dashcaddy

sami7777/dashcaddy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Krystie	970e862533	refactor(routes): Phase 3.4 - standardize dns.js with explicit dependencies - Replaced god object ctx with explicit dependency injection - Added JSDoc documenting required dependencies (7 deps vs 50+) - Updated response calls to use response-helpers (success/error) - Dependencies: dns, siteConfig, asyncHandler, log, safeErrorMessage, fetchT, credentialManager - DNS record management, Technitium proxy, credential storage all preserved - 632 lines, now self-documenting and testable	2026-03-28 19:28:17 -07:00
Sami	59b6d7d360	Fix 16 HIGH/MEDIUM security bugs across API HIGH fixes: - TOTP disable now requires valid code verification - TOTP secret removed from plaintext file storage - Container ID validated before update/check-update/logs operations - DNS server parameter restricted to configured servers (SSRF prevention) - Backup export no longer includes encryption key - Backup restore of sensitive files requires TOTP re-authentication MEDIUM fixes: - Session cookie Secure flag added - Caddy reload errors no longer leaked to client - saveConfig uses atomic locked updates via configStateManager - Log file path traversal prevented via symlink resolution - Credential cache entries now expire after 5 minutes - _httpFetch enforces 10MB response size limit - External URL path injection into Caddyfile blocked - Custom volume host paths validated against allowed roots - Error logs endpoint no longer returns stack traces - Logo delete path traversal prevented via path.basename() Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-07 00:15:28 -08:00
Sami	f61e85d9a7	Initial commit: DashCaddy v1.0 Full codebase including API server (32 modules + routes), dashboard frontend, DashCA certificate distribution, installer script, and deployment skills.	2026-03-05 02:26:12 -08:00

Author

SHA1

Message

Date

Krystie

970e862533

refactor(routes): Phase 3.4 - standardize dns.js with explicit dependencies

- Replaced god object ctx with explicit dependency injection
- Added JSDoc documenting required dependencies (7 deps vs 50+)
- Updated response calls to use response-helpers (success/error)
- Dependencies: dns, siteConfig, asyncHandler, log, safeErrorMessage, fetchT, credentialManager
- DNS record management, Technitium proxy, credential storage all preserved
- 632 lines, now self-documenting and testable

2026-03-28 19:28:17 -07:00

Sami

59b6d7d360

Fix 16 HIGH/MEDIUM security bugs across API

HIGH fixes:
- TOTP disable now requires valid code verification
- TOTP secret removed from plaintext file storage
- Container ID validated before update/check-update/logs operations
- DNS server parameter restricted to configured servers (SSRF prevention)
- Backup export no longer includes encryption key
- Backup restore of sensitive files requires TOTP re-authentication

MEDIUM fixes:
- Session cookie Secure flag added
- Caddy reload errors no longer leaked to client
- saveConfig uses atomic locked updates via configStateManager
- Log file path traversal prevented via symlink resolution
- Credential cache entries now expire after 5 minutes
- _httpFetch enforces 10MB response size limit
- External URL path injection into Caddyfile blocked
- Custom volume host paths validated against allowed roots
- Error logs endpoint no longer returns stack traces
- Logo delete path traversal prevented via path.basename()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-07 00:15:28 -08:00

Sami

f61e85d9a7

Initial commit: DashCaddy v1.0

Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.

2026-03-05 02:26:12 -08:00

3 Commits