pushed new svg

added configuration over https / http
2025-11-30 22:45:46 +01:00 · 2025-11-01 18:25:36 +01:00 · 2025-11-01 17:54:12 +01:00 · 2025-11-01 17:20:45 +01:00
9 changed files with 424 additions and 61 deletions
--- a/.env.template
+++ b/.env.template
@@ -1,27 +1,29 @@
-# === SCHICHTPLANER DOCKER COMPOSE ENVIRONMENT VARIABLES ===
-# Diese Datei wird von docker-compose automatisch geladen
+# .env.template
+# ============================================
+# DOCKER COMPOSE ENVIRONMENT TEMPLATE
+# Copy this file to .env and adjust values
+# ============================================

-# Security
-JWT_SECRET=${JWT_SECRET:-your-secret-key-please-change}
-NODE_ENV=${NODE_ENV:-production}
+# Application settings
+NODE_ENV=production
+JWT_SECRET=your-secret-key-please-change
+HOSTNAME=localhost
+
+# Security & Network
+TRUST_PROXY_ENABLED=false
+TRUSTED_PROXY_IPS=127.0.0.1,::1
+FORCE_HTTPS=false

 # Database
-DB_PATH=${DB_PATH:-/app/data/database.db}
+DATABASE_PATH=/app/data/schichtplaner.db

-# Server
-PORT=${PORT:-3002}
+# Optional features
+ENABLE_PRO=false
+DEBUG=false

-# App Configuration
-APP_TITLE="Shift Planning App"
-ENABLE_PRO=${ENABLE_PRO:-false}
+# Port configuration
+APP_PORT=3002

-# Trust Proxy Configuration
-TRUST_PROXY_ENABLED=false
-TRUSTED_PROXY_IPS=  # Your load balancer/reverse proxy IPs
-TRUSTED_PROXY_HEADER=x-forwarded-for
-
-# Rate Limiting Configuration  
-RATE_LIMIT_WINDOW_MS=900000
-RATE_LIMIT_MAX_REQUESTS=100
-RATE_LIMIT_SKIP_PATHS=/api/health,/api/status
-RATE_LIMIT_WHITELIST=127.0.0.1,::1
+# ============================================
+# END OF TEMPLATE
+# ============================================
--- a/backend/src/server.ts
+++ b/backend/src/server.ts
@@ -85,7 +85,7 @@ if (process.env.NODE_ENV === 'production') {

 const configureTrustProxy = (): string | string[] | boolean | number => {
  const trustedProxyIps = process.env.TRUSTED_PROXY_IPS;
-  const trustProxyEnabled = process.env.TRUST_PROXY_ENABLED !== 'false'; // Default true for production
+  const trustProxyEnabled = process.env.TRUST_PROXY_ENABLED !== 'false';

  // If explicitly disabled
  if (!trustProxyEnabled) {
@@ -106,25 +106,28 @@ const configureTrustProxy = (): string | string[] | boolean | number => {
    return trustedProxyIps.trim();
  }

-  // Default behavior based on environment
-  if (process.env.NODE_ENV === 'production') {
-    console.log('🔒 Trust proxy: Using production defaults (private networks)');
-    return [
-      'loopback', 
-      'linklocal', 
-      'uniquelocal',
-      '10.0.0.0/8',
-      '172.16.0.0/12', 
-      '192.168.0.0/16'
-    ];
-  } else {
-    console.log('🔒 Trust proxy: Development mode (disabled)');
-    return false;
-  }
+  // Default behavior for reverse proxy setup
+  console.log('🔒 Trust proxy: Using reverse proxy defaults (trust all)');
+  return true; // Trust all proxies when behind nginx
 };

 app.set('trust proxy', configureTrustProxy());

+app.use((req, res, next) => {
+  const protocol = req.headers['x-forwarded-proto'] || req.protocol;
+  const isHttps = protocol === 'https';
+  
+  // Add security warning for HTTP requests
+  if (!isHttps && process.env.NODE_ENV === 'production') {
+    res.setHeader('X-Security-Warning', 'This application is being accessed over HTTP. For secure communication, please use HTTPS.');
+    
+    // Log HTTP access in production
+    console.warn(`⚠️  HTTP access detected: ${req.method} ${req.path} from ${req.ip}`);
+  }
+  
+  next();
+});
+
 // Security headers
 app.use(helmet({
  contentSecurityPolicy: {
@@ -138,9 +141,14 @@ app.use(helmet({
      objectSrc: ["'none'"],
      mediaSrc: ["'self'"],
      frameSrc: ["'none'"],
+      upgradeInsecureRequests: process.env.FORCE_HTTPS === 'true' ? [] : null
    },
  },
-  hsts: false,
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+    preload: true
+  }, // Enable HSTS for HTTPS
  crossOriginEmbedderPolicy: false
 }));

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,17 +6,22 @@ services:
    image: ghcr.io/donpat1to/schichtenplaner:v1.0.0
    environment:
      - NODE_ENV=production
-      - JWT_SECRET=${JWT_SECRET:-your-secret-key-please-change}
-    ports:
-      - "3002:3002"
+      - JWT_SECRET=${JWT_SECRET}
+      - TRUST_PROXY_ENABLED=true
+      - TRUSTED_PROXY_IPS=nginx-proxy,172.0.0.0/8,10.0.0.0/8,192.168.0.0/16
+      - FORCE_HTTPS=${FORCE_HTTPS:-false}
+    networks:
+      - app-network
    volumes:
      - app_data:/app/data
    restart: unless-stopped
    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:3002/api/health"]
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3002/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
+    expose:
+      - "3002"

 volumes:
  app_data:
--- a/docker-init.sh
+++ b/docker-init.sh
@@ -3,17 +3,15 @@ set -e

 echo "🚀 Container Initialisierung gestartet..."

-# Funktion zum Generieren eines sicheren Secrets
 generate_secret() {
    length=$1
    tr -dc 'A-Za-z0-9!@#$%^&*()_+-=' < /dev/urandom | head -c $length
 }

-# Prüfe ob .env existiert
+# Create .env if it doesn't exist
 if [ ! -f /app/.env ]; then
    echo "📝 Erstelle .env Datei..."
    
-    # Verwende vorhandenes JWT_SECRET oder generiere ein neues
    if [ -z "$JWT_SECRET" ] || [ "$JWT_SECRET" = "your-secret-key-please-change" ]; then
        export JWT_SECRET=$(generate_secret 64)
        echo "🔑 Automatisch sicheres JWT Secret generiert"
@@ -21,30 +19,37 @@ if [ ! -f /app/.env ]; then
        echo "🔑 Verwende vorhandenes JWT Secret aus Umgebungsvariable"
    fi
    
-    # Erstelle .env aus Template mit envsubst
-    envsubst < /app/.env.template > /app/.env
-    echo "✅ .env Datei erstellt"
+    # Create .env with all proxy settings
+    cat > /app/.env << EOF
+NODE_ENV=production
+JWT_SECRET=${JWT_SECRET}
+TRUST_PROXY_ENABLED=${TRUST_PROXY_ENABLED:-true}
+TRUSTED_PROXY_IPS=${TRUSTED_PROXY_IPS:-172.0.0.0/8,10.0.0.0/8,192.168.0.0/16}
+HOSTNAME=${HOSTNAME:-localhost}
+EOF
    
+    echo "✅ .env Datei erstellt"
 else
    echo "ℹ️  .env Datei existiert bereits"
    
-    # Wenn .env existiert, aber JWT_SECRET Umgebungsvariable gesetzt ist, aktualisiere sie
+    # Update JWT_SECRET if provided
    if [ -n "$JWT_SECRET" ] && [ "$JWT_SECRET" != "your-secret-key-please-change" ]; then
        echo "🔑 Aktualisiere JWT Secret in .env Datei"
-        # Aktualisiere nur das JWT_SECRET in der .env Datei
        sed -i "s/^JWT_SECRET=.*/JWT_SECRET=$JWT_SECRET/" /app/.env
    fi
 fi

-# Validiere dass JWT_SECERT nicht der Standardwert ist
+# Validate JWT_SECRET
 if grep -q "JWT_SECRET=your-secret-key-please-change" /app/.env; then
    echo "❌ FEHLER: Standard JWT Secret in .env gefunden!"
    echo "❌ Bitte setzen Sie JWT_SECRET Umgebungsvariable"
    exit 1
 fi

-# Setze sichere Berechtigungen
 chmod 600 /app/.env

+echo "🔧 Proxy Configuration:"
+echo "   - TRUST_PROXY_ENABLED: ${TRUST_PROXY_ENABLED:-true}"
+echo "   - TRUSTED_PROXY_IPS: ${TRUSTED_PROXY_IPS:-172.0.0.0/8,10.0.0.0/8,192.168.0.0/16}"
 echo "🔧 Starte Anwendung..."
 exec "$@"
--- a/frontend/donpat1to.svg
+++ b/frontend/donpat1to.svg
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -2,7 +2,7 @@
 <html lang="en">
  <head>
    <meta charset="UTF-8" />
-    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+    <link rel="icon" type="image/svg+xml" href="/donpat1to.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Shift Planning App</title>
  </head>
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -15,6 +15,8 @@ import EmployeeManagement from './pages/Employees/EmployeeManagement';
 import Settings from './pages/Settings/Settings';
 import Help from './pages/Help/Help';
 import Setup from './pages/Setup/Setup';
+import ErrorBoundary from './components/ErrorBoundary/ErrorBoundary';
+import SecurityWarning from './components/SecurityWarning/SecurityWarning';

 // Free Footer Link Pages (always available)
 import FAQ from './components/Layout/FooterLinks/FAQ/FAQ';
@@ -160,14 +162,17 @@ const AppContent: React.FC = () => {

 function App() {
  return (
+    <ErrorBoundary>
      <NotificationProvider>
        <AuthProvider>
          <Router>
+            <SecurityWarning />
            <NotificationContainer />
            <AppContent />
          </Router>
        </AuthProvider>
      </NotificationProvider>
+    </ErrorBoundary>
  );
 }

--- a/frontend/src/components/ErrorBoundary/ErrorBoundary.tsx
+++ b/frontend/src/components/ErrorBoundary/ErrorBoundary.tsx
@@ -0,0 +1,101 @@
+// src/components/ErrorBoundary/ErrorBoundary.tsx
+import React from 'react';
+
+interface Props {
+  children: React.ReactNode;
+  fallback?: React.ReactNode;
+}
+
+interface State {
+  hasError: boolean;
+  error?: Error;
+}
+
+class ErrorBoundary extends React.Component<Props, State> {
+  constructor(props: Props) {
+    super(props);
+    this.state = { hasError: false };
+  }
+
+  static getDerivedStateFromError(error: Error): State {
+    return { hasError: true, error };
+  }
+
+  componentDidCatch(error: Error, errorInfo: React.ErrorInfo) {
+    console.error('🚨 Application Error:', error);
+    console.error('📋 Error Details:', errorInfo);
+    
+    // In production, send to your error reporting service
+    // logErrorToService(error, errorInfo);
+  }
+
+  render() {
+    if (this.state.hasError) {
+      // You can render any custom fallback UI
+      return this.props.fallback || (
+        <div style={{ 
+          padding: '40px', 
+          textAlign: 'center',
+          fontFamily: 'Arial, sans-serif'
+        }}>
+          <div style={{ fontSize: '48px', marginBottom: '20px' }}>⚠️</div>
+          <h2>Oops! Something went wrong</h2>
+          <p style={{ margin: '20px 0', color: '#666' }}>
+            We encountered an unexpected error. Please try refreshing the page.
+          </p>
+          <div style={{ marginTop: '30px' }}>
+            <button
+              onClick={() => window.location.reload()}
+              style={{
+                padding: '10px 20px',
+                backgroundColor: '#007bff',
+                color: 'white',
+                border: 'none',
+                borderRadius: '4px',
+                cursor: 'pointer',
+                marginRight: '10px'
+              }}
+            >
+              Refresh Page
+            </button>
+            <button
+              onClick={() => this.setState({ hasError: false })}
+              style={{
+                padding: '10px 20px',
+                backgroundColor: '#6c757d',
+                color: 'white',
+                border: 'none',
+                borderRadius: '4px',
+                cursor: 'pointer'
+              }}
+            >
+              Try Again
+            </button>
+          </div>
+          {process.env.NODE_ENV === 'development' && this.state.error && (
+            <details style={{ 
+              marginTop: '20px', 
+              textAlign: 'left',
+              background: '#f8f9fa',
+              padding: '15px',
+              borderRadius: '4px'
+            }}>
+              <summary>Error Details (Development)</summary>
+              <pre style={{ 
+                whiteSpace: 'pre-wrap',
+                fontSize: '12px',
+                color: '#dc3545'
+              }}>
+                {this.state.error.stack}
+              </pre>
+            </details>
+          )}
+        </div>
+      );
+    }
+
+    return this.props.children;
+  }
+}
+
+export default ErrorBoundary;
--- a/frontend/src/components/SecurityWarning/SecurityWarning.tsx
+++ b/frontend/src/components/SecurityWarning/SecurityWarning.tsx
@@ -0,0 +1,59 @@
+// src/components/SecurityWarning/SecurityWarning.tsx
+import React, { useState, useEffect } from 'react';
+
+const SecurityWarning: React.FC = () => {
+  const [isHttp, setIsHttp] = useState(false);
+  const [isDismissed, setIsDismissed] = useState(false);
+
+  useEffect(() => {
+    // Check if current protocol is HTTP
+    const checkProtocol = () => {
+      setIsHttp(window.location.protocol === 'http:');
+    };
+
+    checkProtocol();
+    window.addEventListener('load', checkProtocol);
+    
+    return () => window.removeEventListener('load', checkProtocol);
+  }, []);
+
+  if (!isHttp || isDismissed) {
+    return null;
+  }
+
+  return (
+    <div style={{
+      position: 'fixed',
+      top: 0,
+      left: 0,
+      right: 0,
+      backgroundColor: '#ff6b35',
+      color: 'white',
+      padding: '10px 20px',
+      textAlign: 'center',
+      zIndex: 10000,
+      fontSize: '14px',
+      fontWeight: 'bold',
+      boxShadow: '0 2px 4px rgba(0,0,0,0.2)'
+    }}>
+      ⚠️ SECURITY WARNING: This site is being accessed over HTTP. 
+      For secure communication, please use HTTPS.
+      <button 
+        onClick={() => setIsDismissed(true)}
+        style={{
+          marginLeft: '15px',
+          background: 'rgba(255,255,255,0.2)',
+          border: '1px solid white',
+          color: 'white',
+          padding: '2px 8px',
+          borderRadius: '3px',
+          cursor: 'pointer'
+        }}
+      >
+        Dismiss
+      </button>
+    </div>
+  );
+};
+
+export default SecurityWarning;
Author	SHA1	Message	Date
donpat1to	da2b3b0126	pushed new svg	2025-11-01 18:25:36 +01:00
donpat1to	7a87c49703	added configuration over https / http	2025-11-01 17:54:12 +01:00
donpat1to	52f559199d	added configuration over https / http	2025-11-01 17:20:45 +01:00