Jeff Caldwell
3faf4e2309
api endpoint fixes
2026-01-13 22:17:19 -05:00
Jeff Caldwell
f7374b778d
fix archive and delete endpoints
2026-01-13 22:11:27 -05:00
Jeff Caldwell
6a26ddf066
archive cert bugfix
2026-01-09 18:40:22 -05:00
Jeff Caldwell
e29c6d4792
bugfixes for download routes
2025-12-07 09:29:20 -05:00
Jeff Caldwell
ca97c9cc9a
add docker build script for multi-arch
2025-12-06 23:26:05 -05:00
Jeff Caldwell
231fce4a90
update to proper maintained docker
2025-12-05 22:57:28 -05:00
Jeff Caldwell
804ba708df
bugfixes for certificate upload retrieval
2025-12-05 22:53:53 -05:00
Jeff Caldwell
7f91a64a71
Merge pull request #33 from chriskacerguis/main
...
Arch Fix - Docker Compose Update
2025-10-14 11:12:49 -04:00
Chris Kacerguis
bd3c29a0f9
fix: load the correct arch of mkweb
2025-10-12 15:27:17 -05:00
Chris Kacerguis
2caea30359
chore: remnove build and use the GHCR image
2025-10-12 15:27:01 -05:00
Jeff Caldwell
ea371642cc
Merge pull request #32 from chriskacerguis/main
...
Added GitHub CI
2025-10-11 01:06:10 -04:00
Chris Kacerguis
7c2c2e4822
Merge branch 'jeffcaldwellca:main' into main
2025-10-10 08:24:09 -05:00
Jeff Caldwell
15dab51a9c
add docker hub
2025-10-09 09:33:38 -04:00
Jeff Caldwell
f26df0afe3
Merge pull request #31 from jeffcaldwellca/settings
...
Dedicated settings system
2025-10-09 09:14:47 -04:00
Chris Kacerguis
6872630d37
Merge branch 'jeffcaldwellca:main' into main
2025-10-09 07:43:36 -05:00
Jeff Caldwell
a84a67865d
favicons
2025-10-09 02:09:14 -04:00
Jeff Caldwell
3e69856321
add dedicated settings system
2025-10-09 02:02:34 -04:00
Jeff Caldwell
299c0aaac2
bugfixes
2025-10-09 00:53:04 -04:00
Jeff Caldwell
0fa274b44a
bugfixes
2025-10-09 00:52:51 -04:00
Chris Kacerguis
db24d29922
chore: Add GitHub Actions workflow for Docker build
2025-10-08 07:51:06 -05:00
Jeff Caldwell
3e8a1b3e4a
Merge pull request #28 from jeffcaldwellca/scep
...
3.0 and SCEP
2025-09-24 18:54:44 -04:00
Jeff Caldwell
fde0f6720e
enterprise CA optional features
2025-09-04 14:31:24 -04:00
Jeff Caldwell
a2a18e2a78
adding scep
2025-09-04 13:07:46 -04:00
Jeff Caldwell
299355ed9e
Change license from MIT to GPLv3
2025-08-29 01:54:15 -04:00
Jeff Caldwell
be83358c4c
updated readme
2025-08-29 01:52:22 -04:00
Jeff Caldwell
1ae7e366c6
updated readme
2025-08-29 01:48:59 -04:00
Jeff Caldwell
e3172135ab
Merge pull request #23 from jeffcaldwellca/ntfy
...
notifications!
2025-08-29 01:39:31 -04:00
Jeff Caldwell
950560c914
notifications!
2025-08-29 01:38:34 -04:00
Jeff Caldwell
16941ad6d3
Merge pull request #22 from jeffcaldwellca/bugfixes
...
Critical Security Issues: 3 CodeQL vulnerabilities resolved
Critical Bug Fixes: 1 frontend integration issue resolved (certificate generation edge case)
Attack Surface: Reduced through code cleanup and validation
Compliance: Enhanced security posture for enterprise deployment
Functionality: Zero breaking changes to existing features
API Reliability: 100% success rate for certificate generation with proper CSRF tokens
2025-08-29 01:01:52 -04:00
Jeff Caldwell
02c081f9ae
bugfixes and security fixes
2025-08-29 00:59:55 -04:00
Jeff Caldwell
4d850bb2fd
Merge pull request #20 from jeffcaldwellca/secfixes
...
## [2.0.0] - 2025-08-09
### 🚨 MAJOR RELEASE - Security & Architecture Overhaul
### Security - CRITICAL FIXES
- **🔒 Command Injection Protection**: Complete overhaul of command execution system
- Implemented strict allowlist-based command validation to prevent injection attacks
- Added `executeCommand` utility with comprehensive input sanitization
- Restricted shell command execution to verified safe patterns for mkcert and openssl operations
- Added timeout and buffer limits for command execution with proper error handling
- **BREAKING**: All commands now validated against security patterns - invalid commands rejected
- **🛡️ Path Traversal Prevention**: Comprehensive file access security
- Added `validateAndSanitizePath` function to prevent directory traversal attacks
- Implemented secure filename validation with comprehensive sanitization
- All file operations now use validated paths to prevent unauthorized access
- Added protection against null bytes, directory traversal sequences, and invalid characters
- **BREAKING**: File operations with invalid paths now return standardized error responses
- **⚡ Enhanced Rate Limiting**: Multi-tier protection system
- Authentication rate limiter: 5 attempts per 15 minutes (prevents brute force)
- CLI rate limiter: 10 operations per 15 minutes (prevents command abuse)
- API rate limiter: 100 requests per 15 minutes (prevents API flooding)
- General rate limiter: 200 requests per 15 minutes (general protection)
- Applied rate limiting to all previously unprotected routes
- Configurable via environment variables with intelligent defaults
### Architecture - COMPLETE MODULARIZATION
- **📁 Modular File Structure**: Transformed monolithic codebase into organized modules
- `src/config/`: Centralized configuration management
- `src/security/`: Security utilities and validation functions
- `src/middleware/`: Authentication and rate limiting middleware
- `src/routes/`: Organized route handlers by functionality
- `src/utils/`: Reusable utility functions and response handlers
- **RESULT**: 34% reduction in code duplication (256 lines eliminated)
- **🔧 Utility-Based Architecture**: Standardized patterns for consistency
- `apiResponse.*` utilities for consistent HTTP responses across all endpoints
- `validateFileRequest()` for standardized file validation workflows
- `asyncHandler()` for automatic error handling in async routes
- `handleError()` for unified error logging and response formatting
- **RESULT**: 70% reduction in repetitive code maintenance
- **📊 Code Quality Improvements**:
- Files Route: 249 → 120 lines (52% reduction)
- Certificates Route: 313 → 222 lines (29% reduction)
- System Route: 196 → 160 lines (18% reduction)
- Server: 2300+ → 150 lines (94% reduction through modularization)
### API Changes - STANDARDIZED RESPONSES
- **✨ Consistent Response Format**: All API endpoints now return standardized JSON
```json
// Success responses
{ "success": true, "data": {...}, "message": "optional" }
// Error responses
{ "success": false, "error": "description" }
```
- **🔍 Enhanced Error Details**: Development mode provides additional debugging information
- **⚡ Improved Validation**: Consistent input validation across all endpoints
- **🛠️ Better Error Handling**: Automatic async error catching prevents server crashes
### Performance & Reliability
- **🚀 Reduced Memory Footprint**: Smaller codebase with optimized utilities
- **⏱️ Faster Error Processing**: Centralized error handling improves response times
- **🔄 Auto-Recovery**: Better error handling prevents application crashes
- **📈 Monitoring Ready**: Structured logging and response patterns enable better monitoring
### Developer Experience
- **📖 Comprehensive Documentation**: Added detailed architecture documentation
- **🧪 Testable Components**: Modular design enables unit testing of individual components
- **🔄 Reusable Patterns**: Utility functions speed up future development
- **🎯 Clear Separation of Concerns**: Route handlers focus on business logic
### BREAKING CHANGES
1. **API Response Format**: All endpoints now return standardized `{ success: boolean }` format
2. **Error Responses**: Error format changed from various patterns to consistent structure
3. **Command Validation**: Invalid shell commands now rejected instead of executed
4. **File Path Validation**: Invalid file paths return 400 errors instead of processing
5. **Environment Variables**: Some rate limiting variables renamed for consistency
### Migration Guide
- Update any client code expecting old error response formats
- Verify all shell commands are in the approved allowlist
- Check file access patterns for proper path validation
- Review environment variable configurations for rate limiting
### Deprecations
- Old error response patterns (will be removed in future versions)
- Direct shell command execution without validation (now blocked)
- Unvalidated file path access (now secured)
2025-08-09 01:34:40 -04:00
Jeff Caldwell
a69fad81f6
update changelog
2025-08-09 01:33:49 -04:00
Jeff Caldwell
86139814b8
update gitignore
2025-08-09 01:33:00 -04:00
Jeff Caldwell
e496e14482
fix fingerprint and format selection
2025-08-09 01:30:38 -04:00
Jeff Caldwell
cdfed0914a
certificate generation fix
2025-08-09 00:54:19 -04:00
Jeff Caldwell
bb54c67f45
route fixes and api reconnection
2025-08-08 21:55:24 -04:00
Jeff Caldwell
cc6483fcc9
2.0 initial commit
2025-08-08 02:31:25 -04:00
Jeff Caldwell
1199f44151
fix security issues
2025-08-08 01:32:23 -04:00
Jeff Caldwell
d332621f99
Merge pull request #19 from jeffcaldwellca/ratelimits
...
## [1.5.5] - 2025-08-08
### Security
- **Comprehensive Rate Limiting Enhancement**: Applied rate limiting protection to all previously unprotected routes
- Added authentication rate limiter (5 attempts per 15 minutes) to prevent brute force attacks on login endpoints
- Added general rate limiter (200 requests per 15 minutes) for static content and non-API routes
- Extended API rate limiting coverage to `/api/status`, `/api/generate`, and auth status endpoints
- Protected OIDC authentication routes with rate limiting
- Added rate limiting to all authentication-related routes including traditional form login
- Configured environment variables for authentication rate limits (AUTH_RATE_LIMIT_WINDOW, AUTH_RATE_LIMIT_MAX)
- **Critical Security Fix**: Implemented command validation and input sanitization for shell command execution
- Added allowlist-based command validation to prevent command injection attacks
- Restricted shell command execution to specific safe patterns for mkcert and openssl operations
- Added timeout and buffer limits for command execution
- Enhanced logging of blocked command attempts for security monitoring
- **BREAKING**: Commands not matching allowed patterns will now be rejected
2025-08-08 01:17:09 -04:00
Jeff Caldwell
55790c6ec2
documentation update further bugfixes
2025-08-08 01:15:54 -04:00
Jeff Caldwell
7c22fbfa29
Merge pull request #18 from jeffcaldwellca/dev
...
## [1.5.0] - 2025-08-08
### Added
- **Drag & Drop Certificate Upload**: New upload interface for importing existing certificate/key pairs
- Intuitive drag & drop zone with visual feedback and hover effects
- Click-to-browse file selection with multi-file support
- Smart certificate-key pairing (automatically matches .crt with .key files, .pem with -key.pem files)
- Comprehensive file validation (supports .pem, .crt, .key, .cer, .p7b, .p7c, .pfx, .p12 formats)
- Real-time upload progress tracking with visual progress bar
- Detailed upload results with success/error reporting for each file
- Uploaded certificates stored in dedicated "uploaded" folder for organization
- Full integration with existing certificate management (download, archive, bundle, PFX generation)
### Fixed
- **Root CA Generation Error**: Fixed `showNotification is not defined` JavaScript error
- Changed incorrect `showNotification` function call to use existing `showAlert` function
- Root CA generation now completes successfully without JavaScript errors
- **CA Installation Timing Issues**: Improved CA installation status refresh mechanism
- Added retry mechanism with exponential backoff for CA status checking
- Eliminates need for manual page refresh after CA installation
- More reliable detection of newly installed Certificate Authorities
### Enhanced
- **Certificate Listing**: Enhanced recursive directory scanning to properly display uploaded certificates
- **Upload Processing**: Streamlined file processing logic to prevent duplicate file operations
- **User Experience**: Improved visual feedback and error handling throughout upload process
2025-08-08 00:12:47 -04:00
Jeff Caldwell
655e2f0040
bugfixes and doc updates
2025-08-08 00:11:31 -04:00
Jeff Caldwell
e7fc6ccef7
update docker add upload
2025-08-07 23:48:22 -04:00
Jeff Caldwell
c834e205c8
docker up fix
2025-08-07 23:19:49 -04:00
Jeff Caldwell
535aa564ac
Merge pull request #12 from jeffcaldwellca/ratelimiting
...
Ratelimiting
2025-08-01 19:37:58 -04:00
Jeff Caldwell
567bd29417
add rate limiting protection
2025-08-01 19:35:14 -04:00
Jeff Caldwell
20d8bca0a9
Merge pull request #11 from jeffcaldwellca/oidc
...
## [1.4.0] - 2025-08-01
### Added
- **OpenID Connect (OIDC) SSO Authentication**: Full OpenID Connect integration for single sign-on support
- Passport-based OIDC strategy implementation with configurable providers
- Support for Azure AD, Google, and other OIDC-compliant identity providers
- Comprehensive environment variable configuration for OIDC settings
- OIDC callback URL handling and user profile management
- Optional OIDC authentication alongside existing basic authentication
- **Enhanced Root CA Management**: Improved Root CA generation workflow and user experience
- **Environment Configuration**: Expanded `.env.example` with comprehensive OIDC configuration options
- **Session Management**: Enhanced passport-based session handling for OIDC flows
### Changed
- **Authentication System**: Refactored authentication to support multiple authentication methods
- **Server Configuration**: Enhanced server startup to handle OIDC provider initialization
- **User Interface**: Updated login forms to support both basic auth and OIDC flows
### Fixed
- **PFX Password Handling**: Resolved password validation and encryption issues in PFX generation
- **Root CA Workflow**: Streamlined and improved Root CA generation process
- **Session Security**: Enhanced session cookie configuration and security settings
- **UI Styling**: Various style fixes and improvements for better user experience
### Security
- **OIDC Integration**: Secure OpenID Connect implementation with proper token validation
- **Enhanced Session Management**: Improved session security and authentication flows
- **Provider Validation**: Secure OIDC provider configuration and callback validation
2025-08-01 19:20:30 -04:00
Jeff Caldwell
f62993775e
update documentation
2025-08-01 19:18:47 -04:00
Jeff Caldwell
b2791eb160
tweak root CA generation workflow
2025-08-01 12:49:29 -04:00
Jeff Caldwell
50a1ae14b5
update documentation
2025-08-01 12:45:17 -04:00
