Nexus

Hartmut/Nexus

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	3452464809	fix(security): invalidate sessions on password change and remove hash from permission API responses - setUserPassword and resetPassword now call activeSession.deleteMany after updating the passwordHash, so any pre-change sessions are immediately revoked (CWE-613 session fixation after credential change) - setUserPermissions and resetUserPermissions now use explicit Prisma select to exclude passwordHash and totpSecret from the returned user object Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-09 21:37:56 +02:00
Hartmut	dc5bbdc47d	feat: centralize app base URL — no localhost fallback in production Introduce getAppBaseUrl() in packages/api/src/lib/app-base-url.ts: - Reads NEXTAUTH_URL (trimmed, trailing slash stripped) - production: throws if NEXTAUTH_URL is missing/empty so broken localhost links in emails are caught at runtime, not silently sent - development/test: falls back to http://localhost:3100 with a one-time console.warn Replace the duplicated inline fallback in: - packages/api/src/router/invite.ts (invite email link) - packages/api/src/router/auth.ts (password reset email link) Extend GET /api/health to report: "baseUrl": { "configured": bool, "isLocalhost": bool } so deployment checks can detect a misconfigured NEXTAUTH_URL. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-04-02 14:19:19 +02:00
Hartmut	fceceeee4b	feat: SMTP full ENV override, password reset flow, and E2E email testing - SMTP: SMTP_HOST/PORT/USER/FROM/TLS now all have ENV override support (previously only SMTP_PASSWORD was env-aware). ENV takes priority over DB. - docker-compose.yml: forward all SMTP_* env vars to app container + add Mailhog service (ports 1025 SMTP / 8025 HTTP, always available in dev) - Password reset: PasswordResetToken Prisma model + authRouter with requestPasswordReset (timing-safe, no email enumeration) + resetPassword - UI: /auth/forgot-password, /auth/reset-password/[token] pages + "Forgot password?" link on sign-in page - E2E: Mailhog helpers (getLatestEmailTo, clearMailhog, extractUrlFromEmail) + invite-flow.spec.ts + password-reset.spec.ts Co-Authored-By: claude-flow <ruv@ruv.net>	2026-04-02 08:55:39 +02:00

Author

SHA1

Message

Date

Hartmut

3452464809

fix(security): invalidate sessions on password change and remove hash from permission API responses

- setUserPassword and resetPassword now call activeSession.deleteMany after
  updating the passwordHash, so any pre-change sessions are immediately revoked
  (CWE-613 session fixation after credential change)
- setUserPermissions and resetUserPermissions now use explicit Prisma select to
  exclude passwordHash and totpSecret from the returned user object

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-09 21:37:56 +02:00

Hartmut

dc5bbdc47d

feat: centralize app base URL — no localhost fallback in production

Introduce getAppBaseUrl() in packages/api/src/lib/app-base-url.ts:
- Reads NEXTAUTH_URL (trimmed, trailing slash stripped)
- production: throws if NEXTAUTH_URL is missing/empty so broken
  localhost links in emails are caught at runtime, not silently sent
- development/test: falls back to http://localhost:3100 with a
  one-time console.warn

Replace the duplicated inline fallback in:
- packages/api/src/router/invite.ts (invite email link)
- packages/api/src/router/auth.ts (password reset email link)

Extend GET /api/health to report:
  "baseUrl": { "configured": bool, "isLocalhost": bool }
so deployment checks can detect a misconfigured NEXTAUTH_URL.

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-04-02 14:19:19 +02:00

Hartmut

fceceeee4b

feat: SMTP full ENV override, password reset flow, and E2E email testing

- SMTP: SMTP_HOST/PORT/USER/FROM/TLS now all have ENV override support
  (previously only SMTP_PASSWORD was env-aware). ENV takes priority over DB.
- docker-compose.yml: forward all SMTP_* env vars to app container + add
  Mailhog service (ports 1025 SMTP / 8025 HTTP, always available in dev)
- Password reset: PasswordResetToken Prisma model + authRouter with
  requestPasswordReset (timing-safe, no email enumeration) + resetPassword
- UI: /auth/forgot-password, /auth/reset-password/[token] pages +
  "Forgot password?" link on sign-in page
- E2E: Mailhog helpers (getLatestEmailTo, clearMailhog, extractUrlFromEmail)
  + invite-flow.spec.ts + password-reset.spec.ts

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-04-02 08:55:39 +02:00

3 Commits