2026-03-28 01:40:18 +08:00
|
|
|
import crypto from 'crypto';
|
|
|
|
|
import fs from 'fs';
|
|
|
|
|
import path from 'path';
|
2026-03-19 06:58:08 +08:00
|
|
|
|
2026-03-28 01:40:18 +08:00
|
|
|
let JWT_SECRET: string = process.env.JWT_SECRET || '';
|
2026-03-19 06:58:08 +08:00
|
|
|
|
|
|
|
|
if (!JWT_SECRET) {
|
v2.1.0 — Real-time collaboration, performance & security overhaul
Real-Time Collaboration (WebSocket):
- WebSocket server with JWT auth and trip-based rooms
- Live sync for all CRUD operations (places, assignments, days, notes, budget, packing, reservations, files)
- Socket-based exclusion to prevent duplicate updates
- Auto-reconnect with exponential backoff
- Assignment move sync between days
Performance:
- 16 database indexes on all foreign key columns
- N+1 query fix in places, assignments and days endpoints
- Marker clustering (react-leaflet-cluster) with configurable radius
- List virtualization (react-window) for places sidebar
- useMemo for filtered places
- SQLite WAL mode + busy_timeout for concurrent writes
- Weather API: server-side cache (1h forecast, 15min current) + client sessionStorage
- Google Places photos: persisted to DB after first fetch
- Google Details: 3-tier cache (memory → sessionStorage → API)
Security:
- CORS auto-configuration (production: same-origin, dev: open)
- API keys removed from /auth/me response
- Admin-only endpoint for reading API keys
- Path traversal prevention in cover image deletion
- JWT secret persisted to file (survives restarts)
- Avatar upload file extension whitelist
- API key fallback: normal users use admin's key without exposure
- Case-insensitive email login
Dark Mode:
- Fixed hardcoded colors across PackingList, Budget, ReservationModal, ReservationsPanel
- Mobile map buttons and sidebar sheets respect dark mode
- Cluster markers always dark
UI/UX:
- Redesigned login page with animated planes, stars and feature cards
- Admin: create user functionality with CustomSelect
- Mobile: day-picker popup for assigning places to days
- Mobile: touch-friendly reorder buttons (32px targets)
- Mobile: responsive text (shorter labels on small screens)
- Packing list: index-based category colors
- i18n: translated date picker placeholder, fixed German labels
- Default map tile: CartoDB Light
2026-03-19 19:44:22 +08:00
|
|
|
const dataDir = path.resolve(__dirname, '../data');
|
|
|
|
|
const secretFile = path.join(dataDir, '.jwt_secret');
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
JWT_SECRET = fs.readFileSync(secretFile, 'utf8').trim();
|
|
|
|
|
} catch {
|
|
|
|
|
JWT_SECRET = crypto.randomBytes(32).toString('hex');
|
|
|
|
|
try {
|
|
|
|
|
if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
|
|
|
|
|
fs.writeFileSync(secretFile, JWT_SECRET, { mode: 0o600 });
|
|
|
|
|
console.log('Generated and saved JWT secret to', secretFile);
|
2026-03-28 01:40:18 +08:00
|
|
|
} catch (writeErr: unknown) {
|
|
|
|
|
console.warn('WARNING: Could not persist JWT secret to disk:', writeErr instanceof Error ? writeErr.message : writeErr);
|
v2.1.0 — Real-time collaboration, performance & security overhaul
Real-Time Collaboration (WebSocket):
- WebSocket server with JWT auth and trip-based rooms
- Live sync for all CRUD operations (places, assignments, days, notes, budget, packing, reservations, files)
- Socket-based exclusion to prevent duplicate updates
- Auto-reconnect with exponential backoff
- Assignment move sync between days
Performance:
- 16 database indexes on all foreign key columns
- N+1 query fix in places, assignments and days endpoints
- Marker clustering (react-leaflet-cluster) with configurable radius
- List virtualization (react-window) for places sidebar
- useMemo for filtered places
- SQLite WAL mode + busy_timeout for concurrent writes
- Weather API: server-side cache (1h forecast, 15min current) + client sessionStorage
- Google Places photos: persisted to DB after first fetch
- Google Details: 3-tier cache (memory → sessionStorage → API)
Security:
- CORS auto-configuration (production: same-origin, dev: open)
- API keys removed from /auth/me response
- Admin-only endpoint for reading API keys
- Path traversal prevention in cover image deletion
- JWT secret persisted to file (survives restarts)
- Avatar upload file extension whitelist
- API key fallback: normal users use admin's key without exposure
- Case-insensitive email login
Dark Mode:
- Fixed hardcoded colors across PackingList, Budget, ReservationModal, ReservationsPanel
- Mobile map buttons and sidebar sheets respect dark mode
- Cluster markers always dark
UI/UX:
- Redesigned login page with animated planes, stars and feature cards
- Admin: create user functionality with CustomSelect
- Mobile: day-picker popup for assigning places to days
- Mobile: touch-friendly reorder buttons (32px targets)
- Mobile: responsive text (shorter labels on small screens)
- Packing list: index-based category colors
- i18n: translated date picker placeholder, fixed German labels
- Default map tile: CartoDB Light
2026-03-19 19:44:22 +08:00
|
|
|
console.warn('Sessions will reset on server restart. Set JWT_SECRET env var for persistent sessions.');
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-03-19 06:58:08 +08:00
|
|
|
}
|
|
|
|
|
|
2026-03-31 07:34:47 +08:00
|
|
|
const JWT_SECRET_IS_GENERATED = !process.env.JWT_SECRET;
|
|
|
|
|
|
|
|
|
|
export { JWT_SECRET, JWT_SECRET_IS_GENERATED };
|