Merge pull request #24 from kittendevv/dev

feat: Enhance security headers and authentication mechanism

Author: kittendevv

.env.example

@@ -7,6 +7,17 @@
 ADMIN_USER=admin
 ADMIN_PASS=supersecret
 JWT_SECRET=change-me-in-production
+# Lifetime (seconds) for issued JWT sessions (min 300, max 43200)
+SESSION_TTL_SECONDS=3600
+# Set to false in local dev if you need to test without Secure cookies
+COOKIE_SECURE=true
+
+# Hardened security headers (set to true to disable during local troubleshooting)
+SECURE_HEADERS_DISABLED=false
+# Emit Strict-Transport-Security when requests arrive via HTTPS
+ENABLE_HSTS=false
+# Override default CSP for the backend API if custom hosts are needed
+# CONTENT_SECURITY_POLICY="default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'; connect-src 'self'"
 
 # SQLite database path
 # - For Docker (recommended):
@@ -40,4 +51,14 @@ FRONTEND_PORT_INTERNAL=8000
 # For Docker Compose (service name resolves on the network):
 BACKEND_URL=http://backend:3000
 # For local dev outside Docker, you might use:
-# BACKEND_URL=http://localhost:3000
+# BACKEND_URL=http://localhost:3000
+
+# =====================
+# Frontend security headers
+# =====================
+# Set to true to disable hardened headers (handy for local development)
+FRONTEND_SECURE_HEADERS_DISABLED=false
+# Emit Strict-Transport-Security when served via HTTPS
+ENABLE_HSTS=false
+# Override CSP if you host assets elsewhere (defaults admit Tailwind/DaisyUI CDNs)
+# FRONTEND_CONTENT_SECURITY_POLICY="default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:3000 https: ws: wss:; frame-ancestors 'none'; form-action 'self'; object-src 'none'; base-uri 'none'"

.github/workflows/docker.yml

@@ -56,6 +56,10 @@ jobs:
           images: |
             name=ghcr.io/${{ steps.repo.outputs.name }}-${{ matrix.image }},enable=true
 
+      - name: Copy VERSION into frontend build context
+        if: ${{ matrix.image == 'frontend' }}
+        run: cp VERSION frontend/VERSION
+
       - name: Build and push image
         uses: docker/[email protected]
         with:

.gitignore

@@ -13,5 +13,6 @@
 .env
 
 /frontend/static/dev
+/frontend/VERSION
 
 /Invio.wiki

VERSION

@@ -1 +1 @@
-1.6.0
+1.7.0

backend/README.md

@@ -6,7 +6,7 @@ download a good‑looking PDF. That’s it.
 ## Highlights
 
 - Simple JSON API (Deno + Hono) at `/api/v1`
-- Admin endpoints behind Basic Auth (ADMIN_USER/ADMIN_PASS)
+- Admin endpoints behind JWT bearer auth (ADMIN_USER/ADMIN_PASS bootstrap)
 - Public share links per invoice (no login)
 - HTML and PDF renderers share the same templates
 - UBL 2.1 (PEPPOL BIS Billing 3.0) XML export for each invoice
@@ -21,6 +21,11 @@ download a good‑looking PDF. That’s it.
 ```
 invio-backend
 ├── src
+JWT_SECRET=...
+# Optional security header toggles
+# SECURE_HEADERS_DISABLED=false
+# ENABLE_HSTS=true
+# CONTENT_SECURITY_POLICY="default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'; connect-src 'self'"
 │   ├── app.ts
 │   ├── routes
 │   │   ├── admin.ts
@@ -101,7 +106,7 @@ Principles
 
 ### Auth
 
-- Admin routes use Basic Auth (from ENV).
+- Admin routes require a JWT obtained via `/api/v1/auth/login` using the admin credentials from env.
 - Public routes use a share token (no auth).
 
 ### Settings
@@ -119,7 +124,11 @@ Principles
 Example:
 
 ```bash
-curl -u admin:supersecret -H "Content-Type: application/json" \
+TOKEN=$(curl -s -X POST http://localhost:3000/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"username":"admin","password":"supersecret"}' | jq -r '.token')
+
+curl -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" \
   -X PATCH http://localhost:3000/api/v1/settings \
   -d '{"companyName":"Your Company","logo":"https://example.com/logo.png","templateId":"professional-modern","highlight":"#6B4EFF"}'
 ```

backend/deno.json

@@ -39,6 +39,7 @@
     "puppeteer-core": "npm:[email protected]",
     "crypto": "https://deno.land/[email protected]/crypto/mod.ts",
     "dotenv": "https://deno.land/[email protected]/dotenv/mod.ts",
-    "yaml": "https://deno.land/[email protected]/yaml/mod.ts"
+    "yaml": "https://deno.land/[email protected]/yaml/mod.ts",
+    "std/path": "https://deno.land/[email protected]/path/mod.ts"
   }
 }

backend/src/app.ts

@@ -6,6 +6,11 @@ import { adminRoutes } from "./routes/admin.ts";
 import { publicRoutes } from "./routes/public.ts";
 import { authRoutes } from "./routes/auth.ts";
 
+const SECURE_HEADERS_DISABLED = (Deno.env.get("SECURE_HEADERS_DISABLED") || "").toLowerCase() === "true";
+const HSTS_ENABLED = (Deno.env.get("ENABLE_HSTS") || "").toLowerCase() === "true";
+const CONTENT_SECURITY_POLICY = Deno.env.get("CONTENT_SECURITY_POLICY") ||
+  "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'; connect-src 'self'";
+
 const app = new Hono();
 
 // Check for required credentials in environment
@@ -57,6 +62,39 @@ app.use(
   }),
 );
 
+app.use("*", async (c, next) => {
+  await next();
+  if (SECURE_HEADERS_DISABLED) return;
+  const headers = c.res.headers;
+  if (!headers.has("X-Content-Type-Options")) {
+    headers.set("X-Content-Type-Options", "nosniff");
+  }
+  if (!headers.has("X-Frame-Options")) {
+    headers.set("X-Frame-Options", "DENY");
+  }
+  if (!headers.has("Referrer-Policy")) {
+    headers.set("Referrer-Policy", "no-referrer");
+  }
+  if (!headers.has("Permissions-Policy")) {
+    headers.set("Permissions-Policy", "accelerometer=(), autoplay=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
+  }
+  if (!headers.has("Cross-Origin-Opener-Policy")) {
+    headers.set("Cross-Origin-Opener-Policy", "same-origin");
+  }
+  if (!headers.has("Cross-Origin-Resource-Policy")) {
+    headers.set("Cross-Origin-Resource-Policy", "same-site");
+  }
+  if (!headers.has("Content-Security-Policy")) {
+    headers.set("Content-Security-Policy", CONTENT_SECURITY_POLICY);
+  }
+  if (HSTS_ENABLED && !headers.has("Strict-Transport-Security")) {
+    const proto = c.req.header("x-forwarded-proto")?.toLowerCase() || (c.req.url.startsWith("https://") ? "https" : "http");
+    if (proto === "https") {
+      headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+    }
+  }
+});
+
 // Routes
 app.route("/api/v1", adminRoutes);
 app.route("/api/v1", publicRoutes);