Archive/screentinker

Fork 0

mirror of https://github.com/screentinker/screentinker.git synced 2026-05-15 07:32:23 -06:00

Commit graph

Author	SHA1	Message	Date
ScreenTinker	772ead28a2	Fix reset-admin.js: honor recovery token in requireAuth scripts/reset-admin.js signed a JWT with a synthetic id ("recovery-XXX") and instructed the operator to paste it into localStorage. But the requireAuth middleware always SELECTs the user row by id, so every authed API call under the recovery token returned 401 "User not found" and the recovery flow was effectively dead. Fix: - reset-admin.js now sets a `recovery: true` claim on the JWT. - requireAuth / optionalAuth short-circuit the DB lookup when decoded.recovery === true and synthesize a req.user record in memory (role: admin, plan_id: enterprise). The synthetic user is never persisted, so FK-constrained writes that expect a real user (creating devices, etc.) will still fail — which is fine, recovery is only meant to let the operator reset a password or create a fresh admin via the Settings UI. Security: a recovery token still requires the jwtSecret to sign, so only someone with filesystem access to the server can mint one. Token TTL remains 1h. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-21 19:08:49 -05:00
ScreenTinker	afbe113acf	Security audit remediation: auth, IDOR, XSS, hardening - Device WebSocket authentication: devices get a device_token on registration, must present it on reconnect. All WS events require prior auth. Timing-safe token comparison. - IDOR fixes: ownership checks on schedules (device, week), layouts (all CRUD, zones, duplicate, device assign), video-walls (content, device-config). - XSS prevention: shared esc() helper in utils.js, fixed 13 innerHTML injection points across 9 frontend files. - OAuth hardening: no longer silently overwrites auth_provider on accounts with local passwords (returns 409). - JWT pinned to HS256 for sign and verify. - Password policy: change endpoint now requires 8 chars (was 6). - HSTS header enabled (max-age 1 year, includeSubDomains). - Stripe webhook rejects unsigned payloads when no secret configured. - Screenshot size validation (max 2MB base64). - Rate limiting on exports, imports, content operations. - Content file serving checks playlist_items instead of old assignments. - Content ownership verified in device-groups assign-content. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-11 22:48:07 -05:00
ScreenTinker	1594a9d4a4	Initial open source release ScreenTinker - open source digital signage management software. MIT License, all features included, no license gates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-08 12:14:53 -05:00

Author

SHA1

Message

Date

ScreenTinker

772ead28a2

Fix reset-admin.js: honor recovery token in requireAuth

scripts/reset-admin.js signed a JWT with a synthetic id ("recovery-XXX")
and instructed the operator to paste it into localStorage. But the
requireAuth middleware always SELECTs the user row by id, so every
authed API call under the recovery token returned 401 "User not found"
and the recovery flow was effectively dead.

Fix:
- reset-admin.js now sets a `recovery: true` claim on the JWT.
- requireAuth / optionalAuth short-circuit the DB lookup when
  decoded.recovery === true and synthesize a req.user record in
  memory (role: admin, plan_id: enterprise). The synthetic user is
  never persisted, so FK-constrained writes that expect a real
  user (creating devices, etc.) will still fail — which is fine,
  recovery is only meant to let the operator reset a password or
  create a fresh admin via the Settings UI.

Security: a recovery token still requires the jwtSecret to sign,
so only someone with filesystem access to the server can mint one.
Token TTL remains 1h.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-21 19:08:49 -05:00

ScreenTinker

afbe113acf

Security audit remediation: auth, IDOR, XSS, hardening

- Device WebSocket authentication: devices get a device_token on
  registration, must present it on reconnect. All WS events require
  prior auth. Timing-safe token comparison.
- IDOR fixes: ownership checks on schedules (device, week), layouts
  (all CRUD, zones, duplicate, device assign), video-walls (content,
  device-config).
- XSS prevention: shared esc() helper in utils.js, fixed 13 innerHTML
  injection points across 9 frontend files.
- OAuth hardening: no longer silently overwrites auth_provider on
  accounts with local passwords (returns 409).
- JWT pinned to HS256 for sign and verify.
- Password policy: change endpoint now requires 8 chars (was 6).
- HSTS header enabled (max-age 1 year, includeSubDomains).
- Stripe webhook rejects unsigned payloads when no secret configured.
- Screenshot size validation (max 2MB base64).
- Rate limiting on exports, imports, content operations.
- Content file serving checks playlist_items instead of old assignments.
- Content ownership verified in device-groups assign-content.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-11 22:48:07 -05:00

ScreenTinker

1594a9d4a4

Initial open source release

ScreenTinker - open source digital signage management software.
MIT License, all features included, no license gates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-08 12:14:53 -05:00

3 commits