Reduce image size, update feature requset yamls and fix OIDC

2025-09-29 21:21:51 -05:00
parent a09fe0a271
commit 59094ec25d
10 changed files with 250 additions and 73 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -51,6 +51,18 @@ repo-images/
 # Uploads directory
 uploads/
 # Electron files (not needed for Docker)
 electron/
 electron-builder.json
 # Development and build artifacts
 *.log
 *.tmp
 *.temp
 # Font files (we'll optimize these in Dockerfile)
 # public/fonts/*.ttf
 # Logs
 logs
 *.log
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,32 +0,0 @@
 ---
 name: Bug report
 about: Create a report to help Termix improve
 title: "[BUG]"
 labels: bug
 assignees: ""
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Screenshots/Logs**
 If applicable, add screenshots or console/Docker logs to help explain your problem.
 **Environment (please complete the following information):**
 - Browser [e.g. chrome, safari]
 - Version [e.g. 1.6.0]
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,82 @@
 name: Bug report
 description: Create a report to help Termix improve
 title: "[BUG]"
 labels: [bug]
 assignees: []
 body:
  - type: input
    id: title
    attributes:
      label: Title
      description: Brief, descriptive title for the bug
      placeholder: "Brief description of the bug"
    validations:
      required: true
  - type: dropdown
    id: platform
    attributes:
      label: Platform
      description: How are you using Termix?
      options:
        - Website - Firefox
        - Website - Safari
        - Website - Chrome
        - Website - Other Browser
        - App - Windows
        - App - Linux
        - App - iOS
        - App - Android
    validations:
      required: true
  - type: dropdown
    id: server-installation-method
    attributes:
      label: Server Installation Method
      description: How is the Termix server installed?
      options:
        - Docker
        - Manual Build
    validations:
      required: true
  - type: input
    id: version
    attributes:
      label: Version
      description: Find your version in the User Profile tab
      placeholder: "e.g., 1.6.0"
    validations:
      required: true
  - type: checkboxes
    id: troubleshooting
    attributes:
      label: Troubleshooting
      description: Please check all that apply
      options:
        - label: I have examined logs and tried to find the issue
        - label: I have reviewed opened and closed issues
        - label: I have tried restarting the application
  - type: textarea
    id: problem-description
    attributes:
      label: The Problem
      description: Describe the bug in detail. Include as much information as possible with screenshots if applicable.
      placeholder: "Describe what went wrong..."
    validations:
      required: true
  - type: textarea
    id: reproduction-steps
    attributes:
      label: How to Reproduce
      description: Use as few steps as possible to reproduce the issue
      placeholder: |
        1. 
        2. 
        3.
    validations:
      required: true
  - type: textarea
    id: additional-context
    attributes:
      label: Additional Context
      description: Any other context about the problem
      placeholder: "Add any other context about the problem here..."
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,19 +0,0 @@
 ---
 name: Feature request
 about: Suggest an idea for Termix
 title: "[FEATURE]"
 labels: enhancement
 assignees: ""
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,36 @@
 name: Feature request
 description: Suggest an idea for Termix
 title: "[FEATURE]"
 labels: [enhancement]
 assignees: []
 body:
  - type: input
    id: title
    attributes:
      label: Title
      description: Brief, descriptive title for the feature request
      placeholder: "Brief description of the feature"
    validations:
      required: true
  - type: textarea
    id: related-issue
    attributes:
      label: Is it related to an issue?
      description: Describe the problem this feature would solve
      placeholder: "Describe what problem this feature would solve..."
    validations:
      required: true
  - type: textarea
    id: solution
    attributes:
      label: The Solution
      description: Describe your proposed solution in detail
      placeholder: "Describe how you envision this feature working..."
    validations:
      required: true
  - type: textarea
    id: additional-context
    attributes:
      label: Additional Context
      description: Any other context or screenshots about the feature request
      placeholder: "Add any other context about the feature request here..."
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -20,6 +20,8 @@ WORKDIR /app
 COPY . .
 RUN find public/fonts -name "*.ttf" ! -name "*Regular.ttf" ! -name "*Bold.ttf" ! -name "*Italic.ttf" -delete
 RUN npm cache clean --force && \
    npm run build
@@ -69,16 +71,14 @@ RUN apt-get update && apt-get install -y nginx gettext-base openssl && \
 COPY docker/nginx.conf /etc/nginx/nginx.conf
 COPY docker/nginx-https.conf /etc/nginx/nginx-https.conf
 COPY --from=frontend-builder /app/dist /usr/share/nginx/html
 COPY --from=frontend-builder /app/src/locales /usr/share/nginx/html/locales
 COPY --from=frontend-builder /app/public/fonts /usr/share/nginx/html/fonts
 RUN chown -R nginx:nginx /usr/share/nginx/html
-COPY --from=production-deps /app/node_modules /app/node_modules
+COPY --chown=nginx:nginx --from=frontend-builder /app/dist /usr/share/nginx/html
-COPY --from=backend-builder /app/dist/backend ./dist/backend
+COPY --chown=nginx:nginx --from=frontend-builder /app/src/locales /usr/share/nginx/html/locales
 COPY --chown=nginx:nginx --from=frontend-builder /app/public/fonts /usr/share/nginx/html/fonts
-COPY package.json ./
+COPY --chown=node:node --from=production-deps /app/node_modules /app/node_modules
-RUN chown -R node:node /app
+COPY --chown=node:node --from=backend-builder /app/dist/backend ./dist/backend
 COPY --chown=node:node package.json ./
 VOLUME ["/app/data"]
--- a/src/backend/database/routes/users.ts
+++ b/src/backend/database/routes/users.ts
@@ -75,12 +75,8 @@ async function verifyOIDCToken(
            );
          }
        } else {
          authLogger.error(
            `JWKS fetch failed from ${url}: ${response.status} ${response.statusText}`,
          );
        }
      } catch (error) {
        authLogger.error(`JWKS fetch error from ${url}:`, error);
        continue;
      }
    }
@@ -117,7 +113,6 @@ async function verifyOIDCToken(
    return payload;
  } catch (error) {
    authLogger.error("OIDC token verification failed:", error);
    throw error;
  }
 }
@@ -655,10 +650,6 @@ router.get("/oidc/callback", async (req, res) => {
          config.client_id,
        );
      } catch (error) {
        authLogger.error(
          "OIDC token verification failed, trying userinfo endpoints",
          error,
        );
        try {
          const parts = tokenData.id_token.split(".");
          if (parts.length === 3) {
@@ -767,6 +758,23 @@ router.get("/oidc/callback", async (req, res) => {
        scopes: config.scopes,
      });
      try {
        await authManager.registerOIDCUser(id);
      } catch (encryptionError) {
        await db.delete(users).where(eq(users.id, id));
        authLogger.error(
          "Failed to setup OIDC user encryption, user creation rolled back",
          encryptionError,
          {
            operation: "oidc_user_create_encryption_failed",
            userId: id,
          },
        );
        return res.status(500).json({
          error: "Failed to setup user security - user creation cancelled",
        });
      }
      user = await db.select().from(users).where(eq(users.id, id));
    } else {
      await db
@@ -779,6 +787,15 @@ router.get("/oidc/callback", async (req, res) => {
    const userRecord = user[0];
    try {
      await authManager.authenticateOIDCUser(userRecord.id);
    } catch (setupError) {
      authLogger.error("Failed to setup OIDC user encryption", setupError, {
        operation: "oidc_user_encryption_setup_failed",
        userId: userRecord.id,
      });
    }
    const token = await authManager.generateJWTToken(userRecord.id, {
      expiresIn: "50d",
    });
--- a/src/backend/utils/auth-manager.ts
+++ b/src/backend/utils/auth-manager.ts
@@ -53,6 +53,20 @@ class AuthManager {
    await this.userCrypto.setupUserEncryption(userId, password);
  }
  async registerOIDCUser(userId: string): Promise<void> {
    await this.userCrypto.setupOIDCUserEncryption(userId);
  }
  async authenticateOIDCUser(userId: string): Promise<boolean> {
    const authenticated = await this.userCrypto.authenticateOIDCUser(userId);
    if (authenticated) {
      await this.performLazyEncryptionMigration(userId);
    }
    return authenticated;
  }
  async authenticateUser(userId: string, password: string): Promise<boolean> {
    const authenticated = await this.userCrypto.authenticateUser(
      userId,
--- a/src/backend/utils/user-crypto.ts
+++ b/src/backend/utils/user-crypto.ts
@@ -69,6 +69,19 @@ class UserCrypto {
    DEK.fill(0);
  }
  async setupOIDCUserEncryption(userId: string): Promise<void> {
    const DEK = crypto.randomBytes(UserCrypto.DEK_LENGTH);
    const now = Date.now();
    this.userSessions.set(userId, {
      dataKey: Buffer.from(DEK),
      lastActivity: now,
      expiresAt: now + UserCrypto.SESSION_DURATION,
    });
    DEK.fill(0);
  }
  async authenticateUser(userId: string, password: string): Promise<boolean> {
    try {
      const kekSalt = await this.getKEKSalt(userId);
@@ -119,6 +132,52 @@ class UserCrypto {
    }
  }
  async authenticateOIDCUser(userId: string): Promise<boolean> {
    try {
      const kekSalt = await this.getKEKSalt(userId);
      if (!kekSalt) {
        await this.setupOIDCUserEncryption(userId);
        return true;
      }
      const systemKey = this.deriveOIDCSystemKey(userId);
      const encryptedDEK = await this.getEncryptedDEK(userId);
      if (!encryptedDEK) {
        systemKey.fill(0);
        await this.setupOIDCUserEncryption(userId);
        return true;
      }
      const DEK = this.decryptDEK(encryptedDEK, systemKey);
      systemKey.fill(0);
      if (!DEK || DEK.length === 0) {
        await this.setupOIDCUserEncryption(userId);
        return true;
      }
      const now = Date.now();
      const oldSession = this.userSessions.get(userId);
      if (oldSession) {
        oldSession.dataKey.fill(0);
      }
      this.userSessions.set(userId, {
        dataKey: Buffer.from(DEK),
        lastActivity: now,
        expiresAt: now + UserCrypto.SESSION_DURATION,
      });
      DEK.fill(0);
      return true;
    } catch (error) {
      await this.setupOIDCUserEncryption(userId);
      return true;
    }
  }
  getUserDataKey(userId: string): Buffer | null {
    const session = this.userSessions.get(userId);
    if (!session) {
@@ -259,6 +318,18 @@ class UserCrypto {
    );
  }
  private deriveOIDCSystemKey(userId: string): Buffer {
    const systemSecret = process.env.OIDC_SYSTEM_SECRET || "termix-oidc-system-secret-default";
    const salt = Buffer.from(userId, "utf8");
    return crypto.pbkdf2Sync(
      systemSecret,
      salt,
      100000,
      UserCrypto.KEK_LENGTH,
      "sha256",
    );
  }
  private encryptDEK(dek: Buffer, kek: Buffer): EncryptedDEK {
    const iv = crypto.randomBytes(16);
    const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
--- a/src/ui/Desktop/Homepage/HomepageAuth.tsx
+++ b/src/ui/Desktop/Homepage/HomepageAuth.tsx
@@ -428,12 +428,10 @@ export function HomepageAuth({
      return;
    }
-    if (success && token) {
+    if (success) {
      setOidcLoading(true);
      setError(null);
      // JWT token is now automatically set as HttpOnly cookie by backend
      console.log("OIDC login successful - JWT set as secure HttpOnly cookie");
      getUserInfo()
        .then((meRes) => {
          setInternalLoggedIn(true);
@@ -455,13 +453,11 @@ export function HomepageAuth({
          );
        })
        .catch((err) => {
          toast.error(t("errors.failedUserInfo"));
          setInternalLoggedIn(false);
          setLoggedIn(false);
          setIsAdmin(false);
          setUsername(null);
          setUserId(null);
          // HttpOnly cookies cannot be cleared from JavaScript - backend handles this
          window.history.replaceState(
            {},
            document.title,