProd = nodeEnv !== "production";
 const isFileDb = databaseUrl.startsWith("file:");
-const deploy = runCapture("npx prisma migrate deploy");
+let deploy = runCapture("npx prisma migrate deploy");
 if (!deploy.ok) {
  console.warn(
    `[predev] Prisma migrate deploy failed. Attempting pnpm exec...`,
  );
  deploy = runCapture("pnpm exec prisma migrate deploy");
 }
 if (deploy.ok) {
  if (deploy.stdout) process.stdout.write(deploy.stdout);
 } else {
@@ -111,7 +122,16 @@ if (deploy.ok) {
        `  If you need to preserve local data, restore the backup and baseline manually.`,
    );
    // check for npx, if not present try pnpm exec
    try {
      console.log(
        `[predev] Running: npx prisma migrate reset --force --skip-seed`,
      );
      run("npx prisma migrate reset --force --skip-seed");
    } catch {
      console.warn(`[predev] npx not found, trying pnpm exec...`);
      run("pnpm exec prisma migrate reset --force --skip-seed");
    }
  } else {
    throw deploy.error;
  }
@@ -0,0 +1,330 @@
 #!/usr/bin/env node
 require("dotenv").config();
 const path = require("path");
 const { execSync } = require("child_process");
 const { PrismaClient } = require("../src/generated/client");
 const BOOTSTRAP_USER_ID = "bootstrap-admin";
 const DEFAULT_SYSTEM_CONFIG_ID = "default";
 const backendRoot = path.resolve(__dirname, "..");
 const resolveDatabaseUrl = (rawUrl) => {
  const backendRoot = path.resolve(__dirname, "..");
  const defaultDbPath = path.resolve(backendRoot, "prisma/dev.db");
  if (!rawUrl || String(rawUrl).trim().length === 0) {
    return `file:${defaultDbPath}`;
  }
  if (!String(rawUrl).startsWith("file:")) {
    return String(rawUrl);
  }
  const filePath = String(rawUrl).replace(/^file:/, "");
  const prismaDir = path.resolve(backendRoot, "prisma");
  const normalizedRelative = filePath.replace(/^\.\/?/, "");
  const hasLeadingPrismaDir =
    normalizedRelative === "prisma" || normalizedRelative.startsWith("prisma/");
  const absolutePath = path.isAbsolute(filePath)
    ? filePath
    : path.resolve(hasLeadingPrismaDir ? backendRoot : prismaDir, normalizedRelative);
  return `file:${absolutePath}`;
 };
 process.env.DATABASE_URL = resolveDatabaseUrl(process.env.DATABASE_URL);
 const parseArgs = (argv) => {
  const parsed = {
    scenario: "",
    dryRun: false,
    allowProd: false,
  };
  for (let i = 0; i < argv.length; i += 1) {
    const token = argv[i];
    if (token === "--scenario") {
      parsed.scenario = String(argv[i + 1] || "").trim().toLowerCase();
      i += 1;
      continue;
    }
    if (token === "--dry-run") {
      parsed.dryRun = true;
      continue;
    }
    if (token === "--allow-production") {
      parsed.allowProd = true;
      continue;
    }
    if (token === "--help" || token === "-h") {
      parsed.help = true;
      continue;
    }
  }
  return parsed;
 };
 const usage = () => {
  console.log(`Usage:
  node scripts/simulate-auth-onboarding.cjs --scenario fresh
  node scripts/simulate-auth-onboarding.cjs --scenario migration
 Options:
  --dry-run           Show what would change without modifying data
  --allow-production  Override production safety check (not recommended)
  --help, -h          Show this help
 `);
 };
 const assertScenario = (scenario) => {
  if (scenario !== "fresh" && scenario !== "migration") {
    throw new Error("Invalid --scenario. Use 'fresh' or 'migration'.");
  }
 };
 const nowIso = () => new Date().toISOString();
 const run = async () => {
  const args = parseArgs(process.argv.slice(2));
  if (args.help) {
    usage();
    return;
  }
  assertScenario(args.scenario);
 const nodeEnv = process.env.NODE_ENV || "development";
  if (nodeEnv === "production" && !args.allowProd) {
    throw new Error(
      "Refusing to run in production. Pass --allow-production only if you explicitly intend this."
    );
  }
  // Keep migration history authoritative to avoid drift between db push and deploy.
  // Includes a self-heal path for the known duplicate-column failure on
  // 20260210153000_add_auth_onboarding_completed in local dev databases.
  if (nodeEnv !== "production") {
    const runDeploy = () =>
      execSync("npx prisma migrate deploy", {
        cwd: backendRoot,
        stdio: "pipe",
        env: {
          ...process.env,
          DATABASE_URL: process.env.DATABASE_URL,
        },
      });
    try {
      runDeploy();
    } catch (error) {
      const stdout =
        error && error.stdout
          ? Buffer.isBuffer(error.stdout)
            ? error.stdout.toString("utf8")
            : String(error.stdout)
          : "";
      const stderr =
        error && error.stderr
          ? Buffer.isBuffer(error.stderr)
            ? error.stderr.toString("utf8")
            : String(error.stderr)
          : "";
      const combined = `${stdout}\n${stderr}`;
      const canAutoResolve =
        combined.includes("Error: P3009") &&
        combined.includes("20260210153000_add_auth_onboarding_completed") &&
        combined.includes("duplicate column name: authOnboardingCompleted");
      if (!canAutoResolve) {
        throw error;
      }
      execSync(
        "npx prisma migrate resolve --applied 20260210153000_add_auth_onboarding_completed",
        {
          cwd: backendRoot,
          stdio: "pipe",
          env: {
            ...process.env,
            DATABASE_URL: process.env.DATABASE_URL,
          },
        }
      );
      runDeploy();
    }
  }
  const prisma = new PrismaClient();
  try {
    const before = {
      activeUsers: await prisma.user.count({ where: { isActive: true } }),
      users: await prisma.user.count(),
      drawings: await prisma.drawing.count(),
      collections: await prisma.collection.count(),
      auth: await prisma.systemConfig.findUnique({
        where: { id: DEFAULT_SYSTEM_CONFIG_ID },
        select: {
          authEnabled: true,
          authOnboardingCompleted: true,
          registrationEnabled: true,
        },
      }),
    };
    console.log(`[simulate-auth-onboarding] DATABASE_URL=${process.env.DATABASE_URL}`);
    console.log(`[simulate-auth-onboarding] NODE_ENV=${nodeEnv}`);
    console.log(`[simulate-auth-onboarding] scenario=${args.scenario}`);
    console.log("[simulate-auth-onboarding] before:", before);
    if (args.dryRun) {
      console.log("[simulate-auth-onboarding] dry-run only. No data changed.");
      return;
    }
    await prisma.$transaction(async (tx) => {
      await tx.systemConfig.upsert({
        where: { id: DEFAULT_SYSTEM_CONFIG_ID },
        update: {
          authEnabled: false,
          authOnboardingCompleted: false,
          registrationEnabled: false,
        },
        create: {
          id: DEFAULT_SYSTEM_CONFIG_ID,
          authEnabled: false,
          authOnboardingCompleted: false,
          registrationEnabled: false,
          authLoginRateLimitEnabled: true,
          authLoginRateLimitWindowMs: 15 * 60 * 1000,
          authLoginRateLimitMax: 20,
        },
      });
      await tx.user.updateMany({
        data: {
          isActive: false,
          mustResetPassword: true,
        },
      });
      await tx.user.upsert({
        where: { id: BOOTSTRAP_USER_ID },
        update: {
          email: "bootstrap@excalidash.local",
          username: null,
          passwordHash: "",
          name: "Bootstrap Admin",
          role: "ADMIN",
          mustResetPassword: true,
          isActive: false,
        },
        create: {
          id: BOOTSTRAP_USER_ID,
          email: "bootstrap@excalidash.local",
          username: null,
          passwordHash: "",
          name: "Bootstrap Admin",
          role: "ADMIN",
          mustResetPassword: true,
          isActive: false,
        },
      });
      if (args.scenario === "fresh") {
        await tx.drawing.deleteMany({});
        await tx.collection.deleteMany({});
        await tx.library.deleteMany({});
        await tx.user.deleteMany({
          where: {
            id: {
              not: BOOTSTRAP_USER_ID,
            },
          },
        });
        return;
      }
      // Migration simulation:
      // 1) Reassign existing data ownership to bootstrap user
      // 2) Ensure at least one drawing+collection exists so UI shows migration messaging
      await tx.collection.updateMany({
        data: { userId: BOOTSTRAP_USER_ID },
      });
      await tx.drawing.updateMany({
        data: { userId: BOOTSTRAP_USER_ID },
      });
      const collectionCount = await tx.collection.count();
      let targetCollectionId = null;
      if (collectionCount === 0) {
        targetCollectionId = `sim-migration-col-${Date.now()}`;
        await tx.collection.create({
          data: {
            id: targetCollectionId,
            name: "Migrated Collection",
            userId: BOOTSTRAP_USER_ID,
          },
        });
      } else {
        const existing = await tx.collection.findFirst({
          where: { userId: BOOTSTRAP_USER_ID },
          select: { id: true },
          orderBy: { createdAt: "asc" },
        });
        targetCollectionId = existing ? existing.id : null;
      }
      const drawingCount = await tx.drawing.count();
      if (drawingCount === 0) {
        await tx.drawing.create({
          data: {
            id: `sim-migration-draw-${Date.now()}`,
            name: "Migrated Drawing",
            elements: "[]",
            appState: "{}",
            files: "{}",
            preview: null,
            version: 1,
            userId: BOOTSTRAP_USER_ID,
            collectionId: targetCollectionId,
          },
        });
      }
    });
    const after = {
      activeUsers: await prisma.user.count({ where: { isActive: true } }),
      users: await prisma.user.count(),
      drawings: await prisma.drawing.count(),
      collections: await prisma.collection.count(),
      auth: await prisma.systemConfig.findUnique({
        where: { id: DEFAULT_SYSTEM_CONFIG_ID },
        select: {
          authEnabled: true,
          authOnboardingCompleted: true,
          registrationEnabled: true,
        },
      }),
    };
    console.log("[simulate-auth-onboarding] after:", after);
    console.log(`[simulate-auth-onboarding] completed at ${nowIso()}`);
    console.log(
      "[simulate-auth-onboarding] If your backend is already running, wait ~5 seconds (auth cache TTL) or restart before refreshing the UI."
    );
  } finally {
    await prisma.$disconnect().catch(() => {});
  }
 };
 run().catch((error) => {
  console.error("simulate-auth-onboarding failed:", error.message || error);
  process.exitCode = 1;
 });
@@ -0,0 +1,139 @@
 import { afterAll, beforeAll, describe, expect, it } from "vitest";
 import request from "supertest";
 import bcrypt from "bcrypt";
 import jwt, { SignOptions } from "jsonwebtoken";
 import { StringValue } from "ms";
 import { PrismaClient } from "../generated/client";
 import { config } from "../config";
 import { getTestPrisma, setupTestDb } from "./testUtils";
 describe("Auth Enabled Toggle Authorization", () => {
  const userAgent = "vitest-auth-enabled";
  let prisma: PrismaClient;
  let app: any;
  let agent: any;
  let csrfHeaderName: string;
  let csrfToken: string;
  let regularUserToken: string;
  let adminUserToken: string;
  beforeAll(async () => {
    setupTestDb();
    prisma = getTestPrisma();
    ({ app } = await import("../index"));
    await prisma.systemConfig.upsert({
      where: { id: "default" },
      update: {
        authEnabled: true,
        registrationEnabled: false,
      },
      create: {
        id: "default",
        authEnabled: true,
        registrationEnabled: false,
      },
    });
    const passwordHash = await bcrypt.hash("password123", 10);
    const user = await prisma.user.create({
      data: {
        email: "regular-user@test.local",
        passwordHash,
        name: "Regular User",
        role: "USER",
        isActive: true,
      },
      select: {
        id: true,
        email: true,
      },
    });
    const signOptions: SignOptions = {
      expiresIn: config.jwtAccessExpiresIn as StringValue,
    };
    regularUserToken = jwt.sign(
      { userId: user.id, email: user.email, type: "access" },
      config.jwtSecret,
      signOptions
    );
    const admin = await prisma.user.create({
      data: {
        email: "admin-user@test.local",
        passwordHash,
        name: "Admin User",
        role: "ADMIN",
        isActive: true,
      },
      select: {
        id: true,
        email: true,
      },
    });
    adminUserToken = jwt.sign(
      { userId: admin.id, email: admin.email, type: "access" },
      config.jwtSecret,
      signOptions
    );
    agent = request.agent(app);
    const csrfRes = await agent
      .get("/csrf-token")
      .set("User-Agent", userAgent);
    csrfHeaderName = csrfRes.body.header;
    csrfToken = csrfRes.body.token;
  });
  afterAll(async () => {
    await prisma.$disconnect();
  });
  it("rejects unauthenticated auth-enabled toggle when auth is enabled", async () => {
    const response = await agent
      .post("/auth/auth-enabled")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .send({ enabled: false });
    expect(response.status).toBe(401);
  });
  it("rejects non-admin auth-enabled toggle", async () => {
    const response = await agent
      .post("/auth/auth-enabled")
      .set("User-Agent", userAgent)
      .set("Authorization", `Bearer ${regularUserToken}`)
      .set(csrfHeaderName, csrfToken)
      .send({ enabled: false });
    expect(response.status).toBe(403);
    expect(response.body?.message).toContain("Admin access required");
  });
  it("applies auth mode change immediately for subsequent requests", async () => {
    const warmStatusResponse = await request(app)
      .get("/auth/status")
      .set("User-Agent", userAgent);
    expect(warmStatusResponse.status).toBe(200);
    expect(warmStatusResponse.body?.authEnabled).toBe(true);
    const toggleResponse = await agent
      .post("/auth/auth-enabled")
      .set("User-Agent", userAgent)
      .set("Authorization", `Bearer ${adminUserToken}`)
      .set(csrfHeaderName, csrfToken)
      .send({ enabled: false });
    expect(toggleResponse.status).toBe(200);
    expect(toggleResponse.body?.authEnabled).toBe(false);
    const drawingsResponse = await request(app)
      .get("/drawings")
      .set("User-Agent", userAgent);
    expect(drawingsResponse.status).toBe(200);
    expect(Array.isArray(drawingsResponse.body?.drawings)).toBe(true);
  });
 });
@@ -0,0 +1,164 @@
 import { afterAll, beforeAll, describe, expect, it } from "vitest";
 import request from "supertest";
 import { PrismaClient } from "../generated/client";
 import { getTestPrisma, setupTestDb } from "./testUtils";
 import { BOOTSTRAP_USER_ID } from "../auth/authMode";
 describe("Auth onboarding decision", () => {
  const userAgent = "vitest-auth-onboarding";
  let prisma: PrismaClient;
  let app: any;
  let agent: any;
  let csrfHeaderName: string;
  let csrfToken: string;
  beforeAll(async () => {
    setupTestDb();
    prisma = getTestPrisma();
    ({ app } = await import("../index"));
    agent = request.agent(app);
    const csrfRes = await agent.get("/csrf-token").set("User-Agent", userAgent);
    csrfHeaderName = csrfRes.body.header;
    csrfToken = csrfRes.body.token;
  });
  afterAll(async () => {
    await prisma.$disconnect();
  });
  it("reports migration onboarding mode when no active users and legacy data exists", async () => {
    await prisma.user.upsert({
      where: { id: BOOTSTRAP_USER_ID },
      update: {},
      create: {
        id: BOOTSTRAP_USER_ID,
        email: "bootstrap@excalidash.local",
        username: null,
        passwordHash: "",
        name: "Bootstrap Admin",
        role: "ADMIN",
        mustResetPassword: true,
        isActive: false,
      },
    });
    await prisma.systemConfig.upsert({
      where: { id: "default" },
      update: { authEnabled: false, authOnboardingCompleted: false },
      create: {
        id: "default",
        authEnabled: false,
        authOnboardingCompleted: false,
        registrationEnabled: false,
      },
    });
    await prisma.collection.upsert({
      where: { id: "legacy-collection" },
      update: {},
      create: {
        id: "legacy-collection",
        name: "Legacy",
        userId: BOOTSTRAP_USER_ID,
      },
    });
    await prisma.drawing.upsert({
      where: { id: "legacy-drawing" },
      update: {},
      create: {
        id: "legacy-drawing",
        name: "Legacy Drawing",
        elements: "[]",
        appState: "{}",
        files: "{}",
        userId: BOOTSTRAP_USER_ID,
        collectionId: "legacy-collection",
      },
    });
    const response = await request(app).get("/auth/status").set("User-Agent", userAgent);
    expect(response.status).toBe(200);
    expect(response.body?.authEnabled).toBe(false);
    expect(response.body?.authOnboardingRequired).toBe(true);
    expect(response.body?.authOnboardingMode).toBe("migration");
  });
  it("persists a single-user onboarding choice", async () => {
    await prisma.systemConfig.update({
      where: { id: "default" },
      data: { authEnabled: false, authOnboardingCompleted: false },
    });
    const choiceResponse = await agent
      .post("/auth/onboarding-choice")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .send({ enableAuth: false });
    expect(choiceResponse.status).toBe(200);
    expect(choiceResponse.body?.authEnabled).toBe(false);
    expect(choiceResponse.body?.authOnboardingCompleted).toBe(true);
    const statusResponse = await request(app).get("/auth/status").set("User-Agent", userAgent);
    expect(statusResponse.status).toBe(200);
    expect(statusResponse.body?.authOnboardingRequired).toBe(false);
  });
  it("enables auth and bootstrap flow from onboarding choice", async () => {
    await prisma.drawing.deleteMany({});
    await prisma.collection.deleteMany({ where: { id: { not: `trash:${BOOTSTRAP_USER_ID}` } } });
    await prisma.systemConfig.update({
      where: { id: "default" },
      data: { authEnabled: false, authOnboardingCompleted: false },
    });
    const choiceResponse = await agent
      .post("/auth/onboarding-choice")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .send({ enableAuth: true });
    expect(choiceResponse.status).toBe(200);
    expect(choiceResponse.body?.authEnabled).toBe(true);
    expect(choiceResponse.body?.bootstrapRequired).toBe(true);
    expect(choiceResponse.body?.authOnboardingCompleted).toBe(true);
    const statusResponse = await request(app).get("/auth/status").set("User-Agent", userAgent);
    expect(statusResponse.status).toBe(200);
    expect(statusResponse.body?.authEnabled).toBe(true);
    expect(statusResponse.body?.bootstrapRequired).toBe(true);
    expect(statusResponse.body?.authOnboardingRequired).toBe(false);
  });
  it("requires CSRF token for bootstrap registration", async () => {
    const noCsrfResponse = await agent
      .post("/auth/register")
      .set("User-Agent", userAgent)
      .send({
        email: "bootstrap-admin@test.local",
        password: "StrongPass1!",
        name: "Bootstrap Admin",
      });
    expect(noCsrfResponse.status).toBe(403);
    expect(noCsrfResponse.body?.error).toBe("CSRF token missing");
    const bootstrapResponse = await agent
      .post("/auth/register")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .send({
        email: "bootstrap-admin@test.local",
        password: "StrongPass1!",
        name: "Bootstrap Admin",
      });
    expect(bootstrapResponse.status).toBe(201);
    expect(bootstrapResponse.body?.bootstrapped).toBe(true);
    expect(bootstrapResponse.body?.user?.email).toBe("bootstrap-admin@test.local");
  });
 });
@@ -0,0 +1,20 @@
 import { describe, expect, it } from "vitest";
 import { createCsrfToken, validateCsrfToken } from "../security";
 describe("CSRF client identity stability", () => {
  it("keeps token validation stable when using cookie-based client IDs", () => {
    const cookieClientId = "cookie:fixed-client-id";
    const token = createCsrfToken(cookieClientId);
    expect(validateCsrfToken(cookieClientId, token)).toBe(true);
  });
  it("shows why legacy IP-based IDs are unstable across proxy hops", () => {
    const userAgent = "Mozilla/5.0 test";
    const clientIdViaProxyA = `10.0.0.5:${userAgent}`;
    const clientIdViaProxyB = `10.0.0.6:${userAgent}`;
    const token = createCsrfToken(clientIdViaProxyA);
    expect(validateCsrfToken(clientIdViaProxyB, token)).toBe(false);
  });
 });
@@ -267,6 +267,90 @@ describe("Security Sanitization - Image Data URLs", () => {
    });
  });
  describe("sanitizeDrawingData - preview svg handling", () => {
    it("should preserve safe SVG layout attributes needed for thumbnail rendering", () => {
      const preview = [
        '<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 728.39453125 606.908203125" width="1456.7890625" height="1213.81640625" preserveAspectRatio="xMidYMid meet">',
        '<rect x="0" y="0" width="728.39453125" height="606.908203125" fill="#ffffff"></rect>',
        '<path d="M0 0 L20 20" stroke="#000" stroke-linecap="round"></path>',
        "</svg>",
      ].join("");
      const result = sanitizeDrawingData({
        elements: [],
        appState: { viewBackgroundColor: "#ffffff" },
        files: {},
        preview,
      });
      expect(result.preview).toContain('viewBox="0 0 728.39453125 606.908203125"');
      expect(result.preview).toContain('preserveAspectRatio="xMidYMid meet"');
      expect(result.preview).toContain('stroke-linecap="round"');
      expect(result.preview).toContain('xmlns="http://www.w3.org/2000/svg"');
    });
    it("should preserve safe embedded image previews", () => {
      const preview = [
        '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 40 40">',
        '<image x="0" y="0" width="40" height="40" href="data:image/png;base64,AAAA"></image>',
        "</svg>",
      ].join("");
      const result = sanitizeDrawingData({
        elements: [],
        appState: { viewBackgroundColor: "#ffffff" },
        files: {},
        preview,
      });
      expect(result.preview).toContain("<image");
      expect(result.preview).toContain('href="data:image/png;base64,AAAA"');
    });
    it("should remove embedded images with unsafe href values", () => {
      const preview = [
        '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 40 40">',
        '<image x="0" y="0" width="40" height="40" href="javascript:alert(1)"></image>',
        '<rect x="0" y="0" width="10" height="10" fill="#000"></rect>',
        "</svg>",
      ].join("");
      const result = sanitizeDrawingData({
        elements: [],
        appState: { viewBackgroundColor: "#ffffff" },
        files: {},
        preview,
      });
      expect(result.preview).not.toContain("<image");
      expect(result.preview).toContain("<rect");
    });
    it("should preserve safe defs/pattern image structures used by Excalidraw exports", () => {
      const preview = [
        '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">',
        '<defs><pattern id="p1" width="1" height="1" patternUnits="objectBoundingBox">',
        '<image href="data:image/png;base64,AAAA" width="100" height="100"></image>',
        "</pattern></defs>",
        '<rect x="0" y="0" width="100" height="100" fill="url(#p1)"></rect>',
        "</svg>",
      ].join("");
      const result = sanitizeDrawingData({
        elements: [],
        appState: { viewBackgroundColor: "#ffffff" },
        files: {},
        preview,
      });
      expect(result.preview).toContain("<defs>");
      expect(result.preview).toContain("<pattern");
      expect(result.preview).toContain('id="p1"');
      expect(result.preview).toContain("<image");
      expect(result.preview).toContain('fill="url(#p1)"');
    });
  });
  describe("validateImportedDrawing - with files", () => {
    it("should validate drawing with embedded images", () => {
      const files = createSampleFilesObject(2, "large");
@@ -3,6 +3,7 @@ import request from "supertest";
 import fs from "fs";
 import path from "path";
 import os from "os";
 import JSZip from "jszip";
 import { getTestPrisma, setupTestDb, cleanupTestDb } from "./testUtils";
 type LegacyDbOptions = {
@@ -156,11 +157,117 @@ const createLegacySqliteDb = (opts: LegacyDbOptions): string => {
  return filePath;
 };
 const createExcalidashArchiveWithDuplicateDrawingIds = async (): Promise<string> => {
  const dir = createTempDir();
  const filePath = path.join(dir, "duplicate-drawing-ids.excalidash");
  const zip = new JSZip();
  const manifest = {
    format: "excalidash",
    formatVersion: 1,
    exportedAt: new Date().toISOString(),
    unorganizedFolder: "Unorganized",
    collections: [] as any[],
    drawings: [
      {
        id: "duplicate-drawing-id",
        name: "Drawing One",
        filePath: "Unorganized/drawing-1.excalidraw",
        collectionId: null,
      },
      {
        id: "duplicate-drawing-id",
        name: "Drawing Two",
        filePath: "Unorganized/drawing-2.excalidraw",
        collectionId: null,
      },
    ],
  };
  zip.file("excalidash.manifest.json", JSON.stringify(manifest));
  zip.file(
    "Unorganized/drawing-1.excalidraw",
    JSON.stringify({ type: "excalidraw", version: 2, source: "test", elements: [], appState: {}, files: {} })
  );
  zip.file(
    "Unorganized/drawing-2.excalidraw",
    JSON.stringify({ type: "excalidraw", version: 2, source: "test", elements: [], appState: {}, files: {} })
  );
  const buffer = await zip.generateAsync({ type: "nodebuffer" });
  fs.writeFileSync(filePath, buffer);
  return filePath;
 };
 const createLegacySqliteDbWithDuplicateDrawingIds = (): string => {
  const dir = createTempDir();
  const filePath = path.join(dir, "legacy-duplicate-ids.db");
  const db = openWritableDb(filePath);
  try {
    db.exec(`
      CREATE TABLE "Drawing" (
        id TEXT,
        name TEXT NOT NULL,
        elements TEXT NOT NULL,
        appState TEXT NOT NULL,
        files TEXT,
        preview TEXT,
        version INTEGER,
        collectionId TEXT,
        collectionName TEXT,
        createdAt TEXT,
        updatedAt TEXT
      );
    `);
    const now = new Date("2024-01-03T00:00:00.000Z").toISOString();
    const insertDrawing = db.prepare(
      `INSERT INTO "Drawing"
        (id, name, elements, appState, files, preview, version, collectionId, collectionName, createdAt, updatedAt)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
    );
    insertDrawing.run(
      "legacy-duplicate-id",
      "Legacy Drawing A",
      JSON.stringify([]),
      JSON.stringify({}),
      JSON.stringify({}),
      null,
      1,
      null,
      null,
      now,
      now,
    );
    insertDrawing.run(
      "legacy-duplicate-id",
      "Legacy Drawing B",
      JSON.stringify([]),
      JSON.stringify({}),
      JSON.stringify({}),
      null,
      1,
      null,
      null,
      now,
      now,
    );
  } finally {
    db.close();
  }
  return filePath;
 };
 describe("Import compatibility (legacy exports)", () => {
  const uploadsDir = path.resolve(__dirname, "../../uploads");
  const userAgent = "vitest-import-compat";
  let prisma: ReturnType<typeof getTestPrisma>;
  let app: any;
  let agent: any;
  let csrfHeaderName: string;
  let csrfToken: string;
@@ -172,7 +279,8 @@ describe("Import compatibility (legacy exports)", () => {
    // Import the server AFTER DATABASE_URL is set by setupTestDb/getTestPrisma.
    ({ app } = await import("../index"));
-    const csrfRes = await request(app).get("/csrf-token").set("User-Agent", userAgent);
+    agent = request.agent(app);
    const csrfRes = await agent.get("/csrf-token").set("User-Agent", userAgent);
    csrfHeaderName = csrfRes.body.header;
    csrfToken = csrfRes.body.token;
    expect(typeof csrfHeaderName).toBe("string");
@@ -195,7 +303,7 @@ describe("Import compatibility (legacy exports)", () => {
      includeTrashDrawing: false,
    });
-    const res = await request(app)
+    const res = await agent
      .post("/import/sqlite/legacy/verify")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
@@ -217,7 +325,7 @@ describe("Import compatibility (legacy exports)", () => {
      includeTrashDrawing: true,
    });
-    const res = await request(app)
+    const res = await agent
      .post("/import/sqlite/legacy")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
@@ -239,7 +347,9 @@ describe("Import compatibility (legacy exports)", () => {
      expect.arrayContaining(["legacy-drawing-1", "legacy-drawing-2", "legacy-drawing-trash"])
    );
-    const trash = await prisma.collection.findUnique({ where: { id: "trash" } });
+    const trash = await prisma.collection.findUnique({
      where: { id: "trash:bootstrap-admin" },
    });
    expect(trash).toBeTruthy();
  });
@@ -251,7 +361,7 @@ describe("Import compatibility (legacy exports)", () => {
      includeTrashDrawing: false,
    });
-    const verify = await request(app)
+    const verify = await agent
      .post("/import/sqlite/legacy/verify")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
@@ -261,7 +371,7 @@ describe("Import compatibility (legacy exports)", () => {
    expect(verify.body.drawings).toBe(2);
    expect(verify.body.collections).toBe(1);
-    const res = await request(app)
+    const res = await agent
      .post("/import/sqlite/legacy")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
@@ -278,7 +388,7 @@ describe("Import compatibility (legacy exports)", () => {
    db.exec(`CREATE TABLE "NotDrawing" (id TEXT PRIMARY KEY NOT NULL);`);
    db.close();
-    const res = await request(app)
+    const res = await agent
      .post("/import/sqlite/legacy/verify")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
@@ -287,4 +397,52 @@ describe("Import compatibility (legacy exports)", () => {
    expect(res.status).toBe(400);
    expect(res.body.error).toBe("Invalid legacy DB");
  });
  it("rejects .excalidash verify when manifest has duplicate drawing IDs", async () => {
    const archive = await createExcalidashArchiveWithDuplicateDrawingIds();
    const res = await agent
      .post("/import/excalidash/verify")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .attach("archive", archive);
    expect(res.status).toBe(400);
    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
  });
  it("rejects .excalidash import when manifest has duplicate drawing IDs", async () => {
    const archive = await createExcalidashArchiveWithDuplicateDrawingIds();
    const res = await agent
      .post("/import/excalidash")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .attach("archive", archive);
    expect(res.status).toBe(400);
    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
  });
  it("rejects legacy verify when DB has duplicate drawing IDs", async () => {
    const legacyDb = createLegacySqliteDbWithDuplicateDrawingIds();
    const res = await agent
      .post("/import/sqlite/legacy/verify")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .attach("db", legacyDb);
    expect(res.status).toBe(400);
    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
  });
  it("rejects legacy import when DB has duplicate drawing IDs", async () => {
    const legacyDb = createLegacySqliteDbWithDuplicateDrawingIds();
    const res = await agent
      .post("/import/sqlite/legacy")
      .set("User-Agent", userAgent)
      .set(csrfHeaderName, csrfToken)
      .attach("db", legacyDb);
    expect(res.status).toBe(400);
    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
  });
 });
@@ -0,0 +1,55 @@
 import { describe, expect, it } from "vitest";
 import { sanitizeDrawingUpdateData } from "../index";
 describe("sanitizeDrawingUpdateData regression", () => {
  it("does not inject empty scene fields for preview-only updates", () => {
    const payload: {
      preview?: string | null;
      elements?: unknown[];
      appState?: Record<string, unknown>;
      files?: Record<string, unknown>;
    } = {
      preview: "<svg><rect width=\"10\" height=\"10\"/></svg>",
    };
    const ok = sanitizeDrawingUpdateData(payload);
    expect(ok).toBe(true);
    expect(typeof payload.preview).toBe("string");
    expect(String(payload.preview)).toContain("<svg");
    expect(payload.elements).toBeUndefined();
    expect(payload.appState).toBeUndefined();
    expect(payload.files).toBeUndefined();
  });
  it("still sanitizes scene fields when scene data is provided", () => {
    const payload: {
      preview?: string | null;
      elements?: any[];
      appState?: Record<string, unknown>;
      files?: Record<string, unknown>;
    } = {
      elements: [
        {
          id: "el-1",
          type: "rectangle",
          x: 0,
          y: 0,
          width: 100,
          height: 100,
          version: 1,
          versionNonce: 1,
          isDeleted: false,
        },
      ],
      appState: { viewBackgroundColor: "#ffffff" },
      files: {},
      preview: "<svg/>",
    };
    const ok = sanitizeDrawingUpdateData(payload);
    expect(ok).toBe(true);
    expect(Array.isArray(payload.elements)).toBe(true);
    expect(typeof payload.appState).toBe("object");
  });
 });
@@ -98,11 +98,9 @@ export const setupTestDb = () => {
 * Clean up the test database between tests
 */
 export const cleanupTestDb = async (prisma: PrismaClient) => {
-  // Delete all drawings and collections (except Trash)
+  // Delete all drawings and collections.
  await prisma.drawing.deleteMany({});
-  await prisma.collection.deleteMany({
+  await prisma.collection.deleteMany({});
    where: { id: { not: "trash" } },
  });
 };
 /**
@@ -129,14 +127,15 @@ export const createTestUser = async (prisma: PrismaClient, email: string = "test
 export const initTestDb = async (prisma: PrismaClient) => {
  // Create a test user first
  const testUser = await createTestUser(prisma);
  const trashCollectionId = `trash:${testUser.id}`;
  // Ensure Trash collection exists
-  const trash = await prisma.collection.findUnique({
+  const trash = await prisma.collection.findFirst({
-    where: { id: "trash" },
+    where: { id: trashCollectionId, userId: testUser.id },
  });
  if (!trash) {
    await prisma.collection.create({
-      data: { id: "trash", name: "Trash", userId: testUser.id },
+      data: { id: trashCollectionId, name: "Trash", userId: testUser.id },
    });
  }
@@ -2,14 +2,34 @@ import express, { Request, Response } from "express";
 import crypto from "crypto";
 import jwt, { SignOptions } from "jsonwebtoken";
 import ms, { type StringValue } from "ms";
-import { PrismaClient, Prisma } from "./generated/client";
+import { Prisma, PrismaClient } from "./generated/client";
 import { config } from "./config";
-import { requireAuth, optionalAuth } from "./middleware/auth";
+import {
  requireAuth as defaultRequireAuth,
  optionalAuth as defaultOptionalAuth,
  authModeService as defaultAuthModeService,
 } from "./middleware/auth";
 import { getCsrfTokenHeader, sanitizeText, validateCsrfToken } from "./security";
 import rateLimit, { MemoryStore } from "express-rate-limit";
 import { registerAccountRoutes } from "./auth/accountRoutes";
 import { registerAdminRoutes } from "./auth/adminRoutes";
 import { registerCoreRoutes } from "./auth/coreRoutes";
 import { registerOidcRoutes } from "./auth/oidcRoutes";
 import { prisma as defaultPrisma } from "./db/prisma";
 import {
  BOOTSTRAP_USER_ID,
  DEFAULT_SYSTEM_CONFIG_ID,
  type AuthModeService,
 } from "./auth/authMode";
 import { getCsrfValidationClientIds } from "./security/csrfClient";
 import {
  clearAuthCookies,
  readCookie,
  REFRESH_TOKEN_COOKIE_NAME,
  setAccessTokenCookie,
  setAuthCookies,
 } from "./auth/cookies";
 import { getClientIp } from "./utils/clientIp";
 interface JwtPayload {
  userId: string;
@@ -30,30 +50,24 @@ const isJwtPayload = (decoded: unknown): decoded is JwtPayload => {
  );
 };
-const router = express.Router();
+type CreateAuthRouterDeps = {
-const prisma = new PrismaClient();
+  prisma: PrismaClient;
-
+  requireAuth: express.RequestHandler;
-const BOOTSTRAP_USER_ID = "bootstrap-admin";
+  optionalAuth: express.RequestHandler;
-const DEFAULT_SYSTEM_CONFIG_ID = "default";
+  authModeService: AuthModeService;
 const ensureSystemConfig = async () => {
  return prisma.systemConfig.upsert({
    where: { id: DEFAULT_SYSTEM_CONFIG_ID },
    update: {},
    create: {
      id: DEFAULT_SYSTEM_CONFIG_ID,
      authEnabled: false,
      registrationEnabled: false,
      authLoginRateLimitEnabled: true,
      authLoginRateLimitWindowMs: 15 * 60 * 1000,
      authLoginRateLimitMax: 20,
    },
  });
 };
 export const createAuthRouter = (deps: CreateAuthRouterDeps): express.Router => {
  const { prisma, requireAuth, optionalAuth, authModeService } = deps;
  const router = express.Router();
  const ensureSystemConfig = authModeService.ensureSystemConfig;
  const ensureAuthEnabled = async (res: Response): Promise<boolean> => {
    const systemConfig = await ensureSystemConfig();
-  if (!systemConfig.authEnabled) {
+    const authEnabled =
      config.authMode !== "local" ? true : systemConfig.authEnabled;
    if (!authEnabled) {
      res.status(404).json({
        error: "Not found",
        message: "Authentication is disabled",
@@ -78,15 +92,23 @@ const DEFAULT_LOGIN_RATE_LIMIT: LoginRateLimitConfig = {
  let loginRateLimitConfig: LoginRateLimitConfig = { ...DEFAULT_LOGIN_RATE_LIMIT };
  let loginAttemptLimiter: ReturnType<typeof rateLimit> | null = null;
  let loginLimiterInitPromise: Promise<void> | null = null;
  let loginIdentifierKeyIndex = new Map<string, Set<string>>();
-const parseLoginRateLimitConfig = (systemConfig: Awaited<ReturnType<typeof ensureSystemConfig>>): LoginRateLimitConfig => {
+  const parseLoginRateLimitConfig = (
-  const enabled = typeof systemConfig.authLoginRateLimitEnabled === "boolean" ? systemConfig.authLoginRateLimitEnabled : DEFAULT_LOGIN_RATE_LIMIT.enabled;
+    systemConfig: Awaited<ReturnType<typeof ensureSystemConfig>>
  ): LoginRateLimitConfig => {
    const enabled =
      typeof systemConfig.authLoginRateLimitEnabled === "boolean"
        ? systemConfig.authLoginRateLimitEnabled
        : DEFAULT_LOGIN_RATE_LIMIT.enabled;
    const windowMs =
-    Number.isFinite(Number(systemConfig.authLoginRateLimitWindowMs)) && Number(systemConfig.authLoginRateLimitWindowMs) > 0
+      Number.isFinite(Number(systemConfig.authLoginRateLimitWindowMs)) &&
      Number(systemConfig.authLoginRateLimitWindowMs) > 0
        ? Number(systemConfig.authLoginRateLimitWindowMs)
        : DEFAULT_LOGIN_RATE_LIMIT.windowMs;
    const max =
-    Number.isFinite(Number(systemConfig.authLoginRateLimitMax)) && Number(systemConfig.authLoginRateLimitMax) > 0
+      Number.isFinite(Number(systemConfig.authLoginRateLimitMax)) &&
      Number(systemConfig.authLoginRateLimitMax) > 0
        ? Number(systemConfig.authLoginRateLimitMax)
        : DEFAULT_LOGIN_RATE_LIMIT.max;
    return { enabled, windowMs, max };
@@ -104,8 +126,30 @@ const resolveAuthIdentifier = (req: Request): string | null => {
    return trimmed.length > 0 ? trimmed.slice(0, 255) : null;
  };
  const resolveRateLimitIp = (req: Request): string => getClientIp(req);
  const trackIdentifierRateLimitKey = (identifier: string, key: string): void => {
    if (!loginIdentifierKeyIndex.has(identifier) && loginIdentifierKeyIndex.size >= 5000) {
      const oldestIdentifier = loginIdentifierKeyIndex.keys().next().value;
      if (typeof oldestIdentifier === "string") {
        loginIdentifierKeyIndex.delete(oldestIdentifier);
      }
    }
    const existing = loginIdentifierKeyIndex.get(identifier) ?? new Set<string>();
    if (existing.size >= 50) {
      const oldestKey = existing.values().next().value;
      if (typeof oldestKey === "string") {
        existing.delete(oldestKey);
      }
    }
    existing.add(key);
    loginIdentifierKeyIndex.set(identifier, existing);
  };
  const buildLoginAttemptLimiter = (cfg: LoginRateLimitConfig) => {
    const store = new MemoryStore();
    loginIdentifierKeyIndex = new Map<string, Set<string>>();
    const limiter = rateLimit({
      windowMs: cfg.windowMs,
      max: cfg.max,
@@ -121,8 +165,12 @@ const buildLoginAttemptLimiter = (cfg: LoginRateLimitConfig) => {
      store,
      keyGenerator: (req) => {
        const identifier = resolveAuthIdentifier(req as Request);
-      if (identifier) return `login:${identifier}`;
+        const ip = resolveRateLimitIp(req as Request);
-      const ip = (req as Request).ip || "unknown";
+        if (identifier) {
          const key = `login:${identifier}:ip:${ip}`;
          trackIdentifierRateLimitKey(identifier, key);
          return key;
        }
        return `login-ip:${ip}`;
      },
    });
@@ -147,18 +195,32 @@ const ensureLoginAttemptLimiter = async () => {
  };
  const applyLoginRateLimitConfig = (
-  systemConfig: Pick<Awaited<ReturnType<typeof ensureSystemConfig>>, "authLoginRateLimitEnabled" | "authLoginRateLimitWindowMs" | "authLoginRateLimitMax">
+    systemConfig: Pick<
      Awaited<ReturnType<typeof ensureSystemConfig>>,
      "authLoginRateLimitEnabled" | "authLoginRateLimitWindowMs" | "authLoginRateLimitMax"
    >
  ): LoginRateLimitConfig => {
-  loginRateLimitConfig = parseLoginRateLimitConfig(systemConfig as Awaited<ReturnType<typeof ensureSystemConfig>>);
+    loginRateLimitConfig = parseLoginRateLimitConfig(
      systemConfig as Awaited<ReturnType<typeof ensureSystemConfig>>
    );
    buildLoginAttemptLimiter(loginRateLimitConfig);
    return loginRateLimitConfig;
  };
  const resetLoginAttemptKey = async (identifier: string): Promise<void> => {
    await ensureLoginAttemptLimiter();
-  const key = `login:${identifier}`;
+    const normalizedIdentifier = identifier.trim().toLowerCase();
    const keys = loginIdentifierKeyIndex.get(normalizedIdentifier);
    try {
      if (!keys || keys.size === 0) {
        // Backward-compatible fallback for pre-change key format.
        await loginAttemptLimiter?.resetKey(`login:${normalizedIdentifier}`);
        return;
      }
      for (const key of keys) {
        await loginAttemptLimiter?.resetKey(key);
      }
      loginIdentifierKeyIndex.delete(normalizedIdentifier);
    } catch (error) {
      if (process.env.NODE_ENV === "development") {
        console.debug("Rate limit reset skipped:", error);
@@ -166,7 +228,11 @@ const resetLoginAttemptKey = async (identifier: string): Promise<void> => {
    }
  };
-const loginAttemptRateLimiter = async (req: Request, res: Response, next: express.NextFunction) => {
+  const loginAttemptRateLimiter = async (
    req: Request,
    res: Response,
    next: express.NextFunction
  ) => {
    await ensureLoginAttemptLimiter();
    if (!loginRateLimitConfig.enabled) return next();
    return (loginAttemptLimiter as ReturnType<typeof rateLimit>)(req, res, next);
@@ -184,6 +250,7 @@ const accountActionRateLimiter = rateLimit({
    validate: {
      trustProxy: false,
    },
    keyGenerator: (req) => getClientIp(req as Request),
  });
  const generateTempPassword = (): string => {
@@ -224,12 +291,6 @@ const requireAdmin = (
    return true;
  };
 const getClientId = (req: Request): string => {
  const ip = req.ip || req.connection.remoteAddress || "unknown";
  const userAgent = req.headers["user-agent"] || "unknown";
  return `${ip}:${userAgent}`.slice(0, 256);
 };
  const requireCsrf = (req: Request, res: Response): boolean => {
    const headerName = getCsrfTokenHeader();
    const tokenHeader = req.headers[headerName];
@@ -243,7 +304,9 @@ const requireCsrf = (req: Request, res: Response): boolean => {
      return false;
    }
-  if (!validateCsrfToken(getClientId(req), token)) {
+    const clientIds = getCsrfValidationClientIds(req);
    const isValidToken = clientIds.some((clientId) => validateCsrfToken(clientId, token));
    if (!isValidToken) {
      res.status(403).json({
        error: "CSRF token invalid",
        message: "Invalid or expired CSRF token. Please refresh and try again.",
@@ -309,6 +372,18 @@ const isMissingRefreshTokenTableError = (error: unknown): boolean => {
  const getRefreshTokenExpiresAt = (): Date =>
    resolveExpiresAt(config.jwtRefreshExpiresIn, 7 * 24 * 60 * 60 * 1000);
  registerOidcRoutes({
    router,
    prisma,
    ensureAuthEnabled,
    sanitizeText,
    generateTokens,
    setAuthCookies,
    getRefreshTokenExpiresAt,
    isMissingRefreshTokenTableError,
    config,
  });
  registerCoreRoutes({
    router,
    prisma,
@@ -327,6 +402,11 @@ registerCoreRoutes({
    isMissingRefreshTokenTableError,
    bootstrapUserId: BOOTSTRAP_USER_ID,
    defaultSystemConfigId: DEFAULT_SYSTEM_CONFIG_ID,
    clearAuthEnabledCache: authModeService.clearAuthEnabledCache,
    setAuthCookies,
    setAccessTokenCookie,
    clearAuthCookies,
    readRefreshTokenFromRequest: (req) => readCookie(req, REFRESH_TOKEN_COOKIE_NAME),
  });
  registerAdminRoutes({
@@ -348,6 +428,8 @@ registerAdminRoutes({
    getRefreshTokenExpiresAt,
    config,
    defaultSystemConfigId: DEFAULT_SYSTEM_CONFIG_ID,
    setAuthCookies,
    requireCsrf,
  });
  registerAccountRoutes({
@@ -361,6 +443,18 @@ registerAccountRoutes({
    config,
    generateTokens,
    getRefreshTokenExpiresAt,
    setAuthCookies,
    requireCsrf,
  });
-export default router;
+  return router;
 };
 const authRouter = createAuthRouter({
  prisma: defaultPrisma,
  requireAuth: defaultRequireAuth,
  optionalAuth: defaultOptionalAuth,
  authModeService: defaultAuthModeService,
 });
 export default authRouter;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
tototomate123	5d613ea550	perf(collab): reduce cursor and preview update churn	2026-02-14 16:38:40 +01:00
tototomate123	0ffe410eeb	feat(collab): add server-authoritative sync and preview-only updates	2026-02-13 20:47:05 +01:00
tototomate123	fd5470ada5	fix(editor): flush lifecycle saves and recover from version conflicts	2026-02-13 19:17:25 +01:00
tototomate123	75cbe97bc0	feat(collab): restore cross-account sharing and reliable realtime sync	2026-02-13 19:02:03 +01:00
tototomate123	12da89b815	Update README.md	2026-02-13 16:33:15 +00:00
tototomate123	9e248f9751	css fix	2026-02-12 20:38:05 +01:00
tototomate123	fe58cf7e89	update to excalidraw 0.18.0	2026-02-12 20:32:53 +01:00
tototomate123	6061d4ab94	fix(auth): align frontend password validation with production policy	2026-02-12 19:58:13 +01:00
tototomate123	6fe2ab3d28	fix(deploy): align /api routing, socket path, and proxy-aware auth limits	2026-02-12 19:43:49 +01:00
tototomate123	e05edff84d	fix socket in editor	2026-02-12 19:29:17 +01:00
tototomate123	da131834ce	add production stuff	2026-02-12 19:22:40 +01:00
tototomate123	08d2165a70	fix(dashboard): normalize route id params for express 5 typings	2026-02-12 19:10:41 +01:00
Zimeng Xiong	2cbd11cf0d	fix impersonation issues	2026-02-10 22:45:00 -08:00
Zimeng Xiong	1c71a08bbe	Plan OIDC integration and audit	2026-02-10 14:45:34 -08:00
Zimeng Xiong	bb028ef2db	fix csrf token hardset, remove cookie from localstorage	2026-02-10 13:16:04 -08:00
Zimeng Xiong	1117dc584e	resolve e2e	2026-02-07 19:24:00 -08:00
Zimeng Xiong	70103e18fb	sign CSRF with cookie, Login rate-limit key hardened against identifier-only lockout	2026-02-07 18:52:00 -08:00
Zimeng Xiong	fd013de325	add tests on refactor	2026-02-07 18:03:05 -08:00
Zimeng Xiong	6bee0e2ded	refactor index.ts	2026-02-07 17:47:41 -08:00
Zimeng Xiong	35bbbb9599	images in preview	2026-02-07 17:21:58 -08:00
Zimeng Xiong	2aa749a2f0	prevent preview updates from overwriting drawings	2026-02-07 15:51:35 -08:00
Zimeng Xiong	02736d663a	chore: pre-release v0.4.6-dev	2026-02-07 12:46:00 -08:00
Zimeng Xiong	de254d46f2	concurrency	2026-02-07 12:45:33 -08:00
Zimeng Xiong	dd0f381ed1	chore: pre-release v0.4.5-dev	2026-02-07 12:09:21 -08:00
Zimeng Xiong	c40a5f46a0	fix colliding drawing IDs	2026-02-07 12:09:02 -08:00
Zimeng Xiong	8fcca43b0d	chore: pre-release v0.4.4-dev	2026-02-07 11:58:09 -08:00
Zimeng Xiong	f20412cdfb	separate debounced autosave	2026-02-07 11:57:32 -08:00
Zimeng Xiong	a366acfedc	chore: pre-release v0.4.3-dev	2026-02-07 11:08:03 -08:00
Zimeng Xiong	154dcbb151	update resopnsiveness hamburger	2026-02-07 11:07:15 -08:00
Zimeng Xiong	2e74d2ad1a	chore: pre-release v0.4.2-dev	2026-02-07 10:34:36 -08:00
Zimeng Xiong	173c050f58	fix HTTPS reuqirement when frontend URL is nto HTTPS	2026-02-07 10:31:08 -08:00
Zimeng Xiong	8161a563f0	chore: pre-release v0.4.1-dev	2026-02-07 10:08:27 -08:00
Zimeng Xiong	812f1cbf58	chore: pre-release v0.4.1-dev	2026-02-07 10:01:14 -08:00
Zimeng Xiong	26017fa5d2	fix JWT secret	2026-02-07 10:00:58 -08:00
Zimeng Xiong	06f4c0f537	remove dev dependencies from development containers	2026-02-07 09:27:39 -08:00
		`@@ -0,0 +1,2 @@`
							`-- Track whether initial auth mode choice has been explicitly completed.`
							`ALTER TABLE "SystemConfig" ADD COLUMN "authOnboardingCompleted" BOOLEAN NOT NULL DEFAULT false;`