Add drawing share links/grants, API base path support, and DX improvements

.dockerignore

@@ -7,3 +7,9 @@ dist
 .env
 .DS_Store
 *.log
+backend
+frontend/node_modules
+frontend/dist
+frontend/coverage
+frontend/test-results
+frontend/playwright-report

.github/workflows/test.yml

@@ -108,7 +108,7 @@ jobs:
         run: |
           # Start backend server in background
           cd backend
-          DATABASE_URL="file:${{ github.workspace }}/backend/prisma/e2e-test.db" FRONTEND_URL="http://localhost:5173" npm run dev &
+          DATABASE_URL="file:${{ github.workspace }}/backend/prisma/e2e-test.db" FRONTEND_URL="http://localhost:6767" npm run dev &
           BACKEND_PID=$!
           cd ..
 
@@ -132,7 +132,7 @@ jobs:
           # Wait for frontend to be ready
           echo "Waiting for frontend server..."
           for i in {1..30}; do
-            if curl -s http://localhost:5173 > /dev/null; then
+            if curl -s http://localhost:6767 > /dev/null; then
               echo "Frontend is ready!"
               break
             fi

.pnpm-store/v10/projects/3d9dc8786854ec3088fcfd3c145118e4

@@ -0,0 +1 @@
+../../../frontend

FORK.md

@@ -0,0 +1,69 @@
+# Fork Summary
+
+This fork adds optional security features and UX improvements with **zero breaking changes** and **minimal migration overhead**. All security features are **disabled by default** via feature flags.
+
+## Security Features Added
+
+1. **Password Reset** - Token-based password reset flow (`/auth/password-reset-request`, `/auth/password-reset-confirm`)
+2. **Refresh Token Rotation** - Prevents token reuse by rotating refresh tokens on each use
+3. **Audit Logging** - Logs security events (logins, password changes, deletions) for compliance
+
+## UX Improvements Added
+
+1. **Profile Page** - View and edit personal information, change password (`/profile`)
+2. **Select All Button** - Quick selection of all drawings in current view
+3. **Sort Dropdown** - Improved sort controls with icons and separate direction toggle
+4. **Auto-hide Header** - Editor header auto-hides to maximize drawing space (with toggle)
+
+## Backward Compatibility
+
+✅ All security features disabled by default  
+✅ No breaking changes to existing code  
+✅ Graceful degradation (missing tables don't cause errors)  
+✅ Optional database migration  
+
+## Enable Security Features
+
+Set in `backend/.env`:
+```bash
+ENABLE_PASSWORD_RESET=true
+ENABLE_REFRESH_TOKEN_ROTATION=true
+ENABLE_AUDIT_LOGGING=true
+```
+
+Then run migration:
+```bash
+cd backend && npx prisma migrate deploy
+```
+
+## Migration Strategy
+
+**For base project:** Keep features disabled (default) - no migration needed, zero risk.
+
+**For this fork:** Enable features via environment variables when ready.
+
+## Database Changes
+
+Migration adds 3 optional tables (only used when features enabled):
+- `PasswordResetToken` - For password reset flow
+- `RefreshToken` - For token rotation tracking
+- `AuditLog` - For security event logging
+
+## Code Changes
+
+### Backend
+- Feature flags in `backend/src/config.ts`
+- Conditional logic in auth endpoints
+- Graceful error handling for missing tables
+- New endpoints: `/auth/profile` (PUT), `/auth/change-password` (POST)
+- Audit logging utility (`backend/src/utils/audit.ts`)
+
+### Frontend
+- Password reset pages (`/reset-password`, `/reset-password-confirm`)
+- Profile page (`/profile`)
+- Select All button in Dashboard
+- Sort dropdown with icons
+- Auto-hide header in Editor with toggle
+- Updated API client for token rotation
+
+All changes are backward compatible and optional.

README.md

@@ -6,6 +6,8 @@
 ![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)
 [![Docker](https://img.shields.io/badge/docker-ready-blue.svg)](https://hub.docker.com)
 
+_Original repo can be found [here](https://github.com/ZimengXiong/ExcaliDash)_
+
 A self-hosted dashboard and organizer for [Excalidraw](https://github.com/excalidraw/excalidraw) with live collaboration features.
 
 ## Screenshots
@@ -99,6 +101,10 @@ docker compose -f docker-compose.prod.yml up -d
 # Access the frontend at localhost:6767
 ```
 
+For single-container deployments, `JWT_SECRET` can be omitted and will be auto-generated and persisted in the backend volume on first start. For portability and all multi-instance deployments, set a fixed `JWT_SECRET` explicitly.
+
+By default, the provided Compose files set `TRUST_PROXY=false` for safer setup. Only set `TRUST_PROXY` to a positive hop count (for example, `1`) when requests always pass through a trusted reverse proxy that correctly sets forwarded headers.
+
 ## Docker Build
 
 [Install Docker](https://docs.docker.com/desktop/)
@@ -121,6 +127,7 @@ docker compose up -d
 When running ExcaliDash behind Traefik, Nginx, or another reverse proxy, configure both containers so that API + WebSocket calls resolve correctly:
 
 - `FRONTEND_URL` (backend) must match the public URL that users hit (e.g. `https://excalidash.example.com`). This controls CORS and Socket.IO origin checks. **Supports multiple comma-separated URLs** for accessing from different addresses.
+- `TRUST_PROXY` (backend) should be set to `1` when requests pass through one trusted reverse proxy hop (for example: frontend nginx -> backend) and forwarded headers are sanitized. This ensures rate limiting and logging use the real client IP from trusted proxy headers.
 - `BACKEND_URL` (frontend) tells the Nginx container how to reach the backend from inside Docker/Kubernetes. Override it if your reverse proxy exposes the backend under a different hostname.
 
 ```yaml
@@ -129,6 +136,8 @@ backend:
   environment:
     # Single URL
     - FRONTEND_URL=https://excalidash.example.com
+    # Trust exactly one reverse-proxy hop
+    - TRUST_PROXY=1
     # Or multiple URLs (comma-separated) for local + network access
     # - FRONTEND_URL=http://localhost:6767,http://192.168.1.100:6767,http://nas.local:6767
 frontend:
@@ -141,7 +150,7 @@ frontend:
 
 ### Multi-Container / Kubernetes Deployments
 
-When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set the `CSRF_SECRET` environment variable to the same value across all instances.
+When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set both `JWT_SECRET` and `CSRF_SECRET` to the same values across all instances.
 
 ```bash
 # Generate a secure secret
@@ -152,11 +161,37 @@ openssl rand -base64 32
 # docker-compose.yml or k8s deployment
 backend:
   environment:
+    - JWT_SECRET=your-generated-jwt-secret-here
     - CSRF_SECRET=your-generated-secret-here
 ```
 
 Without this, each container generates its own ephemeral CSRF secret, causing token validation failures when requests are routed to different replicas. Single-container deployments work without this setting.
 
+### Authentication Modes (Local + OIDC)
+
+ExcaliDash supports three auth modes via backend `AUTH_MODE`:
+
+- `local` (default): native email/password login only.
+- `hybrid`: native login + OIDC login.
+- `oidc_enforced`: OIDC-only login (native login/register disabled).
+
+For OIDC modes (`hybrid` or `oidc_enforced`), set:
+
+```yaml
+backend:
+  environment:
+    - AUTH_MODE=oidc_enforced
+    - OIDC_PROVIDER_NAME=Authentik
+    - OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
+    - OIDC_CLIENT_ID=your-client-id
+    - OIDC_CLIENT_SECRET=your-client-secret
+    - OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
+    - OIDC_SCOPES=openid profile email
+```
+
+In `oidc_enforced` mode, unauthenticated users are automatically redirected to `/api/auth/oidc/start`.
+Users are linked by `(issuer, sub)` first, then by verified email, and optionally auto-provisioned.
+
 # Development
 
 ## Clone the Repository
@@ -197,6 +232,27 @@ npx prisma db push
 npm run dev
 ```
 
+### Simulate Auth Onboarding (Development)
+
+To simulate first-run authentication choice flows in local development:
+
+```bash
+cd ExcaliDash/backend
+
+# Preview what would change (no data modifications)
+npm run dev:simulate-auth-onboarding:dry-run
+
+# Simulate "fresh install" onboarding state
+# (wipes drawings/collections/libraries and removes non-bootstrap users)
+npm run dev:simulate-auth-onboarding:fresh
+
+# Simulate "migration" onboarding state (ensures legacy data exists)
+npm run dev:simulate-auth-onboarding:migration
+```
+
+After running a simulation while the backend is already running, wait about 5 seconds
+(auth mode cache TTL) or restart the backend before refreshing the UI.
+
 ## Project Structure
 
 ```

RELEASE.md

@@ -1,43 +1,9 @@
-CSRF Protection (8a78b2b)
+Multi user setup is opt-in, single user by default
 
-  - Implemented comprehensive CSRF (Cross-Site Request Forgery) protection for enhanced security
-  - Added new backend/src/security.ts module for security utilities
-  - Frontend API layer now handles CSRF tokens automatically
-  - Added integration tests for CSRF validation
+Multi-user support for excalidash
+- Admin dashboard
+- Password reset, force user password reset (admin only), account lockout recovery
+- Rate limits
 
-  Upload Progress Indicator (8f9b9b4)
+Deprecates .json and .sqlite database backups in favor of .excalidash archives (user scoped, prevents exporting of senstive information). Legacy import is maintained.
 
-  - Added a visual upload progress bar when users upload files
-  - New UploadContext for managing upload state across components
-  - New UploadStatus component displaying real-time upload progress
-  - Save status indicator when navigating back from the editor
-  - Improved error handling and recovery for failed uploads
-
-  Bug Fixes
-
-  - Fixed broken e2e tests (cae8f3c)
-  - Replaced deprecated substr() with substring()
-  - Fixed stale state issues in error handling
-  - Fixed missing useEffect dependencies
-  - Fixed CSS class conflicts in progress bar styling
-  - Added error recovery for save state in Editor
-
-  Infrastructure
-
-  - Updated docker-compose configurations with new environment variables
-  - E2E test suite improvements and reliability fixes
-  - Added Kubernetes deployment note in README
-
-### Kubernetes
-
-  A `CSRF_SECRET` environment variable is now required for CSRF protection. Generate a secure 32+ character random string:
-
-  ```bash
-  openssl rand -base64 32
-
-  Add it to your deployment:
-  - Docker Compose: Add CSRF_SECRET=<your-secret> to the backend service environment
-  - Kubernetes: Add to your ConfigMap/Secret and reference in the backend deployment
-
-  If not set, the backend will refuse to start.
-  ```

VERSION

@@ -1 +1 @@
-0.3.2
+0.4.6

backend/.dockerignore

@@ -9,3 +9,7 @@ dist
 *.log
 prisma/dev.db
 prisma/dev.db-journal
+src/generated
+coverage
+*.test.ts
+*.spec.ts

backend/.env.example

@@ -2,4 +2,28 @@
 PORT=8000
 NODE_ENV=production
 DATABASE_URL=file:/app/prisma/dev.db
-FRONTEND_URL=http://localhost:6767
+FRONTEND_URL=https://draw.louiscreates.com
+API_BASE_PATH=/api
+# Keep disabled unless traffic always comes through a trusted reverse proxy.
+TRUST_PROXY=false
+AUTH_MODE=local
+JWT_SECRET=change-this-secret-in-production-min-32-chars
+
+# Optional Feature Flags (all default to false for backward compatibility)
+# Set to "true" or "1" to enable:
+# ENABLE_PASSWORD_RESET=false
+# ENABLE_REFRESH_TOKEN_ROTATION=false
+# ENABLE_AUDIT_LOGGING=false
+
+# OIDC Configuration (required when AUTH_MODE=hybrid or AUTH_MODE=oidc_enforced)
+# OIDC_PROVIDER_NAME=Authentik
+# OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
+# OIDC_CLIENT_ID=your-client-id
+# OIDC_CLIENT_SECRET=your-client-secret
+# OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
+# OIDC_SCOPES=openid profile email
+# OIDC_EMAIL_CLAIM=email
+# OIDC_EMAIL_VERIFIED_CLAIM=email_verified
+# OIDC_REQUIRE_EMAIL_VERIFIED=true
+# OIDC_JIT_PROVISIONING=true
+# OIDC_FIRST_USER_ADMIN=true

backend/Dockerfile

@@ -3,12 +3,15 @@ FROM node:20-alpine AS builder
 
 WORKDIR /app
 
+# Native build deps for modules that may compile from source (e.g., better-sqlite3 on arm64)
+RUN apk add --no-cache python3 make g++
+
 # Copy package files
 COPY package*.json ./
 COPY tsconfig.json ./
 
 # Install dependencies
-RUN npm ci
+RUN npm ci && npm cache clean --force
 
 # Copy prisma schema
 COPY prisma ./prisma/
@@ -25,7 +28,7 @@ RUN npx tsc
 # Production stage
 FROM node:20-alpine
 
-# Install OpenSSL for Prisma and su-exec, create non-root user
+# Install runtime packages and create non-root user
 RUN apk add --no-cache openssl su-exec && \
     addgroup -g 1001 -S nodejs && \
     adduser -S nodejs -u 1001
@@ -36,7 +39,10 @@ WORKDIR /app
 COPY package*.json ./
 
 # Install production dependencies only
-RUN npm ci --only=production
+RUN apk add --no-cache --virtual .build-deps python3 make g++ && \
+    npm ci --omit=dev && \
+    npm cache clean --force && \
+    apk del .build-deps
 
 # Copy prisma schema and migrations for runtime and hydration template
 COPY prisma ./prisma/
@@ -48,9 +54,6 @@ COPY --from=builder /app/dist ./dist
 # Copy the generated Prisma Client from builder to maintain the same structure
 COPY --from=builder /app/src/generated ./dist/generated
 
-# Generate Prisma Client in production (updates node_modules)
-RUN npx prisma generate
-
 # Create necessary directories (ownership will be set in entrypoint)
 RUN mkdir -p /app/uploads /app/prisma