Private
Public Access
1
0
Commit Graph

7 Commits

Author SHA1 Message Date
Catherine Renelle c32c828512 Add restart: unless-stopped to all services
Containers had no restart policy, so they didn't auto-start after a Docker
daemon restart or host reboot. unless-stopped restarts on boot and crashes
but respects manual stops.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 21:32:01 -04:00
Catherine Renelle 62792e73e1 Remove docker-cleanup container from docker-compose
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 19:17:50 -05:00
Catherine Renelle 8b57aee672 Set ASPNETCORE_ENVIRONMENT to Development in docker-compose and pass through encryption key
The Docker container defaults to Production when no environment is set,
which triggers the new startup secret validation. Default to Development
for docker-compose (local dev) and expose BANKSYNC_ENCRYPTION_KEY env var
so production deployments can override it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 13:36:40 -05:00
Catherine Renelle 2f389ab8e9 Security hardening: fix IDOR vulnerabilities, add rate limiting, SSRF protection, and encryption upgrades
- Fix ReconciliationController and BankSync LinkAccount/UpdateLinkedAccount IDOR (verify account ownership)
- Add ASP.NET Core rate limiting: strict on auth endpoints, global on all API routes
- Harden SSRF validation on Ollama URL (IPv6-mapped bypass, link-local, 0.0.0.0 blocking)
- Upgrade encryption from AES-CBC to AES-GCM with HKDF key derivation (backward-compatible decrypt)
- Add startup validation that rejects default JWT/encryption keys in Production
- Add security headers (X-Frame-Options, CSP, HSTS, Cache-Control, nosniff) to API and nginx
- Mask account numbers in API responses (show last 4 digits only)
- Add password strength validation (min 8 chars) and BCrypt work factor 12
- Hash refresh tokens (SHA-256) before database storage
- Set JWT ClockSkew to zero for immediate expiry enforcement
- Add file upload size limit (10 MB) and filename sanitization
- Cap transaction search PageSize to 200
- Fix FileWatcherService cross-user account matching in multi-user deployments
- Sanitize console.error calls to prevent token leakage in browser logs
- Parameterize raw SQL in SimpleFinConnectionMigration
- Make AuthService.GenerateAuthResponse fully async

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 12:53:20 -05:00
Catherine Renelle 31e99e72de Add Docker image cleanup container to compose stack
Adds a lightweight docker:cli sidecar that prunes dangling images
every 24 hours to prevent untagged image buildup from redeployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 19:07:53 -05:00
Catherine Renelle 3db02f8472 Change frontend port to 9080 to avoid conflicts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 09:06:29 -05:00
Catherine Renelle 6520ebf221 Initial commit: Purrse personal finance app
Self-hosted, plugin-extensible personal finance manager built with
ASP.NET Core 9.0, Vue 3 + Vuetify 3, and PostgreSQL 17.

Backend (8 .NET projects):
- Core: 19 domain models, 6 enums, 14 DTOs, 12 service interfaces
- Data: EF Core DbContext, 16 entity configurations, category seeder
- API: 14 controllers, 15 services, JWT auth, SignalR, middleware
- Plugins: Abstractions + OFX/CSV/QIF file parsers
- Tests: 28 xUnit tests (fingerprinting, duplicate detection, parsers)

Frontend (Vue 3 + Vuetify 3 + TypeScript):
- 13 views, Pinia stores, Axios API services with JWT interceptors
- Dashboard, accounts, transactions, categories, imports, and more

Deployment:
- Docker Compose (PostgreSQL 17 + .NET API + nginx frontend)
- Auto-migration on startup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 08:56:46 -05:00