mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2026-05-20 05:10:26 -05:00

Files

T

Dries Peeters 29f7186ee8 docs: Reorganize documentation structure for better navigation

Complete reorganization of project documentation to improve discoverability,
navigation, and maintainability. All documentation has been restructured into
a clear, role-based hierarchy.

## Major Changes

### New Directory Structure
- Created `docs/api/` for API documentation
- Created `docs/admin/` with subdirectories:
  - `admin/configuration/` - Configuration guides
  - `admin/deployment/` - Deployment guides
  - `admin/security/` - Security documentation
  - `admin/monitoring/` - Monitoring and analytics
- Created `docs/development/` for developer documentation
- Created `docs/guides/` for user-facing guides
- Created `docs/reports/` for analysis reports and summaries
- Created `docs/changelog/` for detailed changelog entries (ready for future use)

### File Organization

#### Moved from Root Directory (40+ files)
- Implementation notes → `docs/implementation-notes/`
- Test reports → `docs/testing/`
- Analysis reports → `docs/reports/`
- User guides → `docs/guides/`

#### Reorganized within docs/
- API documentation → `docs/api/`
- Administrator documentation → `docs/admin/` (with subdirectories)
- Developer documentation → `docs/development/`
- Security documentation → `docs/admin/security/`
- Telemetry documentation → `docs/admin/monitoring/`

### Documentation Updates

#### docs/README.md
- Complete rewrite with improved navigation
- Added visual documentation map
- Organized by role (Users, Administrators, Developers)
- Better categorization and quick links
- Updated all internal links to new structure

#### README.md (root)
- Updated all documentation links to reflect new structure
- Fixed 8 broken links

#### app/templates/main/help.html
- Enhanced "Where can I get additional help?" section
- Added links to new documentation structure
- Added documentation index link
- Added admin documentation link for administrators
- Improved footer with organized documentation links
- Added "Complete Documentation" section with role-based links

### New Index Files
- Created README.md files for all new directories:
  - `docs/api/README.md`
  - `docs/guides/README.md`
  - `docs/reports/README.md`
  - `docs/development/README.md`
  - `docs/admin/README.md`

### Cleanup
- Removed empty `docs/security/` directory (moved to `admin/security/`)
- Removed empty `docs/telemetry/` directory (moved to `admin/monitoring/`)
- Root directory now only contains: README.md, CHANGELOG.md, LICENSE

## Results

**Before:**
- 45+ markdown files cluttering root directory
- Documentation scattered across root and docs/
- Difficult to find relevant documentation
- No clear organization structure

**After:**
- 3 files in root directory (README, CHANGELOG, LICENSE)
- Clear directory structure organized by purpose and audience
- Easy navigation with role-based organization
- All documentation properly categorized
- Improved discoverability

## Benefits

1. Better Organization - Documentation grouped by purpose and audience
2. Easier Navigation - Role-based sections (Users, Admins, Developers)
3. Improved Discoverability - Clear structure with README files in each directory
4. Cleaner Root - Only essential files at project root
5. Maintainability - Easier to add and organize new documentation

## Files Changed

- 40+ files moved from root to appropriate docs/ subdirectories
- 15+ files reorganized within docs/
- 3 major documentation files updated (docs/README.md, README.md, help.html)
- 5 new README index files created
- 2 empty directories removed

All internal links have been updated to reflect the new structure.

2025-12-14 07:56:07 +01:00

9.3 KiB

Raw Blame History

CSRF Token Docker Configuration - Implementation Summary

Overview

Successfully configured CSRF token support across all Docker deployment configurations to ensure CSRF protection works reliably with built Docker images.

Changes Made

1. Troubleshooting Comments Added

All docker-compose files now include inline troubleshooting guidance:

✅ Step-by-step checklist for common CSRF issues
✅ Clear diagnostic steps
✅ Reference to detailed documentation
✅ Context-specific advice for each deployment type

New Troubleshooting Resources:

CSRF_TROUBLESHOOTING.md - Quick reference guide with solutions
Inline comments in all docker-compose*.yml files
Extended troubleshooting section in env.example

2. Configuration Files Updated

`app/config.py`

✅ Added environment variable support for WTF_CSRF_ENABLED
✅ Added environment variable support for WTF_CSRF_TIME_LIMIT
✅ Updated DevelopmentConfig to allow CSRF override via environment
Impact: CSRF settings can now be controlled via environment variables

# Base Config
WTF_CSRF_ENABLED = os.getenv('WTF_CSRF_ENABLED', 'true').lower() == 'true'
WTF_CSRF_TIME_LIMIT = int(os.getenv('WTF_CSRF_TIME_LIMIT', 3600))

# Development Config
WTF_CSRF_ENABLED = os.getenv('WTF_CSRF_ENABLED', 'false').lower() == 'true'

`env.example`

✅ Fixed default WTF_CSRF_ENABLED=true for production
✅ Added comprehensive documentation about SECRET_KEY importance
✅ Added instructions for generating secure keys
Impact: New deployments will have correct CSRF defaults

2. Docker Compose Files Updated

All four docker-compose files have been updated with consistent CSRF configuration:

`docker-compose.yml` (Local Development with PostgreSQL)

environment:
  # IMPORTANT: Change SECRET_KEY in production! Used for sessions and CSRF tokens.
  # Generate a secure key: python -c "import secrets; print(secrets.token_hex(32))"
  - SECRET_KEY=${SECRET_KEY:-your-secret-key-change-this}
  # CSRF Protection (enabled by default for security)
  - WTF_CSRF_ENABLED=${WTF_CSRF_ENABLED:-true}
  - WTF_CSRF_TIME_LIMIT=${WTF_CSRF_TIME_LIMIT:-3600}

`docker-compose.remote.yml` (Production)

environment:
  # IMPORTANT: Change SECRET_KEY in production! Used for sessions and CSRF tokens.
  # Generate a secure key: python -c "import secrets; print(secrets.token_hex(32))"
  # The app will refuse to start with the default key in production mode.
  - SECRET_KEY=${SECRET_KEY:-your-secret-key-change-this}
  # CSRF Protection (enabled by default for security)
  - WTF_CSRF_ENABLED=${WTF_CSRF_ENABLED:-true}
  - WTF_CSRF_TIME_LIMIT=${WTF_CSRF_TIME_LIMIT:-3600}

`docker-compose.remote-dev.yml` (Remote Development)

environment:
  # IMPORTANT: Change SECRET_KEY in production! Used for sessions and CSRF tokens.
  # Generate a secure key: python -c "import secrets; print(secrets.token_hex(32))"
  - SECRET_KEY=${SECRET_KEY:-your-secret-key-change-this}
  # CSRF Protection (enabled by default for security)
  - WTF_CSRF_ENABLED=${WTF_CSRF_ENABLED:-true}
  - WTF_CSRF_TIME_LIMIT=${WTF_CSRF_TIME_LIMIT:-3600}

`docker-compose.local-test.yml` (Local Testing with SQLite)

environment:
  - SECRET_KEY=${SECRET_KEY:-local-test-secret-key}
  # CSRF Protection (can be disabled for local testing)
  - WTF_CSRF_ENABLED=${WTF_CSRF_ENABLED:-false}
  - WTF_CSRF_TIME_LIMIT=${WTF_CSRF_TIME_LIMIT:-3600}

3. Documentation Created

`docs/CSRF_CONFIGURATION.md`

Comprehensive documentation covering:

✅ How CSRF tokens work
✅ SECRET_KEY importance and generation
✅ Environment variable configuration
✅ Docker deployment scenarios
✅ Troubleshooting common issues
✅ Security best practices
✅ API endpoint exemptions

Key Improvements

1. SECRET_KEY Management

Clear warnings added to all docker-compose files
Generation instructions provided inline
Consistency requirement documented
Production validation already exists in app/__init__.py (app refuses to start with weak key)

2. CSRF Protection

Enabled by default in production environments
Configurable via environment variables
Proper defaults for different deployment scenarios
Consistent across all docker-compose files

3. Developer Experience

Clear inline comments in docker-compose files
Comprehensive documentation for troubleshooting
Environment variable examples in env.example
Flexible configuration for different use cases

How CSRF Tokens Work in Docker

┌─────────────────────────────────────────────────────────┐
│ 1. User visits form page                                │
│    → App generates CSRF token using SECRET_KEY          │
│    → Token embedded in form                             │
└─────────────────────────────────────────────────────────┘
                            ↓
┌─────────────────────────────────────────────────────────┐
│ 2. User submits form                                     │
│    → Browser sends CSRF token with request              │
└─────────────────────────────────────────────────────────┘
                            ↓
┌─────────────────────────────────────────────────────────┐
│ 3. App validates token                                   │
│    → Verifies signature using same SECRET_KEY           │
│    → Checks expiration (WTF_CSRF_TIME_LIMIT)           │
│    → ✓ Valid → Process request                          │
│    → ✗ Invalid → Return 400 error                       │
└─────────────────────────────────────────────────────────┘

Critical Requirements for CSRF Tokens

✅ Same SECRET_KEY Must Be Used

Across container restarts
Across multiple app replicas/containers
Between token generation and validation

✅ CSRF Protection Must Be Enabled

WTF_CSRF_ENABLED=true

✅ Appropriate Timeout

WTF_CSRF_TIME_LIMIT=3600  # 1 hour default

SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true

Testing the Configuration

1. Verify Environment Variables

docker-compose exec app env | grep -E "(SECRET_KEY|CSRF)"

2. Check CSRF Token in Forms

# View any form in the browser developer tools
# Look for: <input type="hidden" name="csrf_token" value="...">

3. Test Form Submission

Submit a form normally → Should work
Remove csrf_token field → Should get 400 error

4. Verify Logs

docker-compose logs app | grep -i csrf

Production Deployment Checklist

Generate secure SECRET_KEY: python -c "import secrets; print(secrets.token_hex(32))"
Set SECRET_KEY in .env file or environment
Verify WTF_CSRF_ENABLED=true (default)
Enable HTTPS and set SESSION_COOKIE_SECURE=true
Set REMEMBER_COOKIE_SECURE=true
Test form submissions after deployment
Monitor logs for CSRF errors

Backward Compatibility

✅ All changes are backward compatible

Default values match previous behavior
Existing deployments continue to work
No breaking changes to API

Security Improvements

✅ CSRF enabled by default in production
✅ Clear documentation about SECRET_KEY importance
✅ Inline warnings in configuration files
✅ Consistent configuration across deployments
✅ Environment-based control for flexibility

app/__init__.py - CSRF initialization and error handling
app/config.py - Configuration classes
env.example - Environment variable examples with troubleshooting
docker-compose*.yml - Docker deployment configurations (with inline troubleshooting)
docs/CSRF_CONFIGURATION.md - Detailed documentation
CSRF_TROUBLESHOOTING.md - Quick troubleshooting reference
CSRF_TOKEN_FIX_SUMMARY.md - Original CSRF implementation
scripts/verify_csrf_config.sh - Automated configuration checker (Linux/Mac)
scripts/verify_csrf_config.bat - Automated configuration checker (Windows)

References

Conclusion

CSRF tokens are now properly configured for Docker deployments with:

✅ Clear documentation and warnings
✅ Proper defaults for all deployment scenarios
✅ Environment variable control
✅ Consistent configuration across all docker-compose files
✅ Security best practices enforced

The application will now properly validate CSRF tokens in Docker deployments as long as a consistent SECRET_KEY is maintained.

9.3 KiB Raw Blame History