e3b93ff96d
Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.
77 lines
1.7 KiB
YAML
77 lines
1.7 KiB
YAML
# ============================================================
|
|
# ZCLAW SaaS Backend - Docker Compose
|
|
# ============================================================
|
|
# Usage:
|
|
# cp saas-env.example .env # then edit .env with real values
|
|
# docker compose up -d
|
|
# docker compose logs -f saas
|
|
# ============================================================
|
|
|
|
services:
|
|
# ---- PostgreSQL 16 ----
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
container_name: zclaw-postgres
|
|
restart: unless-stopped
|
|
|
|
environment:
|
|
POSTGRES_USER: ${POSTGRES_USER:-postgres}
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-your_secure_password}
|
|
POSTGRES_DB: ${POSTGRES_DB:-zclaw}
|
|
|
|
ports:
|
|
- "${POSTGRES_PORT:-5432}:5432"
|
|
|
|
volumes:
|
|
- postgres_data:/var/lib/postgresql/data
|
|
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-postgres} -d ${POSTGRES_DB:-zclaw}"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 10s
|
|
|
|
networks:
|
|
- zclaw-saas
|
|
|
|
# ---- SaaS Backend ----
|
|
saas:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile
|
|
|
|
container_name: zclaw-saas
|
|
restart: unless-stopped
|
|
|
|
ports:
|
|
- "127.0.0.1:${SAAS_PORT:-8080}:8080"
|
|
|
|
env_file:
|
|
- .env
|
|
|
|
environment:
|
|
DATABASE_URL: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-your_secure_password}@postgres:5432/${POSTGRES_DB:-zclaw}
|
|
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 3
|
|
start_period: 15s
|
|
|
|
networks:
|
|
- zclaw-saas
|
|
|
|
volumes:
|
|
postgres_data:
|
|
driver: local
|
|
|
|
networks:
|
|
zclaw-saas:
|
|
driver: bridge
|