Fix case-insensitive auth and harden for production

- Fix login/register to treat usernames case-insensitively (HeagBoKaT == heagbokat) using LOWER() in SQL with JS .toLowerCase() for Unicode safety
- Add helmet for HTTP security headers and express-rate-limit on auth endpoints (20 req / 15 min) to prevent brute-force
- Lock CORS to ALLOWED_ORIGIN env var; warn if JWT_SECRET is the default dev key
- Serve built client/dist from Express so a single PM2 process handles everything
- Add deploy.sh, README.md with full first-run and auto-restart instructions, and server/.env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-25 23:29:06 +03:00
parent 68c17b16fe
commit e0247bc288
9 changed files with 231 additions and 16 deletions

View File

@@ -11,6 +11,8 @@
"cors": "^2.8.5",
"dotenv": "^16.4.0",
"express": "^4.21.0",
"express-rate-limit": "^8.5.2",
"helmet": "^8.2.0",
"jsonwebtoken": "^9.0.2",
"multer": "^1.4.5-lts.1",
"sql.js": "^1.14.1"
@@ -19,6 +21,7 @@
"@types/bcryptjs": "^2.4.6",
"@types/cors": "^2.8.17",
"@types/express": "^4.17.21",
"@types/express-rate-limit": "^5.1.3",
"@types/jsonwebtoken": "^9.0.7",
"@types/multer": "^1.4.12",
"@types/node": "^22.0.0",