TidyQuest is a self-hosted web application that gamifies household chores using RPG mechanics. Complete tasks, earn coins, unlock achievements, and compete with your family on the leaderboard. Features: - 🎯 Health-based task tracking with visual decay over time - 💰 Coin system with customizable rewards - 🔥 Daily/weekly streak tracking - 🏆 Family leaderboard (week/month/quarter/year) - 🎖️ Automatic achievement unlocking - 📅 Calendar view for upcoming tasks - 🌍 Multilingual support (EN/FR/DE/ES) - 📱 Optional Telegram notifications - 🏖️ Vacation mode (pause task decay) - 🐳 Docker deployment (single container) Tech Stack: - Frontend: React 19 + Vite + TypeScript - Backend: Node.js + Express + TypeScript - Database: SQLite3 with WAL mode - Auth: JWT + bcrypt - Deployment: Docker Compose Includes: - 8 room types with 60+ predefined tasks - 10 preset rewards - 12 achievement types - Complete API documentation - Security best practices guide - Comprehensive README with examples License: GNU Affero General Public License v3.0 (AGPL-3.0) This ensures TidyQuest remains free and open-source forever, preventing proprietary SaaS forks. Any modified hosted version must share source code.
4 KiB
Security Policy
🔒 Supported Versions
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
🛡️ Security Best Practices
Before Deploying to Production
1. Set a Strong JWT Secret
⚠️ CRITICAL: The JWT secret is used to sign authentication tokens. A weak or default secret compromises all user sessions.
How to set it:
# Generate a secure random secret
openssl rand -base64 32
# Add to .env file
echo "JWT_SECRET=<your-generated-secret>" > .env
In docker-compose.yml:
environment:
- JWT_SECRET=${JWT_SECRET}
Never commit your .env file to version control.
2. Use HTTPS with a Reverse Proxy
TidyQuest should never be exposed directly to the internet over HTTP.
Recommended setup:
- Use Caddy, Nginx, or Traefik as a reverse proxy
- Obtain a valid TLS certificate (Let's Encrypt)
- Forward port 443 → TidyQuest container port 3000
Example with Caddy:
tidyquest.yourdomain.com {
reverse_proxy localhost:3020
}
3. Telegram Bot Token Protection
⚠️ Known Risk: Telegram bot tokens are stored unencrypted in the SQLite database.
Mitigation:
- Restrict file system access to the
./data/directory - Use proper file permissions:
chmod 600 data/tidyquest.db - Never expose the database file publicly
- Regularly back up and encrypt database backups
Future improvement (planned for v0.2): Encrypt sensitive settings using AES-256.
4. Database Backups
Location: ./data/tidyquest.db
Backup strategy:
# Manual backup
cp data/tidyquest.db backups/tidyquest-$(date +%Y%m%d).db
# Automated daily backup (crontab)
0 3 * * * cd /path/to/tidyquest && cp data/tidyquest.db backups/tidyquest-$(date +\%Y\%m\%d).db
Encrypt backups before storing offsite:
gpg -c backups/tidyquest-20260217.db
5. User Avatar Uploads
Current validation:
- MIME type check: only
image/*allowed - File size limit: 2MB
Additional hardening (recommended):
- Serve avatars from a separate domain/subdomain
- Implement Content-Security-Policy headers
- Consider using image processing library to re-encode uploads
6. Network Exposure
Default setup (Docker Compose):
- Port
3020:3000is exposed on all interfaces (0.0.0.0)
For local-only access, bind to localhost:
ports:
- "127.0.0.1:3020:3000"
For VPN/LAN access, ensure firewall rules are configured.
🚨 Reporting a Vulnerability
If you discover a security vulnerability in TidyQuest, please:
- Do NOT open a public GitHub issue
- Email the maintainer directly (see GitHub profile)
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if applicable)
Response time: We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
📋 Security Checklist Before Going Public
- JWT_SECRET set via environment variable (not default value)
- HTTPS reverse proxy configured
- Database file permissions restricted (
chmod 600) - Regular backup strategy in place
- Firewall rules configured (only allow necessary ports)
- Docker image updated to latest version
- OS and dependencies up to date
- Telegram bot token kept secret (if using notifications)
.envfile in.gitignore(verified not committed)
🔐 Authentication & Session Management
- Algorithm: JWT (JSON Web Tokens)
- Token expiry: 30 days
- Password hashing: bcrypt (10 rounds)
- Authorization: Role-based (admin, member, child)
Session invalidation: Currently, tokens remain valid until expiry. Manual revocation is not implemented (planned for v0.2).
📚 Additional Resources
Last updated: 2026-02-17