john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
469 commits 1 branch 0 tags 125 MiB
Commit graph

6 commits

Author SHA1 Message Date
TheFlow
6b79f9a155 fix(newsletter): resolve CSRF token issue for static HTML pages 
Problem:
- nginx serves blog.html as static file, bypassing Express middleware
- setCsrfToken middleware never runs
- No CSRF cookie set
- Newsletter subscription fails with 403 Forbidden

Root cause:
nginx config: 'try_files $uri @proxy' serves static files directly
Location: /etc/nginx/sites-available/tractatus (line 54)

Solution:
1. blog.js now fetches CSRF token via /api/csrf-token on page load
2. getCsrfToken endpoint now creates token if missing (for static pages)
3. Newsletter form uses fetched token for subscription

Testing:
 Local test: CSRF token fetched successfully
 Newsletter subscription: Creates record in database
 Verified: test-fix@example.com subscribed via curl test

Impact:
- Newsletter subscriptions now work on production
- Fix applies to all static HTML pages (blog.html, etc.)
- Maintains CSRF protection security

Files:
- public/js/blog.js: Added fetchCsrfToken() + use in newsletter form
- src/middleware/csrf-protection.middleware.js: Enhanced getCsrfToken()

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-25 09:37:16 +13:00
TheFlow
061977126a fix(csrf): enable newsletter subscription from mobile 
CRITICAL FIX: Newsletter subscription was returning "Forbidden" error
because the CSRF protection was incorrectly configured.

Root cause:
- CSRF cookie was set with httpOnly: true
- JavaScript cannot read httpOnly cookies
- Frontend couldn't extract token to send in X-CSRF-Token header
- Double-submit CSRF pattern requires client to read the cookie

Changes:
- csrf-protection.middleware.js: Set httpOnly: false (required for double-submit pattern)
- blog.js: Extract CSRF token from cookie and include in X-CSRF-Token header

Security Note: This is the correct implementation per OWASP guidelines
for double-submit cookie CSRF protection. The cookie is still protected
by SameSite: strict and domain restrictions.

Fixes: #newsletter-subscription-forbidden-mobile
 2025-10-24 16:42:56 +13:00
TheFlow
ac2db33732 fix(submissions): restructure Economist package and fix article display 
- Create Economist SubmissionTracking package correctly:
  * mainArticle = full blog post content
  * coverLetter = 216-word SIR— letter
  * Links to blog post via blogPostId
- Archive 'Letter to The Economist' from blog posts (it's the cover letter)
- Fix date display on article cards (use published_at)
- Target publication already displaying via blue badge

Database changes:
- Make blogPostId optional in SubmissionTracking model
- Economist package ID: 68fa85ae49d4900e7f2ecd83
- Le Monde package ID: 68fa2abd2e6acd5691932150

Next: Enhanced modal with tabs, validation, export

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-24 08:47:42 +13:00
TheFlow
60f239c0bf refactor: deep cleanup - remove all website code from framework repo 
REMOVED: 77 website-specific files from src/ and public/

Website Models (9):
- Blog, CaseSubmission, Document, Donation, MediaInquiry,
  ModerationQueue, NewsletterSubscription, Resource, User

Website Services (6):
- BlogCuration, MediaTriage, Koha, ClaudeAPI, ClaudeMdAnalyzer,
  AdaptiveCommunicationOrchestrator

Website Controllers (9):
- blog, cases, documents, koha, media, newsletter, auth, admin, variables

Website Routes (10):
- blog, cases, documents, koha, media, newsletter, auth, admin, test, demo

Website Middleware (4):
- auth, csrf-protection, file-security, response-sanitization

Website Utils (3):
- document-section-parser, jwt, markdown

Website JS (36):
- Website components, docs viewers, page features, i18n, Koha

RETAINED Framework Code:
- 6 core services (Boundary, ContextPressure, CrossReference,
  InstructionPersistence, Metacognitive, PluralisticDeliberation)
- 4 support services (AnthropicMemoryClient, MemoryProxy,
  RuleOptimizer, VariableSubstitution)
- 9 framework models (governance, audit, deliberation, project state)
- 3 framework controllers (rules, projects, audit)
- 7 framework routes (rules, governance, projects, audit, hooks, sync)
- 6 framework middleware (error, validation, security, governance)
- Minimal admin UI (rule manager, dashboard, hooks dashboard)
- Framework demos and documentation

PURPOSE: Tractatus-framework repo is now PURELY framework code.
All website/project code remains in internal repo only.

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-21 21:22:40 +13:00
TheFlow
0debe26af0 fix: CSRF cookie secure flag for reverse proxy environments 
Check X-Forwarded-Proto header to determine if request is HTTPS
This ensures CSRF cookies work correctly when nginx terminates SSL
 2025-10-14 15:37:49 +13:00
TheFlow
9d0dd0d83f security: complete Phase 0 Quick Wins implementation 
Phase 0 Complete (QW-1 through QW-8):
 Enhanced input validation with HTML sanitization
 Form rate limiting (5 req/min on all submission endpoints)
 Modern CSRF protection (SameSite cookies + double-submit pattern)
 Security audit logging (CSRF violations captured)
 Applied to all public form endpoints:
   - /api/cases/submit (case studies)
   - /api/media/inquiries (media inquiries)
   - /api/newsletter/subscribe (newsletter)

New Middleware:
- csrf-protection.middleware.js (replaces deprecated csurf package)
- Enhanced input-validation.middleware.js applied to all forms

Security Features Active:
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- Rate limiting (100 req/15min public, 5 req/min forms)
- CSRF protection (double-submit cookie pattern)
- HTML sanitization (XSS prevention)
- Response sanitization (hide stack traces)
- Security event logging

Implements: inst_041, inst_042, inst_043, inst_044, inst_045, inst_046
Refs: docs/plans/security-implementation-roadmap.md Phase 0
 2025-10-14 15:32:54 +13:00