90750ee8df
* Initial plan * Fix security vulnerabilities: MD5→SHA-256, XSS via dangerouslySetInnerHTML/innerHTML, insecure randomness, CodeQL config Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com> * Clean up README: remove decorative emojis for a professional tone Remove all emojis from section headers, list item prefixes, and decorative positions. Replace ✅ phase status markers with '(Complete)' text. Keep the ⭐ in the final call-to-action line. No changes to links, badges, code blocks, or technical content. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: remove emoji characters from CONTRIBUTING.md Remove all emoji from section headers and closing line while preserving links, code blocks, and technical content. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: remove emoji characters from documentation files Remove all emoji characters from 8 documentation files in docs/. Replace status-marker checkmarks (✅) with '(Done)' text. Remove decorative emojis from headers and body text entirely. Preserve emojis inside code blocks unchanged. Clean up trailing whitespace introduced by removals. Files modified: - DEPLOYMENT_GUIDE.md - IMPLEMENTATION_PLAN.md - MILESTONE_6_SUMMARY.md - PRODUCTION_ROADMAP.md - PROJECT_STATUS.md - REPOSITORY_ENHANCEMENT.md - ROADMAP.md - SECURITY_AUDIT_ROADMAP.md Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: remove emoji characters from documentation files Remove all emoji characters from 9 markdown files while preserving code block content (box-drawing characters, indentation). Emojis removed from headers, list items, and body text across READMEs, issue templates, PR template, runbook, and mobile docs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Remove excessive emoji from all documentation for professional presentation Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com> * Fix PluginWidget initial state and remove || true from security audit steps Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com> * Remediate all failing CI checks: update deprecated actions, fix npm vulnerabilities, fix migrations YAML Co-authored-by: SynOSdev <257853113+SynOSdev@users.noreply.github.com> * Fix all remaining CI failures: Node 18→20, fix test API contract, fix pytest version, fix Postgres health checks Co-authored-by: SynOSdev <257853113+SynOSdev@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: SynOSdev <257853113+SynOSdev@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| ai_models | ||
| alembic | ||
| tests | ||
| .dev_liferpg_key | ||
| .env.dev | ||
| .env.example | ||
| adapters.py | ||
| advanced_analytics.py | ||
| advanced_cache.py | ||
| advanced_gamification.py | ||
| advanced_rate_limiting.py | ||
| ai_assistant.py | ||
| ai_insights.py | ||
| ai_monitoring.py | ||
| ai_test_api.py | ||
| alembic.ini | ||
| analytics.py | ||
| api_docs.py | ||
| api_versioning.py | ||
| app.py | ||
| auth.py | ||
| authorization.py | ||
| backup_security.py | ||
| community_features.py | ||
| compliance_framework.py | ||
| config.py | ||
| crypto.py | ||
| data_retention.py | ||
| db_security.sql | ||
| db.py | ||
| demo_app.py | ||
| development_config.py | ||
| Dockerfile | ||
| gamification.py | ||
| gdpr_api.py | ||
| gdpr_compliance.py | ||
| health_monitoring.py | ||
| hooks.py | ||
| huggingface_ai.py | ||
| kms_rotate.py | ||
| legacy_import_api.py | ||
| legacy_importer.py | ||
| metrics.py | ||
| middleware.py | ||
| mobile_api.py | ||
| models.py | ||
| modern_dev.db | ||
| momentum_system.py | ||
| notifier.py | ||
| oauth.py | ||
| plugin_runtime.py | ||
| plugins.py | ||
| rbac.py | ||
| README_ENCRYPTION.md | ||
| README_OAUTH.md | ||
| README.md | ||
| realtime_notifications.py | ||
| request_limiter.py | ||
| requirements_ai.txt | ||
| requirements_full.txt | ||
| requirements.txt | ||
| schema.sql | ||
| schemas.py | ||
| secure_logging.py | ||
| security_monitor.py | ||
| security_tests.py | ||
| server.py | ||
| setup_ai.py | ||
| simple_app.py | ||
| simple_demo.py | ||
| simple_gdpr.py | ||
| start.sh | ||
| telemetry.config | ||
| telemetry.py | ||
| test_utils.py | ||
| tokens.py | ||
| totp.py | ||
| transaction.py | ||
| worker.py | ||
Backend README
FastAPI backend for LifeRPG with SQLAlchemy, Alembic, JWT auth, and security middleware.
Run (dev):
- Use the app module: uvicorn modern.backend.app:app --reload
- Or via docker-compose: see modern/docker-compose.yml
Security configuration (env):
- FRONTEND_ORIGINS or FRONTEND_ORIGIN: Allowed CORS origins
- FORCE_HTTPS=true: Redirect http->https when behind a reverse proxy
- HSTS_ENABLE=true: Add Strict-Transport-Security header (TLS-only deployments)
- COOKIE_SECURE=true and COOKIE_SAMESITE=none|lax|strict: Configure session cookie
- MAX_BODY_BYTES=1048576: Request body size limit (bytes)
- REQUESTS_PER_MINUTE=120: Naive per-IP rate limit
- CSRF_ENABLE=false: Enable CSRF protection for cookie-based state-changing requests
- CSRF_HEADER_NAME=x-csrf-token and CSRF_COOKIE_NAME=csrf_token
Reverse proxy notes (production):
- Terminate TLS at your proxy (nginx/Traefik/ALB) and forward to the app over HTTP
- Set and trust X-Forwarded-Proto to preserve original scheme; enable FORCE_HTTPS for redirects
- Forward client IP via X-Forwarded-For; the app’s rate limiter reads the first address
- Configure CORS at the proxy if you prefer, or rely on the app’s CORS middleware
CSRF guidance:
- If you rely on cookie-based auth for state-changing requests, enable CSRF (double-submit cookie pattern)
- For pure Bearer token APIs from JS, CSRF is not required if cookies aren’t used
Two-Factor Auth (2FA) and session_alt
Flows that create users while an admin is already logged in need to configure 2FA for the new user without replacing the admin’s session. To support this, the backend issues an alternate cookie named session_alt on signup when a session already exists.
-
Signup:
- If no existing session is present, the normal
sessioncookie is set for the newly created user. - If an admin (or any logged-in user) creates a new user, the backend preserves the admin’s
sessionand additionally setssession_altfor the newly created user.
- If no existing session is present, the normal
-
2FA endpoints:
/api/v1/auth/2fa/setup,/api/v1/auth/2fa/enable,/api/v1/auth/2fa/disableprefersession_altwhen present. This lets admins guide users through TOTP setup immediately after signup in admin-driven flows.
-
Logout:
/api/v1/auth/logoutclears bothsessionandsession_alt.
TOTP setup and recovery codes
Endpoints:
-
POST /api/v1/auth/2fa/setup- Requires an authenticated session (or
session_alt). - Generates a new TOTP secret and a set of plaintext recovery codes.
- Returns
{ otpauth_uri, recovery_codes }. Only bcrypt hashes of recovery codes are stored server-side.
- Requires an authenticated session (or
-
POST /api/v1/auth/2fa/enablewith body{ code }- Verifies the current TOTP code and enables 2FA for the account.
-
POST /api/v1/auth/2fa/disablewith body{ password, code? }- Validates password and (if enabled) optionally validates a TOTP code.
- Disables 2FA and clears the TOTP secret and recovery codes.
-
POST /api/v1/auth/loginwith body{ email, password, totp_code? | recovery_code? }- If 2FA is enabled on the account, a valid
totp_codeor a one-timerecovery_codeis required. - Recovery codes are consumed on use and cannot be reused.
- If 2FA is enabled on the account, a valid
Frontend UX tips:
- After admin-driven signup, read
session_altto complete TOTP setup for the new account in the same browser without disrupting the admin session. - Display the recovery codes exactly once at the end of setup and prompt the user to store them securely. The server cannot show them again.