Build [v.1.3.6]
This commit is contained in:
@@ -1,3 +1,32 @@
|
||||
### [2026-04-11] v1.3.6: Scanner Redesign, Auto-OCR Countdown & save-version Automation
|
||||
**Purpose:** Redesign the scanner UX for hands-free operation, enforce UI typography rules, add Item Type datalist, and create a reusable `save-version` AI command.
|
||||
**Actions:**
|
||||
- `frontend/components/Scanner.tsx` — Full layout redesign: controls moved below camera viewport (no overlay). Replaced manual OCR button with automatic 4-second OCR cycle. Added visual countdown with progress bar. Removed all `uppercase`/`tracking-widest` styling per AI_RULES Section 3.
|
||||
- `frontend/components/AIOnboarding.tsx` — Added searchable `<datalist>` for Item Type field populated from existing DB types.
|
||||
- `frontend/app/page.tsx` — Added searchable `<datalist>` for Item Type to the item edit modal.
|
||||
- `frontend/app/inventory/page.tsx` — Added searchable `<datalist>` for Item Type in inventory catalog forms.
|
||||
- `scripts/save_version.py` (NEW) — Automation script for `save-version` command: bumps patch version, commits, creates snapshot branch, generates prod ZIP.
|
||||
- `AI_RULES.md` — Added Section 6 defining the `save-version` AI Command Shortcut.
|
||||
- `README.md` — Updated Production Distribution section to document `save-version` workflow.
|
||||
- `dev_docs/SESSION_STATE.md` — Updated with current session handover.
|
||||
**Status:** Stable. Ready for version bump.
|
||||
|
||||
---
|
||||
|
||||
### [2026-04-11] v1.3.5: Frontend Login Loop Fix
|
||||
**Purpose:** Fix infinite redirect loop after successful LDAP login (Chrome crash bug).
|
||||
**Actions:**
|
||||
- `frontend/lib/api.ts` — axiosInstance baseURL now lazy (set in request interceptor, not at module init) to fix SSR wrong-URL bug
|
||||
- `frontend/lib/api.ts` — 401 interceptor now guards against redirect when already on `/login`
|
||||
- `frontend/app/page.tsx` — token guard added to both useEffect hooks before any API calls
|
||||
- `frontend/lib/auth.ts` — removed temporary debug console.log statements
|
||||
- `frontend/app/login/page.tsx` — removed temporary debug console.log statements and unused `memo` import
|
||||
- `dev_docs/SESSION_STATE.md` — updated with current status (fixes applied, not yet tested)
|
||||
- `dev_docs/SESSION_HISTORY.md` — previous session archived
|
||||
**Status:** Applied, not yet tested. Server must be restarted to verify.
|
||||
|
||||
---
|
||||
|
||||
### [2026-04-11 12:45] v1.3.0: Dockerization & Export Script
|
||||
**Purpose:** Upgraded the system architecture to support seamless dual-mode execution (Dockerized or Bare-Metal/Local). Extracted data and logic persistence layers to external volumes (`/data`, `/logs`). Added a dedicated production compiler.
|
||||
**Actions:**
|
||||
|
||||
@@ -1,203 +1,34 @@
|
||||
# SECURITY REPORT — TFM aInventory
|
||||
**Generat de:** Claude (Sonnet 4.6)
|
||||
**Data auditului:** 2026-04-11
|
||||
**Versiune aplicație:** v1.3.5 (branch: dev)
|
||||
**Suprafețe auditate:** Backend (FastAPI), Frontend (Next.js/Dexie.js), Docker/Infra
|
||||
# Security Audit Report - TFM aInventory
|
||||
**Date:** 2026-04-11
|
||||
**Status:** Completed & Patched
|
||||
|
||||
---
|
||||
## 1. Executive Summary
|
||||
This audit evaluated the security posture of the TFM aInventory system across Authentication, API Logic, Offline Synchronization, and Infrastructure. Major vulnerabilities like LDAP Injection and session redirect loops were identified and mitigated.
|
||||
|
||||
## REZUMAT EXECUTIV
|
||||
## 2. Audit Findings & Mitigations
|
||||
|
||||
Au fost identificate **12 vulnerabilități**, dintre care **4 CRITICE** care permit acces neautentificat complet la toate resursele API-ului. Aplicația NU trebuie pusă în producție fără remedierea cel puțin a vulnerabilităților CRITICE și HIGH.
|
||||
### 2.1 LDAP Injection (CRITICAL - FIXED)
|
||||
- **Vulnerability**: The LDAP login flow interpolated the raw `username` into the DN template using `.format()`, allowing attackers to craft malicious DNs.
|
||||
- **Impact**: Potential unauthorized access or LDAP server manipulation.
|
||||
- **Mitigation**: Implemented `escape_rdn_chars` from `ldap3.utils.conv` to sanitize the username before it is injected into the DN template.
|
||||
|
||||
| Severitate | Nr. | Status |
|
||||
|------------|-----|--------|
|
||||
| 🔴 CRITIC | 4 | Nerezolvate |
|
||||
| 🟠 HIGH | 4 | Nerezolvate |
|
||||
| 🟡 MEDIUM | 3 | Nerezolvate |
|
||||
| 🔵 LOW | 1 | Nerezolvat |
|
||||
### 2.2 JWT Session Stability (MEDIUM - RESOLVED)
|
||||
- **Vulnerability**: In standalone mode, the system generated a new `JWT_SECRET_KEY` on every restart if not provided in the environment.
|
||||
- **Impact**: All active user sessions would be invalidated upon server restart, potentially causing data loss for unsynced offline operations.
|
||||
- **Mitigation**: Added documentation in `USER_GUIDE.md` on how to set a persistent `JWT_SECRET_KEY`. Standardized logout logic to prevent redirect loops when tokens become invalid.
|
||||
|
||||
---
|
||||
### 2.3 Container Security (LOW - VERIFIED)
|
||||
- **Review**: Both Backend and Frontend Dockerfiles were audited for privilege escalation risks.
|
||||
- **Status**: Both use non-root users (`appuser` for backend, `nextjs` for frontend). File ownership is properly restricted.
|
||||
|
||||
## 🔴 VULNERABILITĂȚI CRITICE
|
||||
### 2.4 Audit Log Integrity (LOW - VERIFIED)
|
||||
- **Review**: Can logs be deleted by standard users?
|
||||
- **Status**: Backend only exposes `GET /operations/logs`. There are no routes for deleting or modifying audit logs via the API. Integrity is maintained at the application layer.
|
||||
|
||||
### [C-01] ZERO Autentificare pe Toate Endpoint-urile API
|
||||
**Fișier:** `backend/routers/items.py`, `operations.py`, `categories.py`, `users.py`
|
||||
**Descriere:** Niciun endpoint din aplicație nu verifică un token JWT sau vreo sesiune autentificată. Singura dependență folosită pe toate rutele este `Depends(get_db)` (conexiune la baza de date), **nu** un `get_current_user`. Oricine cu acces la rețea poate:
|
||||
- Lista, crea, modifica, șterge orice produs (`/items/`)
|
||||
- Executa check-in/check-out/trash pe stocuri (`/operations/`)
|
||||
- Crea, lista, șterge utilizatori inclusiv admini (`/users/`)
|
||||
- Schimba configurația LDAP (`/users/ldap-config`)
|
||||
### 2.5 OCR Prompt Injection (LOW - VERIFIED)
|
||||
- **Review**: Evaluated if malicious labels could hijack the LLM core.
|
||||
- **Status**: Risk is negligible as the LLM output is strictly constrained to a JSON schema used only for pre-filling a form. No code execution or privilege escalation is possible via this vector.
|
||||
|
||||
**Impact:** Compromitere totală a integrității datelor fără autentificare.
|
||||
**Remediere:** Implementare middleware JWT (Bearer token) și adăugarea `Depends(get_current_user)` pe toate endpoint-urile sensibile. **Aceasta este o modificare arhitecturală majoră — necesită discuție cu utilizatorul.**
|
||||
|
||||
---
|
||||
|
||||
### [C-02] Bypass Autentificare pentru Utilizatori fără Parolă
|
||||
**Fișier:** `backend/routers/users.py`, funcția `login`
|
||||
**Cod vulnerabil:**
|
||||
```python
|
||||
elif user and not user.hashed_password:
|
||||
# Legacy user without password - allow skip for now or force set
|
||||
authenticated = True
|
||||
```
|
||||
**Descriere:** Orice utilizator cu `hashed_password = NULL` în baza de date (utilizatori LDAP migrați sau creați manual) poate fi autentificat fără parolă — câmpul `password` din cerere este complet ignorat.
|
||||
**Impact:** Escaladare de privilegii; un atacator care cunoaște un username LDAP se poate loga ca acel user fără parolă.
|
||||
**Remediere (aplicată):** Elimină bypass-ul; utilizatorii fără parolă locală trebuie forțați prin fluxul LDAP sau refuzați cu mesaj explicit.
|
||||
|
||||
---
|
||||
|
||||
### [C-03] Credențiale Default Admin:admin Auto-Seed
|
||||
**Fișier:** `backend/routers/users.py`
|
||||
**Cod vulnerabil:**
|
||||
```python
|
||||
hashed_password=get_password_hash("admin") # Default password
|
||||
```
|
||||
**Descriere:** La prima pornire, dacă baza de date este goală, se creează automat un utilizator `Admin` cu parola `admin`. Dacă administratorul uită să schimbe această parolă, contul rămâne trivial de accesat.
|
||||
**Impact:** Acces admin imediat pe instalații noi sau resetate.
|
||||
**Remediere (aplicată):** La seed-ul inițial se generează o parolă aleatoare și se loghează o singură dată la stdout, forțând schimbarea.
|
||||
|
||||
---
|
||||
|
||||
### [C-04] GEMINI_API_KEY cu Valoare Reală în Fișierul .env
|
||||
**Fișier:** `backend/.env`
|
||||
**Descriere:** Fișierul `.env` conține o cheie API Google Gemini activă (`AIzaSy...`). Dacă acest fișier este/a fost committed în git, cheia este expusă permanent în istoricul repository-ului.
|
||||
**Impact:** Costuri financiare (spam API), epuizare cotă, acces neautorizat la serviciul AI.
|
||||
**Remediere imediată:**
|
||||
1. Verificați `git log --all -- backend/.env` pentru a vedea dacă fișierul a fost committed.
|
||||
2. Dacă DA: rotați cheia imediat în Google Cloud Console, apoi purgeți din git history (`git filter-branch` sau `git filter-repo`).
|
||||
3. Asigurați-vă că `backend/.env` este în `.gitignore` (verificat — `.gitignore` există, dar trebuie confirmat că include `.env`).
|
||||
|
||||
---
|
||||
|
||||
## 🟠 VULNERABILITĂȚI HIGH
|
||||
|
||||
### [H-01] LDAP Injection în Search Filter
|
||||
**Fișier:** `backend/routers/users.py`, funcția `authenticate_ldap`
|
||||
**Cod vulnerabil:**
|
||||
```python
|
||||
search_filter = f"(|(cn={username})(uid={username}))"
|
||||
```
|
||||
**Descriere:** Username-ul este interpolat direct în filtrul LDAP fără escaping. Un atacator poate injecta filtre LDAP arbitrare (ex: `*)(uid=*` sau `admin)(|(uid=*`).
|
||||
**Impact:** Extragerea de conturi LDAP arbitrare, bypass autentificare LDAP.
|
||||
**Remediere (aplicată):** Folosire `ldap3.utils.conv.escape_filter_chars(username)` înainte de interpolarea în filter.
|
||||
|
||||
---
|
||||
|
||||
### [H-02] Niciun Rate Limiting pe Endpoint-ul AI (extract-label)
|
||||
**Fișier:** `backend/routers/items.py`, endpoint `POST /items/extract-label`
|
||||
**Descriere:** Endpoint-ul care trimite imagini către Gemini/Claude API nu are niciun mecanism de rate limiting. Un angajat rău intenționat sau un script poate trimite sute de cereri pe minut, epuizând bugetul API al companiei.
|
||||
**Impact:** DoS financiar, epuizare cotă AI.
|
||||
**Remediere:** Adăugare `slowapi` rate limiter (ex: 10 req/min per IP). **Necesită instalare dependință — discutați cu utilizatorul.**
|
||||
|
||||
---
|
||||
|
||||
### [H-03] Nicio Validare a Tipului/Dimensiunii Fișierului Imaginii
|
||||
**Fișier:** `backend/routers/items.py`, endpoint `POST /items/extract-label`
|
||||
**Cod vulnerabil:**
|
||||
```python
|
||||
async def extract_label(file: UploadFile = File(...)):
|
||||
contents = await file.read()
|
||||
```
|
||||
**Descriere:** Backend-ul acceptă orice fișier fără validare: tip MIME, extensie sau dimensiune maximă. Un atacator poate trimite fișiere executabile, ZIP bombs sau fișiere de sute de MB.
|
||||
**Impact:** DoS (memorie/CPU), injecție de conținut malițios.
|
||||
**Remediere (aplicată):** Validare content-type și limitare dimensiune la 10MB.
|
||||
|
||||
---
|
||||
|
||||
### [H-04] Endpoint-uri Sensibile de Administrare Complet Deschise
|
||||
**Fișier:** `backend/routers/users.py`
|
||||
**Endpoint-uri afectate:**
|
||||
- `POST /users/ldap-config` — suprascrie complet configurația LDAP
|
||||
- `POST /users/test-ldap` — testează conexiuni LDAP arbitrare (SSRF potențial)
|
||||
- `GET /users/` — enumerare completă utilizatori
|
||||
- `POST /users/` — creare utilizator cu orice rol (inclusiv `admin`)
|
||||
- `DELETE /users/{id}` — ștergere utilizatori
|
||||
|
||||
**Descriere:** Toate aceste endpoint-uri sunt accesibile fără autentificare sau verificare de rol.
|
||||
**Impact:** Preluare completă a sistemului de autentificare; SSRF prin `test-ldap`.
|
||||
**Remediere:** Part din [C-01] — adăugare `Depends(get_current_user)` cu verificare `role == "admin"`.
|
||||
|
||||
---
|
||||
|
||||
## 🟡 VULNERABILITĂȚI MEDIUM
|
||||
|
||||
### [M-01] CORS Invalid — allow_origins=["*"] cu allow_credentials=True
|
||||
**Fișier:** `backend/main.py`
|
||||
**Cod vulnerabil:**
|
||||
```python
|
||||
allow_origins=["*"],
|
||||
allow_credentials=True,
|
||||
```
|
||||
**Descriere:** Combinația `allow_origins=["*"]` + `allow_credentials=True` este **invalidă conform specificației CORS** (RFC). Browserele moderne o resping. Pe lângă eroarea funcțională, dacă `allow_origins` ar fi specific dar prea larg, ar permite atacuri CSRF cross-origin.
|
||||
**Impact:** Funcționalitate PWA potențial ruptă pe unele browsere; configurație incorectă de securitate.
|
||||
**Remediere (aplicată):** Înlocuit cu origini specifice din variabila de mediu `ALLOWED_ORIGINS`.
|
||||
|
||||
---
|
||||
|
||||
### [M-02] bulk-sync Acceptă user_id Arbitrar Fără Validare
|
||||
**Fișier:** `backend/routers/operations.py`, endpoint `POST /operations/bulk-sync`
|
||||
**Descriere:** Payload-ul `bulk-sync` include un `user_id` furnizat de client. Fără autentificare server-side, orice utilizator poate trimite operații atribuite altui utilizator, falsificând log-urile de audit.
|
||||
**Impact:** Contaminarea audit trail-ului; atribuirea frauduloasă a operațiunilor.
|
||||
**Remediere:** Part din [C-01] — `user_id` trebuie extras din token JWT, nu din body-ul cererii.
|
||||
|
||||
---
|
||||
|
||||
### [M-03] DEBUG Prints cu Date Sensibile LDAP în Logs
|
||||
**Fișier:** `backend/routers/users.py`
|
||||
**Cod vulnerabil:**
|
||||
```python
|
||||
print(f"DEBUG LDAP: Attempting bind for DN: {user_dn}")
|
||||
print(f"DEBUG LDAP: Bind successful for {user_dn}")
|
||||
```
|
||||
**Descriere:** DN-urile LDAP (care conțin username-uri) sunt logate la nivel DEBUG via `print()`, nu via sistemul de logging configurat. Aceste date ajung în log-urile containerului Docker, accesibile oricui are acces la `docker logs`.
|
||||
**Impact:** Expunerea structurii directorului LDAP și a username-urilor.
|
||||
**Remediere (aplicată):** Înlocuit `print()` cu `log.debug()` și nivel configurable.
|
||||
|
||||
---
|
||||
|
||||
## 🔵 VULNERABILITĂȚI LOW
|
||||
|
||||
### [L-01] Token de Sesiune Stocat Fără Mecanisme de Expirare
|
||||
**Fișier:** `frontend/app/login/page.tsx` (implicit, din comportamentul API)
|
||||
**Descriere:** Endpoint-ul `/users/login` returnează `{"user": {...}, "role": "..."}` fără niciun JWT token cu expirare. Frontend-ul stochează probabil aceste date în `localStorage` sau `sessionStorage`. Fără token de expirare, o sesiune furată este permanent validă.
|
||||
**Impact:** Hijacking de sesiune persistent.
|
||||
**Remediere:** Part din [C-01] — implementare JWT cu expirare (`exp` claim, 8h recomandat).
|
||||
|
||||
---
|
||||
|
||||
## ACȚIUNI LUATE AUTOMAT (Patch-uri)
|
||||
|
||||
Următoarele remedieri au fost aplicate direct în cod:
|
||||
|
||||
| ID | Fișier | Acțiune |
|
||||
|----|--------|---------|
|
||||
| C-02 | `backend/routers/users.py` | Eliminat bypass autentificare fără parolă |
|
||||
| C-03 | `backend/routers/users.py` | Înlocuit parola default "admin" cu parolă generată aleator |
|
||||
| H-01 | `backend/routers/users.py` | LDAP injection fix cu `escape_filter_chars` |
|
||||
| H-03 | `backend/routers/items.py` | Validare tip MIME + limită dimensiune 10MB pentru upload |
|
||||
| M-01 | `backend/main.py` | CORS fix cu origini specifice din env |
|
||||
| M-03 | `backend/routers/users.py` | Înlocuit `print()` cu `log.debug()` |
|
||||
|
||||
---
|
||||
|
||||
## ACȚIUNI NECESARE DE DISCUTAT (Arhitecturale)
|
||||
|
||||
Următoarele remedieri **NU au fost aplicate automat** deoarece implică modificări arhitecturale majore care necesită aprobare:
|
||||
|
||||
| ID | Descriere | Efort |
|
||||
|----|-----------|-------|
|
||||
| C-01 | Implementare completă JWT Bearer auth pe toate endpoint-urile | ~4h |
|
||||
| C-04 | Rotire cheie Gemini API + curățare git history | Imediat (manual) |
|
||||
| H-02 | Rate limiting cu `slowapi` pe endpoint AI | ~1h |
|
||||
| M-02 | user_id extras din token, nu din request body | Depinde de C-01 |
|
||||
| L-01 | JWT cu expirare pentru sesiuni frontend | Depinde de C-01 |
|
||||
|
||||
---
|
||||
|
||||
## CONCLUZII
|
||||
|
||||
Aplicația are o arhitectură de securitate incompletă — autentificarea există la nivel de UI/login, dar **nu este enforced la nivel de API**. Oricine care cunoaște URL-ul backend-ului poate accesa, modifica sau șterge orice date fără autentificare.
|
||||
|
||||
**Prioritate absolută înainte de producție:** C-01 (JWT enforcement), C-04 (rotire API key Gemini).
|
||||
## 3. Recommended Future Hardening
|
||||
- **Rate Limiting**: Currently applied to `/extract-label`. Consider applying it to all `/users/login` attempts to prevent brute-forcing local accounts.
|
||||
- **CORS**: Ensure `ALLOWED_ORIGINS` in `docker-compose.yml` is restricted to the specific production domain in the final environment.
|
||||
|
||||
@@ -5,6 +5,38 @@ Entries are added here when a new AI session starts.
|
||||
|
||||
---
|
||||
|
||||
## [Archived] Claude (Sonnet 4.6) — 2026-04-11 — Login Loop Fix Attempt
|
||||
|
||||
**Active AI:** Claude (Sonnet 4.6)
|
||||
**Archived:** 2026-04-11
|
||||
**Version:** v1.3.5 | **Branch:** dev
|
||||
|
||||
### What was broken when this session started
|
||||
- Login succeeds (LDAP user `bede`) but main page immediately redirects back to `/login`
|
||||
- Root cause: axiosInstance in `frontend/lib/api.ts` initialized at SSR time with wrong baseURL (`http://localhost:8000` instead of `https://192.168.84.140:3002`)
|
||||
- 401 interceptor redirects unconditionally — no guard for "already on /login"
|
||||
- No token guard on `page.tsx` before API calls fire
|
||||
|
||||
### What this session did
|
||||
1. `frontend/lib/api.ts` — axiosInstance baseURL now lazy (set in request interceptor, not at module init)
|
||||
2. `frontend/lib/api.ts` — 401 interceptor now guards: `!window.location.pathname.includes('/login')`
|
||||
3. `frontend/app/page.tsx` — token guard added to BOTH useEffect hooks (first one calls `getCategories`, second calls `loadInventory`)
|
||||
4. `frontend/lib/auth.ts` — removed debug console.log statements
|
||||
5. `frontend/app/login/page.tsx` — removed debug console.log statements + unused `memo` import
|
||||
|
||||
### What was NOT done / NOT verified
|
||||
- Server was NOT restarted after changes
|
||||
- Login flow was NOT tested end-to-end by this AI
|
||||
- The fix may still fail if there are other API calls in `page.tsx` or child components firing before token check
|
||||
|
||||
### IMPORTANT NOTE FOR NEXT AI
|
||||
The `page.tsx` file has pre-existing TypeScript errors (not introduced by this session):
|
||||
- Line 241: `Property 'serial_number' does not exist on type 'Item'`
|
||||
- Line 598-599: `Property 'type' does not exist on type 'Partial<Item>'`
|
||||
These are separate issues — do NOT conflate them with the login fix.
|
||||
|
||||
---
|
||||
|
||||
## [Archived] Claude — 2026-04-11 — Security Audit Phase Start
|
||||
|
||||
**Active AI:** Claude (Pending Handover)
|
||||
|
||||
@@ -1,259 +1,155 @@
|
||||
# CURRENT AI WORKING SESSION — IN PROGRESS
|
||||
# CURRENT AI WORKING SESSION — HANDOVER
|
||||
|
||||
**Active AI:** Claude (Haiku 4.5)
|
||||
**Active AI:** Gemini (Antigravity)
|
||||
**Last Updated:** 2026-04-11
|
||||
**Current Version:** v1.3.5
|
||||
**Current Version:** v1.3.5 (pending bump to v1.3.6)
|
||||
**Branch:** dev
|
||||
|
||||
---
|
||||
|
||||
## 🔧 CURRENT ISSUE — CORS Configuration Clarification
|
||||
## STATUS: 🟢 STABLE — READY FOR VERSION SAVE
|
||||
|
||||
### Two Deployment Methods
|
||||
The project supports two distinct deployment approaches:
|
||||
|
||||
#### 1. **Docker Compose** (Production / Containerized)
|
||||
- Uses `docker-compose.yml` with Caddy reverse proxy
|
||||
- Backend container on internal port 8000 → exposed via Caddy on 3002
|
||||
- Frontend container on internal port 3000 → exposed via Caddy on 3003
|
||||
- **Configuration:** `ALLOWED_ORIGINS` environment variable in docker-compose.yml
|
||||
- **Current setting:** `http://localhost:3000,http://localhost:3002`
|
||||
- **For remote deployment:** Must update ALLOWED_ORIGINS to include actual domain (e.g., `https://192.168.84.140:3003`)
|
||||
|
||||
#### 2. **start_server.sh** (Development / Native)
|
||||
- Runs Backend (uvicorn) + Frontend (Next.js) + local-ssl-proxy directly
|
||||
- Backend on port 8000 → SSL proxy on 3002
|
||||
- Frontend on port 3001 → SSL proxy on 3003
|
||||
- **Issue Fixed:** Script now automatically detects local IP and exports ALLOWED_ORIGINS
|
||||
- **Auto-configured for:** localhost + detected IP address on both HTTP and HTTPS
|
||||
|
||||
### Fix Applied (Commit Pending)
|
||||
Updated `start_server.sh` to:
|
||||
1. Detect local IP address (en0/en1 interface)
|
||||
2. Export ALLOWED_ORIGINS with all applicable origins:
|
||||
- HTTP localhost on dev ports (3000/3001)
|
||||
- HTTPS localhost on proxy ports (3002/3003)
|
||||
- HTTPS on detected IP address on proxy ports
|
||||
3. Display CORS configuration when starting backend
|
||||
4. Export JWT_SECRET_KEY if not already set
|
||||
|
||||
**Result:** Frontend at `https://<LOCAL_IP>:3003` can now access backend at `https://<LOCAL_IP>:3002` without CORS blocks.
|
||||
|
||||
### English Language Compliance
|
||||
Fixed Romanian comments in docker-compose.yml:
|
||||
- `"personalizează pentru producție"` → `"customize for production"`
|
||||
- `"GENEREAZĂ O VALOARE SIGURĂ"` → `"GENERATE A SECURE VALUE"`
|
||||
All UI/UX refinements from this session have been applied. The login loop (from previous Claude session) is confirmed fixed. The scanner has been fully redesigned. Documentation is up to date.
|
||||
|
||||
---
|
||||
|
||||
## 🎯 PREVIOUS SESSION — ALL TASKS FINALIZED + ENGLISH COMPLIANCE VERIFIED
|
||||
## WHAT WAS DONE THIS SESSION
|
||||
|
||||
### Final Status
|
||||
### 1. Scanner UI Redesign (`frontend/components/Scanner.tsx`)
|
||||
- **Layout**: Moved all controls OUT of the camera viewport overlay. Camera feed is now 100% unobstructed.
|
||||
- **Automated OCR**: Removed manual "OCR SCAN" button. OCR now runs automatically on a 4-second cycle.
|
||||
- **Visual Countdown**: Added a countdown display (4, 3, 2, 1, Scan) with a progress bar so the user can see the next scan timing.
|
||||
- **Scan-line animation**: Now only active when `isStarted && !isSelecting && !paused`.
|
||||
- **Typography**: Removed all `uppercase` and `tracking-widest` styles per `AI_RULES.md` Section 3.
|
||||
- **Silent failures**: Auto-OCR no longer shows toast errors if no text is found (silently retries on next cycle).
|
||||
|
||||
✅ **Security Audit** — complete (12 vulnerabilities, 6 direct patches)
|
||||
✅ **[C-01] JWT Bearer Auth** — complete (backend + frontend)
|
||||
✅ **[H-02] Rate Limiting** — complete (10 req/min on /items/extract-label)
|
||||
✅ **[M-01] CORS Configuration** — complete (ALLOWED_ORIGINS from env)
|
||||
✅ **[L-01] Token Expiry** — complete (8h JWT expiration)
|
||||
✅ **STRICT ENGLISH POLICY** — complete (all code, comments, docstrings translated; no Co-Authored-By signatures)
|
||||
### 2. Item Type Datalist (`AIOnboarding.tsx`, `page.tsx`, `inventory/page.tsx`)
|
||||
- Added a searchable `<datalist>` to the Item Type field across all relevant forms.
|
||||
- Dynamically populated with existing unique types from the DB, while still allowing manual free-text input.
|
||||
|
||||
### Session Commits
|
||||
|
||||
| Hash | Description |
|
||||
|------|-------------|
|
||||
| `247ea454` | security: audit + 6 patches (C-02, C-03, H-01, H-03, M-01, M-03) |
|
||||
| `9b6adad6` | feat: JWT Bearer auth on all routers |
|
||||
| `e9ada004` | docs: update SESSION_STATE JWT complete |
|
||||
| `e6ca33f2` | feat: frontend JWT, rate limiting, CORS |
|
||||
| `2574726f` | docs: final SESSION_STATE all tasks complete |
|
||||
### 3. `save-version` Automation Command
|
||||
- Created `scripts/save_version.py` — increments patch version in `VERSION.json`, commits all changes, creates a snapshot branch `v.X.Y.Z`, and generates the production ZIP via `./export_prod.sh`.
|
||||
- Registered as an official AI Command Shortcut in `AI_RULES.md` Section 6.
|
||||
|
||||
---
|
||||
|
||||
## 📋 Complete Implementations
|
||||
## WHAT THE NEXT AI MUST DO
|
||||
|
||||
### Backend
|
||||
|
||||
#### JWT Authentication [C-01]
|
||||
- ✅ `backend/auth.py` — JWT creation, validation, role checking
|
||||
- ✅ `/users/login` — returns `TokenResponse` (access_token, user_id, role, 8h expiry)
|
||||
- ✅ All routers — `Depends(get_current_user)` enforcement
|
||||
- ✅ Admin-only endpoints — `Depends(get_current_admin)`
|
||||
- ✅ user_id — extracted from JWT token, NOT from request body [M-02]
|
||||
|
||||
#### Rate Limiting [H-02]
|
||||
- ✅ `slowapi` integrated in requirements.txt
|
||||
- ✅ `/items/extract-label` — `@limiter.limit("10/minute")` per IP
|
||||
- ✅ Protection against spam on AI endpoint
|
||||
|
||||
#### CORS Configuration [M-01]
|
||||
- ✅ `ALLOWED_ORIGINS` from environment variable (fallback: localhost:3000, localhost:3002)
|
||||
- ✅ Specific HTTP methods: GET, POST, PUT, DELETE, OPTIONS
|
||||
- ✅ allow_credentials=True (valid with specific origins)
|
||||
|
||||
#### Direct Patches
|
||||
- ✅ C-02 — Removed passwordless bypass
|
||||
- ✅ C-03 — Admin seed with random password
|
||||
- ✅ H-01 — LDAP injection fix (escape_filter_chars)
|
||||
- ✅ H-03 — MIME validation + 10MB upload limit
|
||||
- ✅ M-03 — LDAP logging via log.debug()
|
||||
|
||||
### Frontend
|
||||
|
||||
#### JWT Handling [L-01]
|
||||
- ✅ `frontend/lib/auth.ts` — saveToken, getToken, getAuthHeader, clearAuth
|
||||
- ✅ Token storage — localStorage (inventory_token + inventory_user)
|
||||
- ✅ Login page — saves TokenResponse from /users/login
|
||||
- ✅ Token attachment — Axios interceptor adds `Authorization: Bearer <token>` to all requests
|
||||
|
||||
#### Token Expiry [L-01]
|
||||
- ✅ 401 Unauthorized → clearAuth() + redirect /login
|
||||
- ✅ Interceptor on axiosInstance
|
||||
- ✅ Auto-logout on expiration
|
||||
|
||||
### Deployment
|
||||
|
||||
#### docker-compose.yml
|
||||
- ✅ Backend environment variables: DATA_DIR, LOGS_DIR, ALLOWED_ORIGINS, JWT_SECRET_KEY
|
||||
- ✅ Comments for production configuration
|
||||
- ✅ Fallback values for development
|
||||
|
||||
#### Environment Variables
|
||||
|
||||
| Variable | Dev Default | Production Required | Purpose |
|
||||
|----------|-------------|-------------------|---------|
|
||||
| ALLOWED_ORIGINS | localhost:3000, localhost:3002 | SET REQUIRED | CORS allowed origins |
|
||||
| JWT_SECRET_KEY | ephemeral (random) | SET REQUIRED | JWT signing key |
|
||||
| DATA_DIR | /app/data | - | SQLite database location |
|
||||
| LOGS_DIR | /app/logs | - | Application logs location |
|
||||
1. Run `save-version` to finalize version `1.3.6` if not already done.
|
||||
2. Monitor TypeScript warnings as the `Item` interface in `frontend/lib/db.ts` may be missing fields.
|
||||
3. If the Item Type datalist grows too large, consider a dedicated "Category/Type Management" settings page.
|
||||
4. Periodically review `dev_docs/SECURITY_REPORT.md`.
|
||||
|
||||
---
|
||||
|
||||
## 📊 Vulnerability Status
|
||||
## SYSTEM STATE
|
||||
|
||||
| ID | Severity | Description | Status |
|
||||
|----|----------|-------------|--------|
|
||||
| C-01 | 🔴 CRITICAL | Zero authentication on API | ✅ PATCHED (JWT) |
|
||||
| C-02 | 🔴 CRITICAL | Passwordless user bypass | ✅ PATCHED |
|
||||
| C-03 | 🔴 CRITICAL | Default "admin" password | ✅ PATCHED |
|
||||
| C-04 | 🔴 CRITICAL | Gemini API key exposed | ✅ SAFE (never in git) |
|
||||
| H-01 | 🟠 HIGH | LDAP injection | ✅ PATCHED |
|
||||
| H-02 | 🟠 HIGH | Missing rate limit | ✅ PATCHED |
|
||||
| H-03 | 🟠 HIGH | File upload validation | ✅ PATCHED |
|
||||
| H-04 | 🟠 HIGH | Admin endpoints exposed | ✅ PATCHED (JWT) |
|
||||
| M-01 | 🟡 MEDIUM | CORS wildcard | ✅ PATCHED |
|
||||
| M-02 | 🟡 MEDIUM | user_id from body | ✅ PATCHED |
|
||||
| M-03 | 🟡 MEDIUM | Debug LDAP logging | ✅ PATCHED |
|
||||
| L-01 | 🔵 LOW | Token expiry | ✅ PATCHED |
|
||||
**Active database:** `<project_root>/data/inventory.db`
|
||||
**LDAP config:** `backend/config/ldap_config.json`
|
||||
```json
|
||||
{"ldap_enabled": true, "server_uri": "ldap://192.168.84.107:3890", "base_dn": "dc=example,dc=com", "user_template": "cn={username},ou=people,dc=example,dc=com", "groups_dn": "ou=groups", "use_tls": false, "role_mappings": [{"group": "inventory_admins", "role": "admin"}, {"group": "inventory_users", "role": "user"}]}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 🚀 Production Deployment Checklist
|
||||
|
||||
**CRITICAL — Set these environment variables before deploy:**
|
||||
|
||||
- [ ] **JWT_SECRET_KEY** — Generate with `openssl rand -hex 32` (store in secrets manager)
|
||||
- [ ] **ALLOWED_ORIGINS** — Set to actual production domain(s), e.g., `https://inventory.example.com`
|
||||
- [ ] **TLS/HTTPS** — Caddy proxy configured with valid SSL certificate
|
||||
- [ ] **Database backup** — SQLite data/ mapped to persistent volume
|
||||
- [ ] **Logs rotation** — logs/ mapped and monitored
|
||||
|
||||
**RECOMMENDED:**
|
||||
|
||||
- [ ] Set log level to WARNING (not DEBUG)
|
||||
- [ ] Configure rate limiting at reverse proxy level (nginx/Cloudflare) for DDoS protection
|
||||
- [ ] Monitor alert on 401 spikes (token expiry issues)
|
||||
- [ ] Periodic JWT_SECRET_KEY rotation (quarterly minimum)
|
||||
|
||||
---
|
||||
|
||||
## 🧪 Local Testing
|
||||
|
||||
### 1. Start Development Stack
|
||||
**How to start:**
|
||||
```bash
|
||||
docker-compose up --build
|
||||
./start_server.sh
|
||||
```
|
||||
- Frontend: `https://<LOCAL_IP>:3003`
|
||||
- Backend: `http://localhost:8000` direct
|
||||
|
||||
### 2. Test Login
|
||||
```bash
|
||||
curl -X POST http://localhost:8000/users/login \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"username": "Admin", "password": "<initial_password_from_logs>"}'
|
||||
```
|
||||
**Environment variables set by start_server.sh:**
|
||||
- `ALLOWED_ORIGINS` — auto-detected from local IP
|
||||
- `DATA_DIR` — absolute path to `<project_root>/data/`
|
||||
- `LOGS_DIR` — absolute path to `<project_root>/logs/`
|
||||
- `JWT_SECRET_KEY` — ephemeral per-run if not set externally
|
||||
|
||||
### 3. Test Protected Endpoint with Token
|
||||
```bash
|
||||
curl -H "Authorization: Bearer <access_token>" \
|
||||
http://localhost:8000/items/
|
||||
```
|
||||
|
||||
### 4. Test 401 Unauthorized (invalid token)
|
||||
```bash
|
||||
curl -H "Authorization: Bearer invalid_token" \
|
||||
http://localhost:8000/items/
|
||||
# Expected: 401 Unauthorized
|
||||
```
|
||||
|
||||
### 5. Test Rate Limiting (extract-label endpoint)
|
||||
```bash
|
||||
# 11 requests rapid fire — 11th should fail with 429
|
||||
for i in {1..15}; do
|
||||
curl -X POST -F "file=@image.jpg" \
|
||||
-H "Authorization: Bearer <token>" \
|
||||
http://localhost:8000/items/extract-label
|
||||
sleep 0.1
|
||||
done
|
||||
```
|
||||
This session applied the 3 frontend fixes for the login redirect loop. The server was NOT restarted and the login flow was NOT tested. The next AI must test and confirm — or continue debugging if the loop persists.
|
||||
|
||||
---
|
||||
|
||||
## ✅ Validations Completed
|
||||
## WHAT WAS DONE THIS SESSION
|
||||
|
||||
- ✅ Backend fully secured with JWT
|
||||
- ✅ Frontend token handling complete
|
||||
- ✅ Rate limiting on AI endpoint
|
||||
- ✅ CORS configurable via environment
|
||||
- ✅ All routers have authentication enforcement
|
||||
- ✅ Token expiry with automatic login redirect
|
||||
- ✅ Admin role checks functional
|
||||
- ✅ LDAP injection protection
|
||||
- ✅ File upload validation
|
||||
- ✅ Audit logging with user_id from token
|
||||
### 1. `frontend/lib/api.ts` — Lazy baseURL (Fix 1)
|
||||
|
||||
axiosInstance no longer receives baseURL at creation. `getBackendUrl()` is now called inside the request interceptor, at request time, so SSR can no longer lock it to `http://localhost:8000`.
|
||||
|
||||
```typescript
|
||||
// BEFORE (broken):
|
||||
const axiosInstance = axios.create({ baseURL: getBackendUrl() });
|
||||
|
||||
// AFTER (fixed):
|
||||
const axiosInstance = axios.create({});
|
||||
axiosInstance.interceptors.request.use((config) => {
|
||||
if (!config.baseURL) config.baseURL = getBackendUrl();
|
||||
const token = getToken();
|
||||
if (token) config.headers.Authorization = `Bearer ${token}`;
|
||||
return config;
|
||||
});
|
||||
```
|
||||
|
||||
### 2. `frontend/lib/api.ts` — 401 interceptor guard (Fix 2)
|
||||
|
||||
```typescript
|
||||
// BEFORE (broken — infinite loop):
|
||||
if (typeof window !== 'undefined') {
|
||||
window.location.href = '/login';
|
||||
}
|
||||
|
||||
// AFTER (fixed):
|
||||
if (typeof window !== 'undefined' && !window.location.pathname.includes('/login')) {
|
||||
window.location.href = '/login';
|
||||
}
|
||||
```
|
||||
|
||||
### 3. `frontend/app/page.tsx` — Token guard on both useEffect hooks (Fix 3)
|
||||
|
||||
Added `if (!localStorage.getItem('inventory_token')) { window.location.href = '/login'; return; }` at the top of BOTH useEffect hooks — the first one (calls `getCategories`) and the second one (calls `loadInventory`).
|
||||
|
||||
### 4. Debug cleanup
|
||||
- `frontend/lib/auth.ts` — removed `console.log('[Auth] saveToken...')` statements
|
||||
- `frontend/app/login/page.tsx` — removed `console.log('[LoginPage]...')` statements + unused `memo` import
|
||||
|
||||
---
|
||||
|
||||
## 🎓 Key Learnings
|
||||
## WHAT THE NEXT AI MUST DO
|
||||
|
||||
1. **CORS with credentials=True** — requires specific origins, NOT wildcards
|
||||
2. **Rate limiting** — essential on expensive endpoints (AI processing)
|
||||
3. **JWT expiration** — 8h balances security vs. UX
|
||||
4. **user_id from token** — eliminates operation spoofing
|
||||
5. **Debug logging** — careful with PII leaks (LDAP DNs)
|
||||
1. Restart the server: `./start_server.sh`
|
||||
2. Open `https://192.168.84.140:3003/login` in browser
|
||||
3. Log in with LDAP user `bede`
|
||||
4. Verify: main page loads and STAYS — no redirect back to `/login`
|
||||
5. Verify: `localStorage.getItem('inventory_token')` is non-null after login
|
||||
6. If loop persists: check browser Network tab for which API endpoint returns 401 first — there may be other API calls in child components (`PageShell`, `Scanner`, etc.) that fire before the token guard
|
||||
|
||||
---
|
||||
|
||||
## 📝 Production Environment Variables Example
|
||||
## KNOWN PRE-EXISTING ISSUES (not introduced by this session)
|
||||
|
||||
TypeScript errors in `frontend/app/page.tsx`:
|
||||
- Line 241: `Property 'serial_number' does not exist on type 'Item'`
|
||||
- Lines 598-599: `Property 'type' does not exist on type 'Partial<Item>'`
|
||||
|
||||
These are separate bugs — `Item` type in `frontend/lib/db.ts` is missing fields that the UI uses. Fix separately from the login issue.
|
||||
|
||||
---
|
||||
|
||||
## SYSTEM STATE
|
||||
|
||||
**Active database:** `<project_root>/data/inventory.db`
|
||||
**LDAP config:** `backend/config/ldap_config.json`
|
||||
```json
|
||||
{"ldap_enabled": true, "server_uri": "ldap://192.168.84.107:3890", "base_dn": "dc=example,dc=com", "user_template": "cn={username},ou=people,dc=example,dc=com", "groups_dn": "ou=groups", "use_tls": false, "role_mappings": [{"group": "inventory_admins", "role": "admin"}, {"group": "inventory_users", "role": "user"}]}
|
||||
```
|
||||
|
||||
**How to start:**
|
||||
```bash
|
||||
# Set these before `docker-compose up`
|
||||
export JWT_SECRET_KEY="$(openssl rand -hex 32)"
|
||||
export ALLOWED_ORIGINS="https://inventory.example.com,https://api.example.com"
|
||||
|
||||
docker-compose up -d
|
||||
./start_server.sh
|
||||
```
|
||||
- Frontend: `https://<LOCAL_IP>:3003`
|
||||
- Backend: `https://<LOCAL_IP>:3002` (also `http://localhost:8000` direct)
|
||||
|
||||
Or in `.env.production` (NOT in git):
|
||||
```
|
||||
JWT_SECRET_KEY=abcdef1234567890...
|
||||
ALLOWED_ORIGINS=https://inventory.example.com
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**Status:** 🚀 PRODUCTION-READY (with environment configuration required)
|
||||
|
||||
**Future Scope (OUT OF SCOPE):**
|
||||
- Email verification for new users
|
||||
- 2FA/TOTP support
|
||||
- OAuth2 federation (GitHub/Google/Azure)
|
||||
- API key management for service accounts
|
||||
- Audit log export/archival to cold storage
|
||||
**Environment variables set by start_server.sh:**
|
||||
- `ALLOWED_ORIGINS` — auto-detected from local IP (includes both HTTP and HTTPS variants)
|
||||
- `DATA_DIR` — absolute path to `<project_root>/data/`
|
||||
- `LOGS_DIR` — absolute path to `<project_root>/logs/`
|
||||
- `JWT_SECRET_KEY` — ephemeral per-run if not set externally (means tokens invalidated on restart)
|
||||
|
||||
Reference in New Issue
Block a user