Enhance security and fix issues in secure-auth.js
This commit significantly improves the security and reliability of the authentication module while maintaining all original functionality. Key changes: - Security: Added input sanitization (sanitize-html, validator), rate limiting (rate-limiter-flexible), CSRF protection (csurf), secure headers (helmet), and logging (winston). Implemented secure token generation with HMAC-SHA256. - Bug Fixes: Fixed username validation to allow underscores. Relaxed IP and user-agent checks for local IPs to resolve "Invalid session" errors. Fixed CSP violation for inline scripts using a nonce-based approach. - Client-Side: Added debug logging, fallback meta refresh, and improved error handling in the auto-login script. - Logging: Enhanced logging for debugging (user-agent mismatches, invalid inputs). - Config: Added STRICT_USER_AGENT_CHECK env var for production flexibility.
This commit is contained in:
MCHost
@ -15,12 +15,14 @@
|
||||
"axios": "^1.10.0",
|
||||
"cookie-parser": "^1.4.7",
|
||||
"cors": "^2.8.5",
|
||||
"csurf": "^1.11.0",
|
||||
"dockerode": "^4.0.2",
|
||||
"dotenv": "^16.5.0",
|
||||
"envalid": "^8.0.0",
|
||||
"express": "^4.21.2",
|
||||
"helmet": "^8.1.0",
|
||||
"node-fetch": "^2.7.0",
|
||||
"rate-limiter-flexible": "^7.1.1",
|
||||
"sanitize-html": "^2.17.0",
|
||||
"ssh2-sftp-client": "^12.0.0",
|
||||
"unirest": "^0.6.0",
|
||||
|
||||
Reference in New Issue
Block a user