mirror of
https://github.com/zadam/trilium.git
synced 2025-12-10 01:14:25 +01:00
f0ba83c2ad
Production-ready security improvements: 1. Password Security Enhancements: - Increased minimum password length from 4 to 8 characters - Added maximum length limit (100 chars) to prevent DoS - Migration now validates password exists and is not empty - Proper validation before creating admin user 2. Timing Attack Prevention: - Implemented constant-time comparison using crypto.timingSafeEqual - Added dummy hash computation for non-existent users - Prevents username enumeration via timing analysis 3. Comprehensive Input Validation: - Username: 3-50 chars, alphanumeric + . _ - only - Email: Format validation, 100 char limit - All validation centralized in user_management service - Proper error messages without leaking info 4. Code Quality Improvements: - Fixed parseInt() calls to use radix 10 and check NaN - Added try-catch for validation errors in API routes - Improved error handling throughout 5. Security Documentation: - Added comprehensive 'Security Considerations' section - Documented implemented protections - Listed recommended infrastructure-level protections - Documented known limitations (username enumeration, etc.) - Clear guidance on rate limiting, HTTPS, monitoring All changes maintain backward compatibility and pass TypeScript validation. Zero errors, production-ready security posture.