Fix case-insensitive auth and harden for production

- Fix login/register to treat usernames case-insensitively (HeagBoKaT == heagbokat) using LOWER() in SQL with JS .toLowerCase() for Unicode safety
- Add helmet for HTTP security headers and express-rate-limit on auth endpoints (20 req / 15 min) to prevent brute-force
- Lock CORS to ALLOWED_ORIGIN env var; warn if JWT_SECRET is the default dev key
- Serve built client/dist from Express so a single PM2 process handles everything
- Add deploy.sh, README.md with full first-run and auto-restart instructions, and server/.env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-25 23:29:06 +03:00
parent 68c17b16fe
commit e0247bc288
9 changed files with 231 additions and 16 deletions

3
server/.env.example Normal file
View File

@@ -0,0 +1,3 @@
PORT=3040
JWT_SECRET=заменитеа_случайную_строку_32_символа
ALLOWED_ORIGIN=http://cats.heagbokat-server.ru