NW
4657b1dfb5
feat: web admin panel + better-sqlite3 migration + Docker fixes
...
- Added Express.js admin panel on port 3001 (ADMIN_PORT env)
- Dashboard: stats (users, products, purchases, revenue)
- Users: list, details, ban/unban toggle
- Products: CRUD by category
- Wallets: list with balances
- Purchases: history with filters
- Audit log: view audit trail
- Auth: token-based login with ADMIN_SECRET env var
- Migrated sqlite3 → better-sqlite3
- database.js: async adapter (runAsync/allAsync/getAsync)
- purchaseService.js: lastID → lastInsertRowid
- userService.js: lastID → lastInsertRowid
- Removed sqlite3 from package.json
- Fixed: dotenv/config import added to index.js
- Fixed: ENCRYPTION_KEY validation (32+ char hex)
- Fixed: Dockerfile multi-stage build (no python needed)
- Fixed: Docker DNS (network: host in build)
- Fixed: docker-compose port 3001, healthcheck on 3001
- Added express, cookie-parser, pino-pretty, better-sqlite3 deps
2026-06-22 10:54:01 +01:00
NW
ba80784ae7
security(docker): remove privileged mode, SYS_MODULE; harden WireGuard ( #49 #50 )
...
- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example
SECURITY: Rotate WireGuard keys on server if previously used in production
2026-06-22 01:26:35 +01:00
NW
de415633be
feat(security): Phase 1 — critical security fixes and hardening
...
- #42 : Remove hardcoded ENCRYPTION_KEY fallback from config.js,
add startup validation for BOT_TOKEN and ENCRYPTION_KEY length
- #43 : Fix SQL injection vulnerabilities — add ALLOWED_TABLES
whitelist in database.js, ALLOWED_USER_FIELDS in userService.js,
validate table names before PRAGMA
- #44 : Fix race condition in purchaseService.js — wrap createPurchase
in BEGIN IMMEDIATE TRANSACTION, add atomic balance/stock checks
- #41 : Move all secrets from docker-compose.yml to .env file,
use env_file directive
- #45 : Replace MD5 tx_hash with crypto.randomUUID()
- #46 : Upgrade KDF from SHA-256 to HKDF for mnemonic encryption,
add backward compatibility for legacy format
- #47 : Add input validation across all handlers — walletType
whitelist, string length limits, numeric ID checks, price bounds
New files:
- src/utils/encryption.js (HKDF key derivation)
- src/__tests__/security.test.js (SQL injection prevention tests)
Closes : #41 , #42 , #43 , #44 , #45 , #46 , #47
2026-06-17 21:52:49 +01:00
2f3459b670
mart litle update
2025-03-06 16:13:11 +00:00
23b7f8b4bd
big update WG-TOR bot connecting
2025-02-03 09:43:25 +00:00
633a27164b
upgrade comission wallet function
2025-01-26 22:21:13 +00:00
ae1cd45aea
create functional commission
2025-01-25 13:35:22 +00:00
d918de0386
docker file update
2024-12-14 13:46:03 +00:00
68a220de2e
update docker file
2024-11-22 10:03:53 +00:00
Artyom Ashirov
3872ddbb68
docker
2024-11-14 16:44:00 +03:00