TidyQuest/SECURITY.md
root a7cd81fe81 Initial release: TidyQuest v0.1.0
TidyQuest is a self-hosted web application that gamifies household chores
using RPG mechanics. Complete tasks, earn coins, unlock achievements, and
compete with your family on the leaderboard.

Features:
- 🎯 Health-based task tracking with visual decay over time
- 💰 Coin system with customizable rewards
- 🔥 Daily/weekly streak tracking
- 🏆 Family leaderboard (week/month/quarter/year)
- 🎖️ Automatic achievement unlocking
- 📅 Calendar view for upcoming tasks
- 🌍 Multilingual support (EN/FR/DE/ES)
- 📱 Optional Telegram notifications
- 🏖️ Vacation mode (pause task decay)
- 🐳 Docker deployment (single container)

Tech Stack:
- Frontend: React 19 + Vite + TypeScript
- Backend: Node.js + Express + TypeScript
- Database: SQLite3 with WAL mode
- Auth: JWT + bcrypt
- Deployment: Docker Compose

Includes:
- 8 room types with 60+ predefined tasks
- 10 preset rewards
- 12 achievement types
- Complete API documentation
- Security best practices guide
- Comprehensive README with examples

License: GNU Affero General Public License v3.0 (AGPL-3.0)
This ensures TidyQuest remains free and open-source forever, preventing
proprietary SaaS forks. Any modified hosted version must share source code.
2026-02-17 18:40:09 +01:00

167 lines
4 KiB
Markdown

# Security Policy
## 🔒 Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |
---
## 🛡️ Security Best Practices
### Before Deploying to Production
#### 1. **Set a Strong JWT Secret**
**⚠️ CRITICAL**: The JWT secret is used to sign authentication tokens. A weak or default secret compromises all user sessions.
**How to set it:**
```bash
# Generate a secure random secret
openssl rand -base64 32
# Add to .env file
echo "JWT_SECRET=<your-generated-secret>" > .env
```
**In docker-compose.yml:**
```yaml
environment:
- JWT_SECRET=${JWT_SECRET}
```
**Never commit your `.env` file to version control.**
---
#### 2. **Use HTTPS with a Reverse Proxy**
TidyQuest should **never** be exposed directly to the internet over HTTP.
**Recommended setup:**
- Use Caddy, Nginx, or Traefik as a reverse proxy
- Obtain a valid TLS certificate (Let's Encrypt)
- Forward port 443 → TidyQuest container port 3000
**Example with Caddy:**
```
tidyquest.yourdomain.com {
reverse_proxy localhost:3020
}
```
---
#### 3. **Telegram Bot Token Protection**
**⚠️ Known Risk**: Telegram bot tokens are stored **unencrypted** in the SQLite database.
**Mitigation:**
- Restrict file system access to the `./data/` directory
- Use proper file permissions: `chmod 600 data/tidyquest.db`
- Never expose the database file publicly
- Regularly back up and encrypt database backups
**Future improvement (planned for v0.2)**: Encrypt sensitive settings using AES-256.
---
#### 4. **Database Backups**
**Location**: `./data/tidyquest.db`
**Backup strategy:**
```bash
# Manual backup
cp data/tidyquest.db backups/tidyquest-$(date +%Y%m%d).db
# Automated daily backup (crontab)
0 3 * * * cd /path/to/tidyquest && cp data/tidyquest.db backups/tidyquest-$(date +\%Y\%m\%d).db
```
**Encrypt backups before storing offsite:**
```bash
gpg -c backups/tidyquest-20260217.db
```
---
#### 5. **User Avatar Uploads**
**Current validation:**
- MIME type check: only `image/*` allowed
- File size limit: 2MB
**Additional hardening (recommended):**
- Serve avatars from a separate domain/subdomain
- Implement Content-Security-Policy headers
- Consider using image processing library to re-encode uploads
---
#### 6. **Network Exposure**
**Default setup (Docker Compose):**
- Port `3020:3000` is exposed on all interfaces (`0.0.0.0`)
**For local-only access**, bind to localhost:
```yaml
ports:
- "127.0.0.1:3020:3000"
```
**For VPN/LAN access**, ensure firewall rules are configured.
---
## 🚨 Reporting a Vulnerability
If you discover a security vulnerability in TidyQuest, please:
1. **Do NOT open a public GitHub issue**
2. Email the maintainer directly (see GitHub profile)
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if applicable)
**Response time**: We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
---
## 📋 Security Checklist Before Going Public
- [ ] JWT_SECRET set via environment variable (not default value)
- [ ] HTTPS reverse proxy configured
- [ ] Database file permissions restricted (`chmod 600`)
- [ ] Regular backup strategy in place
- [ ] Firewall rules configured (only allow necessary ports)
- [ ] Docker image updated to latest version
- [ ] OS and dependencies up to date
- [ ] Telegram bot token kept secret (if using notifications)
- [ ] `.env` file in `.gitignore` (verified not committed)
---
## 🔐 Authentication & Session Management
- **Algorithm**: JWT (JSON Web Tokens)
- **Token expiry**: 30 days
- **Password hashing**: bcrypt (10 rounds)
- **Authorization**: Role-based (admin, member, child)
**Session invalidation**: Currently, tokens remain valid until expiry. Manual revocation is not implemented (planned for v0.2).
---
## 📚 Additional Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Docker Security Best Practices](https://docs.docker.com/engine/security/)
- [SQLite Security Considerations](https://www.sqlite.org/security.html)
---
**Last updated**: 2026-02-17