update readme for allowed_iframe_origins

.env.example

@@ -9,6 +9,8 @@ PORT=3000
 # You must update this to the url you use to access your site
 BASE_URL=http://localhost:3000/
 
+#ALLOWED_IFRAME_ORIGINS= #DEPRECATED and will be used as ALLOWED_ORIGINS if SET
+
 # Comma-separated list of allowed origins for CORS
 # (default: '*' if empty, add your base_url if you want to restrict only to base_url)
 # When adding multiple origins, base_url will be included by default

README.md

@@ -125,6 +125,10 @@ See `.env.example` for a template and more details.
 <details>
 <summary>ALLOWED_IFRAME_ORIGINS (DEPRECATED: see ALLOWED_ORIGINS)</summary>
 
+- This is now deprecated but still works for backwards compatibility
+- ALLOWED_IFRAME_ORIGINS will be used as a fallback if ALLOWED_ORIGINS is not set
+- Please update to ALLOWED_ORIGINS for future compatibility
+
 ~~To allow this app to be embedded in an iframe on specific origins (such as Organizr), set the `ALLOWED_IFRAME_ORIGINS` environment variable. For example:~~
 
 ```env

docker-compose.yml

@@ -2,6 +2,8 @@ services:
     dumbdrop:
         image: dumbwareio/dumbdrop:latest
         # build: .
+        container_name: dumbdrop 
+        restart: unless-stopped 
         ports:
             - 3000:3000
         volumes:
@@ -19,6 +21,7 @@ services:
             # Comma-separated list of allowed origins for CORS
             # (default: '*' if empty, replace with your base_url if you want to restrict only to base_url)
             # When adding multiple origins, base_url will be included by default and does not need to the list
+            # ALLOWED_IFRAME_ORIGINS: #DEPRECATED and will be used as ALLOWED_ORIGINS if SET
             # ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com
 
             # Additional available environment variables (commented out with defaults)

src/app.js

@@ -17,7 +17,7 @@ const logger = require('./utils/logger');
 const { ensureDirectoryExists } = require('./utils/fileUtils');
 const { getHelmetConfig, requirePin } = require('./middleware/security');
 const { safeCompare } = require('./utils/security');
-const { initUploadLimiter, pinVerifyLimiter, downloadLimiter } = require('./middleware/rateLimiter');
+const { initUploadLimiter, pinVerifyLimiter, pinStatusLimiter, downloadLimiter } = require('./middleware/rateLimiter');
 const { injectDemoBanner, demoMiddleware } = require('./utils/demoMode');
 const { originValidationMiddleware, getCorsOptions } = require('./middleware/cors');
 
@@ -41,6 +41,7 @@ app.use((req, res, next) => {
   const publicPaths = [
     '/login',
     '/login.html',
+    '/api/auth/logout',
     '/api/auth/verify-pin',
     '/api/auth/pin-required',
     '/api/auth/pin-length',
@@ -71,6 +72,9 @@ const fileRoutes = require('./routes/files');
 const authRoutes = require('./routes/auth');
 
 // Use routes with appropriate middleware
+// Apply strict rate limiting to PIN verification, but more permissive to status checks
+app.use('/api/auth/pin-required', pinStatusLimiter);
+app.use('/api/auth/logout', pinStatusLimiter);
 app.use('/api/auth', pinVerifyLimiter, authRoutes);
 app.use('/api/upload', requirePin(config.pin), initUploadLimiter, uploadRouter);
 app.use('/api/files', requirePin(config.pin), downloadLimiter, fileRoutes);

src/config/index.js

@@ -117,12 +117,12 @@ const config = {
    * Port for the server (default: 3000)
    * Set via PORT in .env
    */
-  port: process.env.PORT,
+  port: PORT,
   /**
    * Node environment (default: 'production')
    * Set via NODE_ENV in .env
    */
-  nodeEnv: process.env.NODE_ENV,
+  nodeEnv: NODE_ENV,
   /**
    * Base URL for the app (default: http://localhost:${PORT})
    * Set via BASE_URL in .env

src/middleware/cors.js

@@ -1,4 +1,4 @@
-const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS || '*';
+const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS || process.env.ALLOWED_IFRAME_ORIGINS || '*';
 const NODE_ENV = process.env.NODE_ENV || 'production';
 let allowedOrigins = [];
 
@@ -61,7 +61,7 @@ function validateOrigin(origin) {
 }
 
 function originValidationMiddleware(req, res, next) {
-  const origin = req.headers.referer || `${req.protocol}://${req.headers.host}`;
+  const origin = req.headers.origin || req.headers.referer || `${req.protocol}://${req.headers.host}`;
   const isOriginValid = validateOrigin(origin);
   if (isOriginValid) {
       next();

src/middleware/rateLimiter.js

@@ -48,7 +48,7 @@ const chunkUploadLimiter = createLimiter({
 
 /**
  * Rate limiter for PIN verification attempts
- * Prevents brute force attacks
+ * Prevents brute force attacks on actual PIN verification
  */
 const pinVerifyLimiter = createLimiter({
   windowMs: 15 * 60 * 1000, // 15 minutes
@@ -57,6 +57,24 @@ const pinVerifyLimiter = createLimiter({
     error: 'Too many PIN verification attempts. Please try again later.'
   },
   standardHeaders: true,
+  legacyHeaders: false,
+  // Apply strict rate limiting only to PIN verification, not PIN status checks
+  skip: (req) => {
+    return req.path === '/pin-required'; // Skip rate limiting for PIN requirement checks
+  }
+});
+
+/**
+ * Rate limiter for PIN status checks
+ * More permissive for checking if PIN is required
+ */
+const pinStatusLimiter = createLimiter({
+  windowMs: 60 * 1000, // 1 minute window
+  max: 30, // 30 requests per minute
+  message: {
+    error: 'Too many requests. Please wait before trying again.'
+  },
+  standardHeaders: true,
   legacyHeaders: false
 });
 
@@ -78,5 +96,6 @@ module.exports = {
   initUploadLimiter,
   chunkUploadLimiter,
   pinVerifyLimiter,
+  pinStatusLimiter,
   downloadLimiter
 }; 

src/middleware/security.js

@@ -48,16 +48,19 @@ const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`;
 // }
 
 function getHelmetConfig() {
+  // const isSecure = BASE_URL.startsWith('https://');
+  
   return {
     noSniff: true, // Prevent MIME type sniffing
     frameguard: { action: 'deny' }, // Prevent clickjacking
-    hsts: { maxAge: 31536000, includeSubDomains: true }, // Enforce HTTPS for one year
-    crossOriginEmbedderPolicy: true,
-    crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
-    crossOriginResourcePolicy: { policy: 'same-origin' },
+    crossOriginEmbedderPolicy: false, // Disable for local network access
+    crossOriginOpenerPolicy: false, // Disable to prevent warnings on HTTP
+    crossOriginResourcePolicy: { policy: 'cross-origin' }, // Allow cross-origin for local network
     referrerPolicy: { policy: 'no-referrer-when-downgrade' }, // Set referrer policy
     ieNoOpen: true, // Prevent IE from executing downloads
+    // hsts: isSecure ? { maxAge: 31536000, includeSubDomains: true } : false, // Only enforce HTTPS if using HTTPS
     // Disabled Helmet middlewares:
+    hsts: false,
     contentSecurityPolicy: false, // Disable CSP for now
     dnsPrefetchControl: true, // Disable DNS prefetching
     permittedCrossDomainPolicies: false,

src/server.js

@@ -22,10 +22,11 @@ async function startServer() {
     // Initialize the application
     await initialize();
     
-    // Start the server
-    const server = app.listen(config.port, () => {
+    // Start the server - bind to 0.0.0.0 for Docker compatibility
+    const server = app.listen(config.port, '0.0.0.0', () => {
       logger.info(`Server running at ${config.baseUrl}`);
-      logger.info(`Upload directory: ${config.uploadDisplayPath}`);
+      logger.info(`Server listening on 0.0.0.0:${config.port}`);
+      logger.info(`Upload directory: ${config.uploadDir}`);
       
       // List directory contents in development
       if (config.nodeEnv === 'development') {