mporwoll/cms.c2sgmbh
1
0
Fork 0
mirror of https://github.com/complexcaresolutions/cms.c2sgmbh.git synced 2026-03-17 18:34:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
72 commits 17 branches 0 tags 17 MiB
Commit graph

9 commits

Author SHA1 Message Date
Martin Porwoll
fdc6876207 fix(ci): add CI stub to security integration tests 
Ensure CSRF validation works normally during security API tests.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2025-12-15 13:27:44 +00:00
Martin Porwoll
47d4825f77 revert: downgrade to Next.js 15.5.9 for Payload compatibility 
Payload CMS 3.68.4 doesn't officially support Next.js 16 yet.
Reverting to 15.5.9 restores full compatibility.

Changes:
- Revert next: 16.0.10 → 15.5.9
- Revert eslint-config-next: 16.0.10 → 15.5.9
- Revert proxy.ts → middleware.ts (Next.js 15 convention)
- Restore eslint config in next.config.mjs
- Remove turbopack config (not needed for Next.js 15)

Test fixes (TypeScript errors):
- Fix MockPayloadRequest interface (remove PayloadRequest extension)
- Add Where type imports to access control tests
- Fix headers type casting in rate-limiter tests
- Fix localization type guard in i18n tests
- Add type property to post creation in search tests
- Fix nodemailer mock typing in email tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2025-12-15 10:07:39 +00:00
Martin Porwoll
6ccb50c5f4 docs: consolidate and update documentation 
- Remove obsolete instruction documents (PROMPT_*.md, SECURITY_FIXES.md)
- Update CLAUDE.md with security features, test suite, audit logs
- Merge Techstack_Dokumentation into INFRASTRUCTURE.md
- Update SECURITY.md with custom login route documentation
- Add changelog to TODO.md
- Update email service and data masking for SMTP error handling
- Extend test coverage for CSRF and data masking

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-09 09:25:00 +00:00
Martin Porwoll
53f26e7349 feat: admin UX improvements with tenant switcher and email config 
Tenant-Wechsel UI:
- Add TenantBreadcrumb component showing active tenant in admin header
- Add German translations for multi-tenant plugin selector
- Integrate with existing plugin TenantSelector dropdown

Email-Konfiguration UX:
- Add SMTP field validation (host format, port range, required fields)
- Add EmailDeliverabilityInfo component with SPF/DKIM/DMARC guidance
- Add TestEmailButton component for SMTP configuration testing
- Create /api/test-email endpoint with full security:
  - CSRF protection (double-submit cookie)
  - IP allowlist (same rules as /api/send-email)
  - Rate limiting (10/min per user)
  - Tenant access control with proper object normalization

Security:
- Add comprehensive integration tests for /api/test-email
- Tests cover CSRF, IP blocking, auth, tenant access, input validation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-08 16:33:39 +00:00
Martin Porwoll
0cdc25c4f0 feat: comprehensive security test suite 
Add 143 security tests covering all security modules:

Unit Tests (125 tests):
- rate-limiter.unit.spec.ts: limiter creation, request tracking,
  blocking, window reset, IP extraction, header generation
- csrf.unit.spec.ts: token generation/validation, origin checking,
  double submit cookie pattern, referer validation
- ip-allowlist.unit.spec.ts: CIDR matching, wildcards, endpoint-
  specific allowlist/blocklist rules, IP extraction
- data-masking.unit.spec.ts: field detection, pattern matching,
  recursive masking, JWT/connection string/private key handling

API Integration Tests (18 tests):
- security-api.int.spec.ts: rate limiting responses, IP blocking,
  CSRF protection on state-changing endpoints

Test Infrastructure:
- tests/helpers/security-test-utils.ts: CSRF token generators,
  mock request builders, environment setup utilities
- vitest.config.mts: updated to include unit tests
- package.json: added test:unit and test:security scripts
- .github/workflows/security.yml: added security-tests CI job

Also updated detect-secrets.sh to ignore .spec.ts and .test.ts
files which may contain example secrets for testing purposes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-08 00:20:47 +00:00
Martin Porwoll
82b4a4e558 fix: standardize rate limit headers and remove dead code 
- Use rateLimitHeaders() spread on /api/posts success response
  to include X-RateLimit-Limit, X-RateLimit-Reset, Retry-After
  matching /api/search and /api/search/suggestions behavior
- Remove legacy checkRateLimit, RateLimitResult, rateLimitStore,
  and cleanup interval from src/lib/search.ts (dead code after
  migration to central searchLimiter)
- Update tests to use searchLimiter from @/lib/security instead
  of the removed checkRateLimit

All integration tests pass (20 passed, 12 skipped).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-08 00:00:19 +00:00
Martin Porwoll
19fcb4d837 feat: implement multi-tenant email system with logging 
- Add Payload email adapter for system emails (auth, password reset)
- Add EmailLogs collection for tracking all sent emails
- Extend Tenants collection with SMTP configuration fields
- Implement tenant-specific email service with transporter caching
- Add /api/send-email endpoint with:
  - Authentication required
  - Tenant access control (users can only send for their tenants)
  - Rate limiting (10 emails/minute per user)
- Add form submission notification hook with email logging
- Add cache invalidation hook for tenant email config changes

Security:
- SMTP passwords are never returned in API responses
- Passwords are preserved when field is left empty on update
- Only super admins can delete email logs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-07 20:16:54 +00:00
Martin Porwoll
a88e4f60d0 test: add E2E and integration tests with documentation 
Tests:
- Update frontend.e2e.spec.ts with locale testing
- Add search.e2e.spec.ts for search functionality
- Add i18n.int.spec.ts for localization tests
- Add search.int.spec.ts for search integration
- Update playwright.config.ts

Documentation:
- Add CLAUDE.md with project instructions
- Add docs/ directory with detailed documentation
- Add scripts/ for utility scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-01 08:19:52 +00:00
Martin Porwoll
9d6cb7e61b Initial commit 2025-11-26 21:18:31 +00:00