feat: security hardening and polish for product release #5

Merged

patillacode merged 26 commits from feature/security-and-polish into main 2026-04-20 18:11:48 +02:00

Conversation 0 Commits 26 Files changed 54 +1881 -965

patillacode commented 2026-04-18 22:26:12 +02:00

Owner

Copy link

Security hardening, publishing flow redesign, and polish

Security (9 fixes)

• HSTS + Permissions-Policy headers added to all responses; HSTS only sent when SECURE_COOKIES=true
• Session versioning: session_version column on User; token format updated to include version; stale tokens
  rejected on every request
• Session invalidation on password change: admin reset and self-change both increment session_version,
  logging out all other devices; self-change re-issues cookie so the current session stays valid
• Login CSRF: double-submit cookie pattern on GET /login → POST /login; requests without a matching token get
  403
• Image magic byte validation: upload endpoint validates actual file bytes, not the client-supplied Content-Type
• TRUST_PROXY setting: opt-in X-Forwarded-For support for correct IP detection behind nginx/Caddy/Traefik; rate limiter uses real IP when enabled
• CSP nonces: per-request nonces replace unsafe-inline on script-src; Google Fonts and esm.sh (Tiptap) whitelisted
• Image access control: /uploads/{user_id}/{filename} requires auth or a valid ?share_token linked to an entry owned by that user
• Share token revocation: DELETE /journal/{date}/share endpoint clears the token; images embedded in shared entries are rewritten to include ?share_token so they load for unauthenticated viewers

Publishing flow redesign

Replaced the fragile share popup with a clean two-action model:

• Publish/Unpublish toggle in the toolbar: primary action, clear state label
• Copy link icon button: appears inline only when the entry is published, copies directly to clipboard with a
  toast; no popup, no URL input field
• Both buttons work dynamically without page reload
• Mobile nav button mirrors the same publish toggle

UI & calendar polish

• Calendar now distinguishes four day states: today (dot below number), written (accent strikethrough),
  shared/published (accent ring), active/current (solid fill); states stack, active overrides all
• CSS split into modular component files

i18n

• All templates fully wired to the translation system (account page, admin users table, journal toolbar)
• New keys: account, publish, unpublish, copy_link, change_password, admin_role, user_role, stop_sharing,
  delete_confirm

Docs & CI

• README rewritten with inline Docker Compose quick-start
• CONFIGURATION.md added with full prose-style config reference
• CI pipeline updated to run tests on every push to main, build and push Docker image only on version tags (v*)

### Security hardening, publishing flow redesign, and polish **Security (9 fixes)** - `HSTS` + `Permissions-Policy` headers added to all responses; `HSTS` only sent when `SECURE_COOKIES=true` - Session versioning: `session_version` column on `User`; token format updated to include version; stale tokens rejected on every request - Session invalidation on password change: admin reset and self-change both increment `session_version`, logging out all other devices; self-change re-issues cookie so the current session stays valid - Login `CSRF`: double-submit cookie pattern on `GET /login` → `POST /login`; requests without a matching token get 403 - Image magic byte validation: upload endpoint validates actual file bytes, not the client-supplied `Content-Type` - `TRUST_PROXY` setting: opt-in `X-Forwarded-For` support for correct IP detection behind nginx/Caddy/Traefik; rate limiter uses real IP when enabled - CSP nonces: per-request nonces replace unsafe-inline on script-src; Google Fonts and esm.sh (Tiptap) whitelisted - Image access control: `/uploads/{user_id}/{filename}` requires auth or a valid `?share_token` linked to an entry owned by that user - Share token revocation: `DELETE /journal/{date}/share` endpoint clears the token; images embedded in shared entries are rewritten to include `?share_token` so they load for unauthenticated viewers **Publishing flow redesign** Replaced the fragile share popup with a clean two-action model: - Publish/Unpublish toggle in the toolbar: primary action, clear state label - Copy link icon button: appears inline only when the entry is published, copies directly to clipboard with a toast; no popup, no URL input field - Both buttons work dynamically without page reload - Mobile nav button mirrors the same publish toggle **UI & calendar polish** - Calendar now distinguishes four day states: today (dot below number), written (accent strikethrough), shared/published (accent ring), active/current (solid fill); states stack, active overrides all - CSS split into modular component files **i18n** - All templates fully wired to the translation system (account page, admin users table, journal toolbar) - New keys: account, publish, unpublish, copy_link, change_password, admin_role, user_role, stop_sharing, delete_confirm **Docs & CI** - README rewritten with inline Docker Compose quick-start - `CONFIGURATION.md` added with full prose-style config reference - CI pipeline updated to run tests on every push to main, build and push Docker image only on version tags (v*)

patillacode added 1 commit 2026-04-18 22:26:12 +02:00

feat: security hardening and polish for product release ... 539cde1a5e

- Custom 404/500 error pages with logo and styled layout
- Security headers middleware (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- CSRF protection on all HTML form POST endpoints via HMAC session token
- In-memory rate limiter on login (10 attempts per 15-minute window)
- Self-service password change at /account for regular users
- Account nav link added to authenticated layout
- Web manifest name fields filled in (Piruetas)
- Meta description added to base template; OG tags on share page
- 40 tests passing (13 new tests covering all new features)

patillacode added 2 commits 2026-04-18 23:05:23 +02:00

refactor: split CSS into modular files with consistent naming ... 183053d477

Extracted main.css (562 lines) into a component-based structure:
tokens, reset, layout, responsive, and per-component files under
components/. Adopted CUBE CSS-inspired block__element naming for
element-level classes, applying renames across all templates and
calendar.js. Single base.css entry point via @import.

fix: surface upload/share errors, remove dead word_count field, fix open redirect ... 4bb3f65705

- editor.js: show toast on image upload and share fetch failures
- journal.py: remove dead word_count from EntrySaveRequest (server recalculates)
- auth.py: restrict locale redirect to path-only to prevent open redirect via Referer

patillacode added 8 commits 2026-04-19 00:16:37 +02:00

feat: add Permissions-Policy and HSTS security headers 652b74d8c8

feat: add session_version to token for session invalidation support b30dcaf24f

feat: invalidate sessions on password reset/change via session_version 91a77eb16f

feat: add login CSRF protection via double-submit cookie ff5cf15da8

feat: validate image magic bytes to prevent MIME type spoofing 4d32b9b15e

feat: add TRUST_PROXY for correct IP detection behind reverse proxies 2b2a527e2f

feat: replace CSP unsafe-inline with per-request nonces f72b1533ee

feat: image access control, entry linking, and share token revocation 335b1f5f39

patillacode added 1 commit 2026-04-19 00:29:34 +02:00

docs: rewrite README and add CONFIGURATION.md reference ef78322997

patillacode added 1 commit 2026-04-19 00:34:01 +02:00

docs: simplify quick start with inline compose example 7526b73c0e

patillacode added 1 commit 2026-04-20 16:42:25 +02:00

fix: allow Google Fonts in CSP style-src and font-src 8afa7e0850

patillacode added 1 commit 2026-04-20 16:44:10 +02:00

fix: allow esm.sh in CSP script-src for Tiptap editor 3b0cf735d9

patillacode added 1 commit 2026-04-20 16:53:19 +02:00

feat: conditional stop-sharing button and shared-day indicator in calendar 46d2e6d92f

patillacode added 1 commit 2026-04-20 17:01:05 +02:00

feat: redesign calendar day states with dot, strikethrough, and ring indicators 62f868d42c

patillacode added 2 commits 2026-04-20 17:06:32 +02:00

fix: hide stop-sharing button by default in HTML d69b367e0c

ci: build and push Docker image on version tags only 2c98108f3a

patillacode added 1 commit 2026-04-20 17:11:03 +02:00

feat: translate account, admin, and journal templates; add missing i18n keys 087fa8f53e

patillacode added 2 commits 2026-04-20 17:29:03 +02:00

feat: replace share popup with publish/unpublish toggle and copy-link button e154f0e81f

wip 69fe95eea2

patillacode added 1 commit 2026-04-20 17:35:52 +02:00

feat: replace copy-link text with external-link icon 7ed0da8972

patillacode added 1 commit 2026-04-20 17:38:21 +02:00

fix: hide copy-link button when entry is not published 0b0e0fc4df

patillacode added 1 commit 2026-04-20 18:06:45 +02:00

Merge branch 'main' into feature/security-and-polish a04148bfaf

patillacode added 1 commit 2026-04-20 18:08:08 +02:00

ci: run tests on all branches and PRs 927a38b203

patillacode merged commit cf74c2ad3e into main 2026-04-20 18:11:48 +02:00

patillacode referenced this pull request from a commit 2026-04-20 18:11:49 +02:00

feat: security hardening and polish for product release (#5)

patillacode deleted branch feature/security-and-polish 2026-04-21 16:51:18 +02:00

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

patillacode/piruetas!5

No description provided.