From d5052c11fbf18d97fc91af4ef34b1eb4be7edfcd Mon Sep 17 00:00:00 2001 From: john-overton Date: Tue, 15 Apr 2025 16:04:02 -0500 Subject: [PATCH] updated documentation and made the correct changes to .env file --- .env | 2 +- CHANGELOG.md | 7 +++++++ README.md | 24 ++++++++++++++++++++++++ app/api/authReadme.md | 5 ++++- 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/.env b/.env index 7bde011..732e757 100644 --- a/.env +++ b/.env @@ -6,6 +6,6 @@ AUTH_LIFE="86400" #The idle time before being logged out IDLE_TIME="28800" # Version of the app -APP_VERSION="0.9.0" +APP_VERSION="0.9.2" # Whether to set cookies as secure (requires HTTPS) COOKIE_SECURE="false" \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index fa51804..a76290f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Sprout Track Changelog +## v0.9.2 (Release) - April 2025 + +### Changes + +- Fixed an issue where etc/timezones isn't available in docker images +- Added the ability to set cookie auth to require HTTPS or not. This is added to the .env file. When enabled the cookie will only be valid and sent when the app is accessed over HTTPS. When set to false the cookie will be valid and sent over HTTP or HTTPS. IMPORTANT: When setting this to true you must have an SSL certificate in place otherwise all main API's will be blocked. + ## v0.9.0 (Beta Release) - April 2025 The beta release of Sprout Track as a self-hostable baby tracking application. diff --git a/README.md b/README.md index d7f8c6e..db06b07 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ A Next.js application for tracking baby activities, milestones, and development. - [Database Scripts](#database-scripts) - [Utility Scripts](#utility-scripts) - [Updating the Application](#updating-the-application) +- [Environment Variables](#environment-variables) - [Docker Deployment](#docker-deployment) - [Prerequisites](#prerequisites-1) - [Quick Docker Setup](#quick-docker-setup) 
@@ -236,6 +237,29 @@ This will: Each script can also be run independently for specific operations. +## Environment Variables + +The application can be configured using environment variables in the `.env` file. Here are the available options: + +| Variable | Description | Default | Example | +|----------|-------------|---------|---------| +| `DATABASE_URL` | Path to the SQLite database | `"file:../db/baby-tracker.db"` | `"file:/path/to/custom/db.sqlite"` | +| `SERVICE_NAME` | Name of the systemd service | `"baby-tracker"` | `"sprout-track"` | +| `AUTH_LIFE` | Authentication token validity period in seconds | `"86400"` (24 hours) | `"43200"` (12 hours) | +| `IDLE_TIME` | Idle timeout before automatic logout in seconds | `"28800"` (8 hours) | `"3600"` (1 hour) | +| `APP_VERSION` | Application version | `"0.9.0"` | `"1.0.0"` | +| `COOKIE_SECURE` | Whether cookies require HTTPS connections | `"false"` | `"true"` | + +### Important Notes: + +- **DATABASE_URL**: Changing this after initial setup requires migrating your data manually. +- **AUTH_LIFE**: Lower values increase security but require more frequent logins. +- **IDLE_TIME**: Determines how long a user can be inactive before being logged out. +- **COOKIE_SECURE**: + - Set to `"false"` to allow cookies on non-HTTPS connections (development or initial setup) + - Set to `"true"` when you have an SSL certificate in place (recommended for production) + - When set to `"true"`, the application will only work over HTTPS connections + ## Docker Deployment The application can be easily deployed using Docker. This method provides a consistent environment and simplifies the setup process. diff --git a/app/api/authReadme.md b/app/api/authReadme.md index 77ad8b3..903b4f9 100644 --- a/app/api/authReadme.md +++ b/app/api/authReadme.md 
@@ -158,9 +158,12 @@ Authentication errors return appropriate HTTP status codes: 1. **Cookie Security**: - HTTP-only: Prevents JavaScript access to the cookie - - Secure: Only sent over HTTPS in production + - Secure: Only sent over HTTPS when `COOKIE_SECURE` environment variable is set to `"true"` - SameSite: Strict to prevent CSRF attacks - Limited expiration: 30 minutes + - The `COOKIE_SECURE` environment variable (in `.env` file) controls whether cookies require HTTPS: + - Set to `"false"` (default) to allow cookies on non-HTTPS connections + - Set to `"true"` when you have an SSL certificate in place and want to enforce secure cookies 2. **Session Management**: - Two separate timeout mechanisms are implemented:
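Review bot: in the `.env` hunk, `APP_VERSION` is bumped to `"0.9.2"` while the README table added in this same patch still lists the default as `"0.9.0"`; update the README row to `"0.9.2"` (or drop the literal version from the table and point readers at `.env`) so the two files do not drift apart on every release. The file also still ends with `\ No newline at end of file` after `COOKIE_SECURE="false"`; add the trailing newline so the next variable appended to `.env` is not concatenated onto the `COOKIE_SECURE` line. Since `.env` is tracked in git, an operator who sets `COOKIE_SECURE="true"` locally will hit a merge conflict on every version bump that touches this file; shipping a `.env.example` and keeping the deployed `.env` out of version control would avoid that.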
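Review bot: the first bullet under v0.9.2 in the `CHANGELOG.md` hunk, `Fixed an issue where etc/timezones isn't available in docker images`, describes a change that is not part of this patch (the diffstat lists only `.env`, `CHANGELOG.md`, `README.md` and `app/api/authReadme.md`); either reference the commit that made the Docker fix or move the bullet to that commit. In the second bullet, `all main API's will be blocked` should read `all main APIs`, and it should say what actually happens: with `COOKIE_SECURE="true"` a browser will not store or send the auth cookie over plain HTTP, so authenticated API requests fail with an authentication error rather than being "blocked". Because `false` means the session cookie travels in clear text on every HTTP request, the entry should also state that `false` is meant for local setup only and `true` is the recommended production value, as the README hunk already does.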
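Review bot: in the `README.md` hunk the `APP_VERSION` row gives the default as `"0.9.0"` while the `.env` hunk in this patch sets `"0.9.2"`; pick one. Under `COOKIE_SECURE`, the line `When set to "true", the application will only work over HTTPS connections` is imprecise: the server still answers over HTTP, but browsers drop a `Set-Cookie` carrying the `Secure` attribute that arrives over `http://` and never send such a cookie to an `http://` origin, so the login response comes back but no session is stored and every subsequent authenticated request fails. It would help operators to add that TLS terminated at a reverse proxy in front of the app counts as HTTPS from the browser's point of view, so `"true"` is the right setting there too, and that the `"false"` default sends the session cookie in clear text, which is why it should be limited to `localhost` or initial setup. The `DATABASE_URL` note, `requires migrating your data manually`, could point at the `Database Scripts` section already linked in the table of contents.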
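Review bot: `Limited expiration: 30 minutes` in the Cookie Security list of the `app/api/authReadme.md` hunk contradicts the configurable lifetimes documented elsewhere in this patch (`AUTH_LIFE` default `"86400"`, 24 hours, and `IDLE_TIME` default `"28800"`, 8 hours, in `.env` and the README table); either change the line to reference those variables or say which 30-minute value it refers to. The removed line `Secure: Only sent over HTTPS in production` carried a production recommendation that the new wording drops; restore it by stating that `COOKIE_SECURE="true"` is expected in production and `"false"` is a development or setup setting. Also, `an SSL certificate in place` would read better as `TLS/HTTPS configured`, since what the browser cares about is that the app is served from an `https://` origin, whether the certificate sits on the app itself or on a proxy in front of it.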