TidyQuest/SECURITY.md
root a7cd81fe81 Initial release: TidyQuest v0.1.0
TidyQuest is a self-hosted web application that gamifies household chores
using RPG mechanics. Complete tasks, earn coins, unlock achievements, and
compete with your family on the leaderboard.

Features:
- 🎯 Health-based task tracking with visual decay over time
- 💰 Coin system with customizable rewards
- 🔥 Daily/weekly streak tracking
- 🏆 Family leaderboard (week/month/quarter/year)
- 🎖️ Automatic achievement unlocking
- 📅 Calendar view for upcoming tasks
- 🌍 Multilingual support (EN/FR/DE/ES)
- 📱 Optional Telegram notifications
- 🏖️ Vacation mode (pause task decay)
- 🐳 Docker deployment (single container)

Tech Stack:
- Frontend: React 19 + Vite + TypeScript
- Backend: Node.js + Express + TypeScript
- Database: SQLite3 with WAL mode
- Auth: JWT + bcrypt
- Deployment: Docker Compose

Includes:
- 8 room types with 60+ predefined tasks
- 10 preset rewards
- 12 achievement types
- Complete API documentation
- Security best practices guide
- Comprehensive README with examples

License: GNU Affero General Public License v3.0 (AGPL-3.0)
This ensures TidyQuest remains free and open-source forever, preventing
proprietary SaaS forks. Any modified hosted version must share source code.
2026-02-17 18:40:09 +01:00

4 KiB

Security Policy

🔒 Supported Versions

Version Supported
0.1.x

🛡️ Security Best Practices

Before Deploying to Production

1. Set a Strong JWT Secret

⚠️ CRITICAL: The JWT secret is used to sign authentication tokens. A weak or default secret compromises all user sessions.

How to set it:

# Generate a secure random secret
openssl rand -base64 32

# Add to .env file
echo "JWT_SECRET=<your-generated-secret>" > .env

In docker-compose.yml:

environment:
  - JWT_SECRET=${JWT_SECRET}

Never commit your .env file to version control.


2. Use HTTPS with a Reverse Proxy

TidyQuest should never be exposed directly to the internet over HTTP.

Recommended setup:

  • Use Caddy, Nginx, or Traefik as a reverse proxy
  • Obtain a valid TLS certificate (Let's Encrypt)
  • Forward port 443 → TidyQuest container port 3000

Example with Caddy:

tidyquest.yourdomain.com {
    reverse_proxy localhost:3020
}

3. Telegram Bot Token Protection

⚠️ Known Risk: Telegram bot tokens are stored unencrypted in the SQLite database.

Mitigation:

  • Restrict file system access to the ./data/ directory
  • Use proper file permissions: chmod 600 data/tidyquest.db
  • Never expose the database file publicly
  • Regularly back up and encrypt database backups

Future improvement (planned for v0.2): Encrypt sensitive settings using AES-256.


4. Database Backups

Location: ./data/tidyquest.db

Backup strategy:

# Manual backup
cp data/tidyquest.db backups/tidyquest-$(date +%Y%m%d).db

# Automated daily backup (crontab)
0 3 * * * cd /path/to/tidyquest && cp data/tidyquest.db backups/tidyquest-$(date +\%Y\%m\%d).db

Encrypt backups before storing offsite:

gpg -c backups/tidyquest-20260217.db

5. User Avatar Uploads

Current validation:

  • MIME type check: only image/* allowed
  • File size limit: 2MB

Additional hardening (recommended):

  • Serve avatars from a separate domain/subdomain
  • Implement Content-Security-Policy headers
  • Consider using image processing library to re-encode uploads

6. Network Exposure

Default setup (Docker Compose):

  • Port 3020:3000 is exposed on all interfaces (0.0.0.0)

For local-only access, bind to localhost:

ports:
  - "127.0.0.1:3020:3000"

For VPN/LAN access, ensure firewall rules are configured.


🚨 Reporting a Vulnerability

If you discover a security vulnerability in TidyQuest, please:

  1. Do NOT open a public GitHub issue
  2. Email the maintainer directly (see GitHub profile)
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if applicable)

Response time: We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.


📋 Security Checklist Before Going Public

  • JWT_SECRET set via environment variable (not default value)
  • HTTPS reverse proxy configured
  • Database file permissions restricted (chmod 600)
  • Regular backup strategy in place
  • Firewall rules configured (only allow necessary ports)
  • Docker image updated to latest version
  • OS and dependencies up to date
  • Telegram bot token kept secret (if using notifications)
  • .env file in .gitignore (verified not committed)

🔐 Authentication & Session Management

  • Algorithm: JWT (JSON Web Tokens)
  • Token expiry: 30 days
  • Password hashing: bcrypt (10 rounds)
  • Authorization: Role-based (admin, member, child)

Session invalidation: Currently, tokens remain valid until expiry. Manual revocation is not implemented (planned for v0.2).


📚 Additional Resources


Last updated: 2026-02-17