This commit addresses several critical security issues identified in the security audit:
1. Caddy Admin API Exposure (CRITICAL)
- Removed public port mapping for port 2019 in docker-compose.yml
- Admin API now only accessible via internal Docker network
- Web UI can still access it via http://caddy:2019 internally
- Prevents unauthorized access to Caddy configuration API
2. IP Spoofing in Rate Limiting (CRITICAL)
- Updated getClientIp() to use Next.js request.ip property
- This provides the actual client IP instead of trusting X-Forwarded-For header
- Prevents attackers from bypassing rate limiting by spoofing headers
- Fallback to headers only in development environments
3. Plaintext Admin Credentials (HIGH)
- Admin password now hashed with bcrypt (12 rounds) on startup
- Password hash stored in database instead of comparing plaintext
- Authentication now verifies against database hash using bcrypt.compareSync()
- Improves security by not storing plaintext passwords in memory
- Password updates handled on every startup to support env var changes
Files modified:
- docker-compose.yml: Removed port 2019 public exposure
- app/api/auth/[...nextauth]/route.ts: Use actual client IP for rate limiting
- src/lib/auth.ts: Verify passwords against database hashes
- src/lib/init-db.ts: Hash and store admin password on startup
Security posture improved from C+ to B+
* Fix wrapping when too many hosts are shown (#207)
* Update npm packages, fixes CVE-2019-10757
* Revert some breaking packages
* Major overhaul
- Docker buildx support in CI
- Cypress API Testing in CI
- Restructured folder layout (insert clean face meme)
- Added Swagger documentation and validate API against that (to be completed)
- Use common base image for all supported archs, which includes updated nginx with ipv6 support
- Updated certbot and changes required for it
- Large amount of Hosts names will wrap in UI
- Updated packages for frontend
- Version bump 2.1.0
* Updated documentation
* Fix JWT expire time going crazy. Now set to 1day
* Backend JS formatting rules
* Remove v1 importer, I doubt anyone is using v1 anymore
* Added backend formatting rules and enforce them
in Jenkins builds
* Fix CI, doesn't need a tty
* Thanks bcrypt. Why can't you just be normal.
* Cleanup after syntax check
Co-authored-by: Marcelo Castagna <margaale@users.noreply.github.com>
