6ccb50c5f4
docs: consolidate and update documentation
...
- Remove obsolete instruction documents (PROMPT_*.md, SECURITY_FIXES.md)
- Update CLAUDE.md with security features, test suite, audit logs
- Merge Techstack_Dokumentation into INFRASTRUCTURE.md
- Update SECURITY.md with custom login route documentation
- Add changelog to TODO.md
- Update email service and data masking for SMTP error handling
- Extend test coverage for CSRF and data masking
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-09 09:25:00 +00:00
53f26e7349
feat: admin UX improvements with tenant switcher and email config
...
Tenant switcher UI:
- Add TenantBreadcrumb component showing active tenant in admin header
- Add German translations for multi-tenant plugin selector
- Integrate with existing plugin TenantSelector dropdown
Email configuration UX:
- Add SMTP field validation (host format, port range, required fields)
- Add EmailDeliverabilityInfo component with SPF/DKIM/DMARC guidance
- Add TestEmailButton component for SMTP configuration testing
- Create /api/test-email endpoint with full security:
  - CSRF protection (double-submit cookie)
  - IP allowlist (same rules as /api/send-email)
  - Rate limiting (10/min per user)
  - Tenant access control with proper object normalization
Security:
- Add comprehensive integration tests for /api/test-email
- Tests cover CSRF, IP blocking, auth, tenant access, input validation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-08 16:33:39 +00:00
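The commit above lists the guards on /api/test-email (double-submit cookie CSRF check, per-user rate limit of 10/min, auth) without showing how they fit together. The following is an added example written for this page, not the project's own code: the cookie name `csrf_token`, the header name `x-csrf-token`, the `Req` shape, and the `guardTestEmail` helper are assumptions, and the tenant and IP-allowlist checks the commit also mentions are left out so the block stays focused on the two mechanisms it names.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Minimal request shape used by this example (assumption: the real route
// adapts its framework's request object into something like this).
export interface Req {
  method: string;
  headers: Record<string, string | undefined>; // header names lower-cased
  cookies: Record<string, string | undefined>;
  userId?: string; // set by the auth layer; undefined for anonymous callers
}

export const CSRF_COOKIE = "csrf_token";   // hypothetical cookie name
export const CSRF_HEADER = "x-csrf-token"; // hypothetical header name
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Token issued to the browser; it is stored in the cookie and echoed in the header.
export function issueCsrfToken(): string {
  return randomBytes(32).toString("hex");
}

function requestOrigin(req: Req): string | undefined {
  if (req.headers.origin) return req.headers.origin;
  const referer = req.headers.referer;
  if (!referer) return undefined;
  try { return new URL(referer).origin; } catch { return "invalid"; }
}

// Double-submit cookie check: the token in the custom header must equal the
// token in the cookie. A cross-site form post sends the cookie automatically
// but cannot set the custom header, so the two never match. Returns null when
// the request passes, otherwise the reason it was rejected.
export function checkCsrf(req: Req, allowedOrigin: string): string | null {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return null;
  const cookie = req.cookies[CSRF_COOKIE];
  const header = req.headers[CSRF_HEADER];
  if (!cookie || !header) return "missing CSRF token";
  const a = Buffer.from(cookie, "utf8");
  const b = Buffer.from(header, "utf8");
  if (a.length !== b.length || !timingSafeEqual(a, b)) return "CSRF token mismatch";
  // Origin/Referer is an additional check when the browser sends one.
  const origin = requestOrigin(req);
  if (origin !== undefined && origin !== allowedOrigin) return "origin not allowed";
  return null;
}

// Fixed-window limiter: `limit` hits per `windowMs` per key (here: per user).
export class RateLimiter {
  private readonly buckets = new Map<string, { count: number; windowStart: number }>();
  constructor(private readonly limit = 10, private readonly windowMs = 60_000) {}

  hit(key: string, now = Date.now()): { allowed: boolean; remaining: number; retryAfterMs: number } {
    let bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
      bucket = { count: 0, windowStart: now }; // window reset
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + this.windowMs - now,
    };
  }
}

// Guard for a state-changing endpoint such as /api/test-email: returns the HTTP
// status the handler should answer with before it touches the SMTP config.
// Order matters: reject anonymous and forged requests before they consume quota.
export function guardTestEmail(req: Req, limiter: RateLimiter, allowedOrigin: string, now = Date.now()): number {
  if (!req.userId) return 401;
  if (checkCsrf(req, allowedOrigin) !== null) return 403;
  if (!limiter.hit(req.userId, now).allowed) return 429;
  return 200;
}
```

The limiter is in-memory and per-process; behind several instances the same user gets `limit` hits per instance, so a shared store is needed there. The comparison uses `timingSafeEqual` so that token validation does not leak how many leading bytes matched.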
0cdc25c4f0
feat: comprehensive security test suite
...
Add 143 security tests covering all security modules:
Unit Tests (125 tests):
- rate-limiter.unit.spec.ts: limiter creation, request tracking,
  blocking, window reset, IP extraction, header generation
- csrf.unit.spec.ts: token generation/validation, origin checking,
  double submit cookie pattern, referer validation
- ip-allowlist.unit.spec.ts: CIDR matching, wildcards, endpoint-specific
  allowlist/blocklist rules, IP extraction
- data-masking.unit.spec.ts: field detection, pattern matching,
  recursive masking, JWT/connection string/private key handling
API Integration Tests (18 tests):
- security-api.int.spec.ts: rate limiting responses, IP blocking,
  CSRF protection on state-changing endpoints
Test Infrastructure:
- tests/helpers/security-test-utils.ts: CSRF token generators,
  mock request builders, environment setup utilities
- vitest.config.mts: updated to include unit tests
- package.json: added test:unit and test:security scripts
- .github/workflows/security.yml: added security-tests CI job
Also updated detect-secrets.sh to ignore .spec.ts and .test.ts
files which may contain example secrets for testing purposes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-08 00:20:47 +00:00
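The data-masking module is described twice in this log: the first commit updates it for SMTP error handling, and the test list above names field detection, pattern matching, recursive masking and JWT/connection string/private key handling. The block below is an added example of that combination, written for this page and not taken from the project: the key-name regex, the three value patterns, the `[REDACTED]` marker and the `SAMPLE_SMTP_LOG` object are all constructed assumptions, and the sample SMTP failure is invented to exercise each path.

```typescript
// Key names whose values are masked wholesale, whatever they contain
// (field detection). No `g` flag, so .test() is stateless.
const SENSITIVE_KEY = /pass(word)?|secret|token|api[-_]?key|authorization|cookie|private[-_]?key/i;

// Value patterns masked inside any string, including error messages
// (pattern matching). Hypothetical, illustrative regexes.
const PEM_PRIVATE_KEY = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g;
const JWT = /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g;
// scheme://user:password@host -> keep scheme and user, mask only the password
const CONNECTION_STRING = /\b([a-z][a-z0-9+.-]*:\/\/[^\s/:@]+:)([^\s@]+)(@)/gi;

export const MASK = "[REDACTED]";

export function maskString(s: string): string {
  return s
    .replace(PEM_PRIVATE_KEY, MASK)
    .replace(JWT, MASK)
    .replace(CONNECTION_STRING, `$1${MASK}$3`);
}

// Recursively masks a value before it is logged. Errors are flattened to
// name/message so that the message text (where SMTP libraries tend to echo
// the server URL, credentials included) is scanned like any other string.
export function maskData(value: unknown, depth = 0): unknown {
  if (depth > 32) return MASK; // guard against cycles and absurd nesting
  if (typeof value === "string") return maskString(value);
  if (value instanceof Error) {
    return { name: value.name, message: maskString(value.message) };
  }
  if (Array.isArray(value)) return value.map((v) => maskData(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [key, v] of Object.entries(value)) {
      // A sensitive key masks the whole subtree; other keys recurse.
      out[key] = SENSITIVE_KEY.test(key) ? MASK : maskData(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Constructed sample: an SMTP configuration plus a failed connection attempt,
// as it might look just before being written to a log.
export const SAMPLE_SMTP_LOG = {
  host: "smtp.example.test",
  port: 587,
  auth: { user: "mailer", pass: "hunter2" },
  lastError: new Error("connect ECONNREFUSED smtp://mailer:hunter2@smtp.example.test:587"),
  trace: "Authorization header was Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  tlsKey: "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw\n-----END PRIVATE KEY-----",
};

export function maskedSample(): Record<string, any> {
  return maskData(SAMPLE_SMTP_LOG) as Record<string, any>;
}
```

Two things the sample is meant to show: `tlsKey` does not match the key-name regex, so only the PEM pattern catches it, and the password in `lastError` appears only inside a free-text message, so field detection alone would have leaked it. Passwords containing `@` or whitespace defeat the simple connection-string regex; a real implementation should parse with `new URL()` where the string is well-formed.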