* CORS/CSP fix
* deprecate ALLOWED_IFRAME_ORIGINS
* Revert "deprecate ALLOWED_IFRAME_ORIGINS"
This reverts commit 9792f06691.
* Reapply "deprecate ALLOWED_IFRAME_ORIGINS"
This reverts commit 683ee93036.
* Add helmet config and deprecate previous ALLOWED_IFRAME_ORIGINS
* add build to docker compose for local builds
* set server to listen on 0.0.0.0 and control with cors
* Remove hsts from helmet and apply new pin status check limits
* add back allowed_iframe_origins env as a fallback for allowed_origins
* update readme for allowed_iframe_origins
* feat: Add ALLOWED_IFRAME_ORIGINS configuration and update security headers (#47)
- Introduced ALLOWED_IFRAME_ORIGINS environment variable to specify trusted origins for iframe embedding.
- Updated security headers middleware to conditionally allow specified origins in Content Security Policy.
- Enhanced documentation in README.md to explain the new configuration and its security implications.
Fixes #35
* feat: Update .env.example and .gitignore for improved configuration management
- Enhanced .env.example with detailed comments for environment variables, including upload settings, security options, and notification configurations.
- Updated .gitignore to include additional editor and OS-specific files, ensuring a cleaner repository.
- Modified package.json to add a predev script for Node.js version validation and adjusted the dev script for nodemon.
- Improved server.js shutdown handling to prevent multiple shutdowns and ensure graceful exits.
- Refactored config/index.js to log loaded environment variables and ensure the upload directory exists based on environment settings.
- Cleaned up fileUtils.js by removing unused functions and improving logging for directory creation.
This commit enhances clarity and maintainability of configuration settings and improves application shutdown behavior.
* feat: Update Docker configuration and documentation for upload handling
- Explicitly set the upload directory environment variable in docker-compose.yml to ensure clarity in file storage.
- Simplified the Dockerfile by removing the creation of the local_uploads directory, as it is now managed by the host system.
- Enhanced README.md to reflect changes in upload directory management and provide clearer instructions for users.
- Removed outdated development configuration files to streamline the development setup.
This commit improves the clarity and usability of the Docker setup for file uploads.
* feat: Add Local Development Guide and update README for clarity
- Introduced a comprehensive LOCAL_DEVELOPMENT.md file with setup instructions, testing guidelines, and troubleshooting tips for local development.
- Updated README.md to include a link to the new Local Development Guide and revised sections for clarity regarding upload directory management.
- Enhanced the Quick Start section to direct users to the dedicated local development documentation.
This commit improves the onboarding experience for developers and provides clear instructions for local setup.
* feat: Implement BASE_URL configuration for asset management and API requests
- Added BASE_URL configuration to README.md, emphasizing the need for a trailing slash when deploying under a subpath.
- Updated index.html and login.html to utilize BASE_URL for linking stylesheets, icons, and API requests, ensuring correct asset loading.
- Enhanced app.js to replace placeholders with the actual BASE_URL during HTML rendering.
- Implemented a validation check in config/index.js to ensure BASE_URL is a valid URL and ends with a trailing slash.
This commit improves the flexibility of the application for different deployment scenarios and enhances asset management.
Fixes #34, Fixes #39, Fixes #38
* Update app.js, borked some of the css n such
* resolved BASE_URL breaking frontend
* fix: Update BASE_URL handling and security headers
- Ensured BASE_URL has a trailing slash in app.js to prevent asset loading issues.
- Refactored index.html and login.html to remove leading slashes from API paths for correct concatenation with BASE_URL.
- Enhanced security headers middleware to include 'connect-src' directive in Content Security Policy.
This commit addresses issues with asset management and improves security configurations.
Chores & Configuration
• Enhanced development setup: optimized Dockerfile, refined scripts, and improved .gitignore.
• Updated docker-compose for better dev/prod separation.
• Improved documentation in README and source files.
Features & Enhancements
• Refactored project structure with modular architecture.
• Improved testing infrastructure and integration tests.
• Enhanced file upload logic, client-side handling, and API routes.
• Implemented robust server shutdown, rate limiting, and cleanup mechanisms.
• Improved upload progress tracking with UI enhancements.
• Strengthened security in PIN authentication and cookie handling.
Refactors & Fixes
• Cleaned up test infrastructure, logging, and error handling.
• Simplified API route paths and improved middleware.
• Fixed incorrect total storage size reporting.
• Optimized logging verbosity based on environment.
Documentation
• Expanded project documentation and comments for clarity.