Commit Graph

29 Commits

Author SHA1 Message Date
derekc 3e990cae7e Replace passlib with direct bcrypt calls, drop passlib dependency
passlib is unmaintained and incompatible with bcrypt 5.0.0 due to its
internal wrap-bug detection test exceeding bcrypt's 72-byte password limit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 01:41:27 -07:00
derekc b8d2910d7c Bump all Python dependencies to latest versions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 01:38:44 -07:00
derekc 883bb1ab12 Add ntfy push notifications to Features section of README
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 23:15:09 -07:00
derekc 2d3ad3a06c Add login lockout with ntfy alerts and update docs
- Lock accounts for 15 minutes after 5 consecutive failed login attempts
- Send urgent ntfy notification when an account is locked
- Send high-priority ntfy notification on login attempt against a locked account
- Auto-reset lockout on expiry; reset counter on successful login
- Add v2.4 migration for failed_login_attempts and locked_until columns
- Add ALLOWED_ORIGINS and SECURE_COOKIES to .env.example
- Update README: lockout row in security table, new ntfy events

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 23:11:30 -07:00
derekc 7cd2dfb710 Add ntfy push notifications for security-relevant events
Sends alerts on admin login, new registrations, user disable/delete, and
impersonation. NTFY_URL and NTFY_TOKEN are optional — leave blank to disable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 23:01:13 -07:00
derekc 4172b63dc2 Add footer with CHNS.tech credit and Buy Me a Coffee button
Adds a green footer (matching nav colour) to all authenticated pages
with a "Created by: CHNS.tech" link and a styled BMC button. CSP updated
to allow buymeacoffee CDN domains.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 22:50:30 -07:00
derekc d2afdc4ea3 Fix entry edit always failing with 'Input should be None'
Two bugs:

1. Python 3.12 name collision in schemas.py: `date: Optional[date] = None`
   caused get_type_hints() to resolve the `date` type annotation to NoneType
   (Optional[None]) because the field name shadowed the datetime.date import.
   All *Update schemas were rejecting any PUT with a valid date. Fixed by
   aliasing the import: `from datetime import date as Date`.

2. FastAPI validation errors return detail as a list of objects, not a string.
   Passing that list to new Error() produced "Error: [object Object]". Fixed
   in api.js to map the detail array to msg strings before throwing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 20:37:15 -07:00
derekc dcfc605579 Update README: auth, security, env vars, project structure
- Fix authentication section: JWT now in HttpOnly cookie, not localStorage
- Fix API section: session cookie auth, no Authorization header needed
- Add SECURE_COOKIES and ALLOWED_ORIGINS to setup instructions
- Add Security section documenting headers, CORS, rate limiting, etc.
- Document server-side impersonation (no admin token in browser)
- Add logout endpoint to API table
- Update project structure with login.js
- Note HTTPS reverse proxy requirement

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 00:18:54 -07:00
derekc 392a48dfb9 Go-live hardening: server_tokens, resource limits, pinned images, CVE fixes
- Add server_tokens off to nginx (suppress version leakage)
- Add deploy.resources.limits to all containers (db: 512M, api: 256M, nginx: 64M)
- Pin image tags: mysql:8.0 → 8.0.45, nginx:alpine → 1.29.6-alpine
- Fix CVEs: cryptography 43.0.3 → 46.0.5 (HIGH), python-jose 3.3.0 → 3.4.0 (CRITICAL)
- Add .limit(500) to GET /api/flock and GET /api/admin/users

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 00:16:28 -07:00
derekc 59f9685e2b Move JWT from localStorage to HttpOnly cookie; fix CSRF
- JWT stored in HttpOnly, Secure, SameSite=Strict cookie — JS cannot
  read the token at all; SameSite=Strict prevents CSRF without tokens
- Non-sensitive user payload returned in response body and stored in
  localStorage for UI purposes only (not usable for auth)
- Add POST /api/auth/logout endpoint that clears the cookie server-side
- Add SECURE_COOKIES env var (default true) for local HTTP testing
- Extract login.html inline script to login.js (CSP compliance)
- Remove Authorization: Bearer header from API calls; add credentials:
  include so cookies are sent automatically
- CSP script-src includes unsafe-inline to support existing onclick
  handlers throughout the app

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 23:57:22 -07:00
derekc 6d09e40f58 Remove admin token from sessionStorage during impersonation
Embed admin_id claim in impersonation JWTs and add a backend
/api/admin/unimpersonate endpoint that re-issues the admin token
from that claim. The admin token no longer needs to be stored in
sessionStorage, eliminating the risk of token theft via XSS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 23:32:08 -07:00
derekc f6cc7a606e Harden security: CORS, XSS, rate limiting, CSP, SRI
- Lock down CORS to ALLOWED_ORIGINS env var (was wildcard)
- Fix admin panel XSS: use data-username attributes instead of
  interpolating usernames into onclick handlers
- Add rate limiting to /api/auth/register (3r/m) and /api/admin/*
  (10r/m); set limit_req_status 429
- Add Content-Security-Policy header restricting scripts to self
  and cdn.jsdelivr.net
- Add Subresource Integrity hash to Chart.js CDN script tag

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 23:18:33 -07:00
derekc 958c409e8e Fix bugs, data integrity, and cache busting
- models.py: add UniqueConstraint(user_id, date) to flock_history so
  duplicate flock entries for the same day are rejected at the DB level
- main.py: v2.3 migration applies the new unique constraint to existing
  installs at startup
- login.html: update register form minlength and placeholder from 6 to 10
  characters to match backend; add specific 429 error message so rate-
  limited users see "Too many attempts — please wait a minute" instead of
  a generic failure
- auth.js: update settings modal password input minlength from 6 to 10
- summary.js: fix CSV export truncation — pass limit=10000 so users with
  more than 500 days of data get a complete export; read chart border color
  from --green CSS variable instead of hardcoded hex
- All HTML files: bump JS version params to ?v=4 so browsers discard
  cached copies of files changed across recent sessions (api.js, auth.js,
  dashboard.js, history.js, log.js, flock.js, budget.js, summary.js,
  admin.js)
- .env.example: add password strength guidance for MySQL and admin vars

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 00:27:02 -07:00
derekc 9709283d7a Fix remaining code quality and infrastructure items
- admin.py: remove unused get_current_user import
- feed.py, flock.py, other.py: add IntegrityError handling on POST/PUT
  endpoints; duplicate submissions now return 409 instead of crashing with
  a 500 error
- stats.py: extract magic numbers into named module-level constants
  (DAYS_ROLLING, DAYS_SHORT, PRECISION_AVG, PRECISION_HEN, PRECISION_COST);
  add return type annotations to _total_feed_cost and _total_other_cost;
  normalize both helpers to always return Decimal so budget_stats no longer
  needs Decimal(str(...)) workarounds; simplify _cpe/_cpd helpers
- dashboard.js: read --green CSS variable at runtime instead of hardcoding
  the hex value so chart color stays in sync with the stylesheet
- docker-compose.yml: add healthcheck to api service (polls /api/health
  every 30s) so Docker knows when the API is unhealthy; add password
  strength guidance comment above the db service

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 00:18:58 -07:00
derekc ce1e9c5134 Implement reliability improvements across frontend
- api.js: add exponential backoff retry (3 attempts, 500/1000/2000ms) for
  GET requests on network errors and 5xx responses; mutating methods are
  not retried since they are not idempotent
- api.js: add offline indicator — fixed pill banner appears at bottom of
  page when navigator goes offline, disappears when back online
- style.css: add styles for offline banner and session expiry warning
- auth.js: show amber warning banner below nav when session expires within
  24 hours (with exact hours remaining); dismissible with X button
- auth.js: fix password min-length client-side check from 6 to 10 to
  match the backend
- log.js, flock.js, budget.js: disable submit button during async request
  and re-enable in finally block to prevent double-submits and make loading
  state visible
- dashboard.js: fix chart date labels to use user's configured timezone
  instead of the browser's local timezone

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 00:09:36 -07:00
derekc 60fed6d464 Implement performance improvements across backend and frontend
- models.py: add composite (user_id, date) indexes to flock_history,
  feed_purchases, and other_purchases for faster date-filtered queries
  (egg_collections already had one via its unique constraint)
- main.py: add v2.2 migration to create the three composite indexes on
  existing installs at startup
- stats.py: fix N+1 query in monthly_stats — flock history is now fetched
  once and looked up per month using bisect_right instead of one DB query
  per month row; also remove unnecessary Decimal(str(...)) round-trips
  since SQLAlchemy already returns Numeric columns as Decimal
- eggs.py: add limit parameter (default 500, max 1000) to list_eggs to
  cap unbounded fetches on large datasets
- dashboard.js: pass start= (30 days ago) when fetching eggs so the
  dashboard only loads the data it actually needs for the chart and
  recent collections list

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 00:02:58 -07:00
derekc 37f19a83ed Implement security hardening across frontend, backend, and infrastructure
- nginx: add X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
  and Referrer-Policy headers on all responses; rate limit /api/auth/login
  to 5 req/min per IP (burst 3) to prevent brute force
- frontend: add escHtml() utility to api.js; use it on all notes fields
  across dashboard, log, history, flock, and budget pages to prevent XSS
- log.js: fix broken loadRecent() call referencing removed #recent-body
  element; replaced with loadHistory() from history.js
- schemas.py: raise minimum password length from 6 to 10 characters
- admin.py: add audit logging for password reset, disable, delete, and
  impersonate actions; fix impersonate to use named admin param for logging
- main.py: add startup env validation — exits with clear error if any
  required env var is missing; configure structured logging to stdout
- docker-compose.yml: add log rotation (10 MB / 3 files) to all services

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:55:08 -07:00
derekc b660263f30 Merge History into Log Eggs page; update dashboard card order and colors
- Removed standalone History page (history.html); full collection history
  (date filter, edit, delete, totals footer) is now embedded in the Log
  Eggs page below the log form
- Removed History nav link from all pages
- Reordered dashboard stat cards: egg counts → averages → Flock Size →
  cost cards
- Egg count and average cards now use green; Flock Size card uses orange
- Updated README to reflect removed History page, merged log/history
  feature, dashboard card changes, and project structure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:43:27 -07:00
derekc 31dd106ebd Add .env.example
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:22:26 -07:00
derekc 4d94e716e7 Add egg emoji to README title
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:21:20 -07:00
derekc 58c138d647 Update clone URL to yolkbook repo name
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:20:21 -07:00
derekc aa12648228 Add multi-user auth, admin panel, and timezone support; rename to Yolkbook
- Rename app from Eggtracker to Yolkbook throughout
- Add JWT-based authentication (python-jose, passlib/bcrypt)
- Add users table; all data tables gain user_id FK for full data isolation
- Super admin credentials sourced from ADMIN_USERNAME/ADMIN_PASSWORD env vars,
  synced on every startup; orphaned rows auto-assigned to admin post-migration
- Login page with self-registration; JWT stored in localStorage (30-day expiry)
- Admin panel (/admin): list users, reset passwords, disable/enable, delete,
  and impersonate (Login As) with Return to Admin banner
- Settings modal (gear icon in nav): timezone selector and change password
- Timezone stored per-user; stats date windows computed in user's timezone;
  date input setToday() respects user timezone via Intl API
- migrate_v2.sql for existing single-user installs
- Auto-migration adds timezone column to users on startup
- Updated README with full setup, auth, admin, and migration docs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:19:29 -07:00
derekc 7d50af0054 Show cost per egg as 2 decimal places on dashboard
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 22:57:22 -08:00
derekc 5bc874a924 Show cost per egg as 2 decimal places on summary page
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 22:55:21 -08:00
derekc b633586012 Show cost per egg as 2 decimal places
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 22:53:09 -08:00
derekc 404fd0510f Add Other Purchases to budget page
- New other_purchases table (date, total, notes)
- /api/other CRUD endpoints
- Budget stats now include other costs in cost/egg and cost/dozen math
- Budget page: new Log Other Purchases form, stat cards for other costs,
  combined Purchase History table showing feed and other entries together

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 22:47:57 -08:00
derekc ceb0780663 Add README
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 22:29:55 -08:00
derekc 492e1fd68f Initial commit
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 22:27:58 -08:00
derekc 4387f6df92 Initial commit 2026-02-26 22:25:21 -08:00