Commit Graph

5 Commits

Author SHA1 Message Date
derekc e08e031ad0 Add HSTS, gzip, Ntfy notifications, and paginate entries endpoint
- nginx: add HSTS (max-age=31536000) and gzip for text/css/js/json
- entries: add limit/offset query params (default 200, max 1000)
- Ntfy: wire NTFY_URL/NTFY_TOKEN through env; notify on startup, new
  registration, admin login, user disable, and user delete
- httpx==0.28.1 added for async Ntfy HTTP calls

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 01:12:59 -07:00
derekc 50ee1f9fed Fix auth bypasses, race condition, stale connections, and unbounded query
- Block disabled accounts at login and unimpersonate (C4, C2)
- Catch IntegrityError on register commit to return 409 instead of 500 (C5)
- Stop _seed_admin from overwriting existing admin password on restart (C8)
- Cap public/stats query at 500 users to bound memory usage (C3)
- Rate-limit PUT /me/password at 5/minute (C6)
- Bump SQLAlchemy to 2.0.50 and aiomysql to 0.3.2; re-enable pool_pre_ping (C7)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 00:55:12 -07:00
derekc ef8b44934c Fix aiomysql pool_pre_ping crash, add rate limiting and security hardening
Remove pool_pre_ping=True to fix startup crash caused by aiomysql 0.2.0
async adapter requiring a reconnect argument SQLAlchemy does not pass.
Add slowapi rate limiting, structured logging, CORS config, backend
health check, and nginx security headers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 00:44:23 -07:00
derekc 48a15c54f6 Add admin account with user management endpoints
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-24 20:45:19 -07:00
derekc 72b23c18aa Add initial project files
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-24 19:11:00 -07:00