admin/changemaker.lite
1
0
Fork 0
Code Issues Packages Projects Releases 31 Wiki Activity
changemaker.lite/api/package.json
bunker-admin b215cda018 Security audit follow-up: httpOnly cookies, ticket reservations, MongoDB keyfile 
Deferred findings from the March 27 security audit, plus a bug fix:

MongoDB keyfile (bug fix):
- Generate replica.key on first boot via entrypoint script
- Fixes crash from --auth + --keyFile without an existing keyfile
- Applied to docker-compose.yml, docker-compose.prod.yml, CCP template

I7 — Ticket overselling prevention (reservation pattern):
- Add reservedCount field to TicketTier schema
- Atomically increment reservedCount inside transaction on checkout
- Release reservation on checkout.session.completed (webhook)
- Release reservation on checkout.session.expired (webhook)
- Include reservedCount in availability calculations

I17 — Move refresh token to httpOnly cookie:
- Server sets httpOnly SameSite=Strict cookie on login/register/refresh
- Cookie scoped to /api/auth path, secure in production
- Refresh/logout endpoints read from cookie (with body fallback for compat)
- Frontend no longer stores refreshToken in localStorage
- Auth store simplified: removed refreshToken from state + persistence
- API interceptor uses withCredentials:true for automatic cookie sending
- Updated media-api, media-public-api, QuickJoinPage, volunteer-invite
- Renamed getTokens → getAccessToken across all media components
- Install cookie-parser middleware

L2 — FeatureGate loading state:
- Show Skeleton instead of children while settings are loading
- Prevents briefly exposing disabled feature pages

Bunker Admin
2026-03-27 09:20:26 -06:00

83 lines
2.3 KiB
JSON
Raw Blame History

{
"name": "changemaker-v2-api",
"version": "2.0.0",
"description": "Unified Express.js API for Changemaker Lite v2",
"main": "dist/server.js",
"scripts": {
"dev": "tsx watch src/server.ts",
"dev:media": "tsx watch src/media-server.ts",
"build": "tsc",
"start": "node dist/server.js",
"start:media": "node dist/media-server.js",
"prisma:generate": "prisma generate",
"prisma:migrate": "prisma migrate dev",
"prisma:migrate:deploy": "prisma migrate deploy",
"prisma:seed": "tsx prisma/seed.ts",
"prisma:studio": "prisma studio"
},
"dependencies": {
"@fastify/cors": "^11.2.0",
"@fastify/multipart": "^9.4.0",
"@fastify/static": "^9.0.0",
"@hocuspocus/server": "^3.4.4",
"@prisma/client": "^6.3.0",
"@types/mime-types": "^3.0.1",
"bcryptjs": "^2.4.3",
"bullmq": "^5.34.0",
"compression": "^1.7.5",
"cookie-parser": "^1.4.7",
"cors": "^2.8.5",
"csv-parse": "^6.1.0",
"csv-stringify": "^6.6.0",
"dotenv": "^16.4.7",
"drizzle-orm": "^0.45.1",
"exif-reader": "^2.0.3",
"express": "^4.21.2",
"express-rate-limit": "^7.5.0",
"fastify": "^5.7.4",
"helmet": "^8.0.0",
"ical-generator": "^10.0.0",
"ioredis": "^5.4.2",
"jsonwebtoken": "^9.0.2",
"mime-types": "^3.0.2",
"multer": "^2.1.1",
"node-addon-api": "^8.5.0",
"node-ical": "^0.25.5",
"nodemailer": "^8.0.1",
"pg": "^8.18.0",
"proj4": "^2.20.2",
"prom-client": "^15.1.3",
"qrcode": "^1.5.4",
"rate-limit-redis": "^4.2.0",
"sharp": "^0.34.5",
"stripe": "^20.3.1",
"winston": "^3.17.0",
"winston-daily-rotate-file": "^5.0.0",
"ws": "^8.19.0",
"yaml": "^2.8.2",
"yjs": "^13.6.29",
"zod": "^3.24.1"
},
"devDependencies": {
"@types/bcryptjs": "^2.4.6",
"@types/compression": "^1.7.5",
"@types/cookie-parser": "^1.4.10",
"@types/cors": "^2.8.17",
"@types/express": "^5.0.0",
"@types/jsonwebtoken": "^9.0.7",
"@types/multer": "^2.0.0",
"@types/node": "^22.19.11",
"@types/nodemailer": "^7.0.11",
"@types/pg": "^8.16.0",
"@types/qrcode": "^1.5.6",
"@types/ws": "^8.18.1",
"drizzle-kit": "^0.31.9",
"prisma": "^6.3.0",
"tsx": "^4.19.2",
"typescript": "^5.7.3"
},
"prisma": {
"seed": "npx tsx prisma/seed.ts"
}
}
Reference in New Issue View Git Blame Copy Permalink