This commit significantly improves the security and reliability of the
authentication module while maintaining all original functionality. Key changes:
- Security: Added input sanitization (sanitize-html, validator), rate limiting
(rate-limiter-flexible), CSRF protection (csurf), secure headers (helmet),
and logging (winston). Implemented secure token generation with HMAC-SHA256.
- Bug Fixes: Fixed username validation to allow underscores. Relaxed IP and
user-agent checks for local IPs to resolve "Invalid session" errors. Fixed
CSP violation for inline scripts using a nonce-based approach.
- Client-Side: Added debug logging, fallback meta refresh, and improved error
handling in the auto-login script.
- Logging: Enhanced logging for debugging (user-agent mismatches, invalid inputs).
- Config: Added STRICT_USER_AGENT_CHECK env var for production flexibility.
- Reorganized backend logic by moving API, authentication, Docker, status, and WebSocket handling into separate modules (api.js, auth.js, docker.js, status.js, websocket.js) within ./includes/
- Converted codebase to ES modules with import/export syntax for modern JavaScript
- Updated index.js to serve as main entry point, importing from ./includes/
- Reduced code duplication and improved readability with modularized functions
- Ensured full functionality preservation, including Docker stats and WebSocket communication
- Updated README to reflect new folder structure and ES module setup
