Patrick/medassist-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
318f63657b06b7e7e7ab4273cd19320537bd85a8
medassist-ng/.env.example
T
Daniel Volz d0a40bde88 feat: Nagging reminders with max limit + ENV defaults for settings (#18) 
* ci: prevent duplicate test runs - tests only on PRs, inline tests for builds

* docs: add testing and CI/CD documentation

* security: fix CodeQL vulnerabilities (SSRF, XSS, rate limiting)

- Add URL validation to prevent SSRF attacks on notification endpoints
  - Block private IPs (10.x, 172.16-31.x, 192.168.x, 169.254.x)
  - Block localhost and internal hostnames
  - Only allow HTTP/HTTPS protocols
- Add HTML escaping for medication names in email templates (XSS)
- Add stricter rate limiting for auth routes (5 req/15min for login/register)
- Add SSRF protection tests (405 tests total)

* security: add rate limiting to remaining auth routes

* chore: add CodeQL config to suppress rate-limit false positives

Rate limiting IS implemented via @fastify/rate-limit plugin:
- Global: 100 req/min (index.ts)
- Auth routes: 5-10 req/min via config.rateLimit option

CodeQL doesn't recognize Fastify's plugin-based rate limiting pattern.

* ci: switch to CodeQL Advanced Setup

- Add custom codeql.yml workflow
- Configure to use codeql-config.yml
- Exclude js/missing-rate-limiting rule (false positive)
  Rate limiting is implemented via @fastify/rate-limit plugin

* ci: add explicit permissions to workflows

Fixes CodeQL 'Workflow does not contain permissions' warnings.
Sets minimal 'contents: read' at top level.

* ci: add manual trigger to CodeQL workflow

* ci: add explicit permissions to all workflow jobs

* build(deps): bump esbuild, @vitest/coverage-v8 and vitest in /backend

Bumps [esbuild](https://github.com/evanw/esbuild) to 0.27.2 and updates ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). These dependencies need to be updated together.


Updates `esbuild` from 0.21.5 to 0.27.2
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.21.5...v0.27.2)

Updates `@vitest/coverage-v8` from 2.1.9 to 4.0.16
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.16/packages/coverage-v8)

Updates `vitest` from 2.1.9 to 4.0.16
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.16/packages/vitest)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.27.2
  dependency-type: indirect
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.0.16
  dependency-type: direct:development
- dependency-name: vitest
  dependency-version: 4.0.16
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* docs: add GitHub issue templates

- Bug report template with deployment type, browser info, logs
- Feature request template with affected area, priority
- Config with link to discussions and README
- Optimize test.yml to skip tests for non-code changes

* Initial plan

* Remove database schema duplication by creating shared schema-sql.ts module

Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>

* Refactor frontend date formatting to eliminate duplication

Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>

* docs: Add branch protection warning and PR workflow to instructions

* ci: remove paths filter from test workflow to fix branch protection

* fix: add .js extension to schema-sql imports for ESM compatibility (#15)

* feat: add setting to skip reminders for taken doses

- Add skipRemindersForTakenDoses setting to database schema
- Extend settings API to save and load new setting
- Update intake reminder scheduler to filter taken doses
- Add frontend toggle in settings with i18n (EN/DE)
- Only check doses from today (timezone-aware)
- Update all test schemas with new field
- All 405 tests passing

* feat: add repeat reminders for missed doses

- Add repeatRemindersEnabled and reminderRepeatIntervalMinutes settings
- Refactor intake reminder state from array to object with sendCount tracking
- Update scheduler to send repeated reminders at configurable intervals
- Only remind for today's doses (timezone-aware filtering)
- Add frontend toggle and interval input (5-480 minutes) in settings
- Maintain backward compatibility for old state file format
- Update all test schemas and assertions
- All 406 tests passing

* feat: add nagging reminders with max limit and ENV defaults

- Add maxNaggingReminders setting to limit repeat reminders (1-20)
- Add ENV defaults for all user settings (DEFAULT_*)
- Add ALTER TABLE migrations for backward compatibility
- Add smtpConfigured/shoutrrrConfigured to health endpoint
- Fix Push toggle to allow enabling without existing URL
- Disable skip/repeat toggles when no notifications enabled
- Add Pocket ID button to registration page
- Add getTodaysIntakes() for repeat reminder logic
- Update translations (en/de) for new settings
- Add comprehensive tests for new features

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>
2026-01-10 21:05:44 +01:00

121 lines
4.3 KiB
Bash
Raw Blame History

# =============================================================================
# MedAssist-ng Configuration
# =============================================================================
# Copy this file to .env and adjust values for your setup
# =============================================================================
# Container user/group IDs (for bind mount permissions)
# Set to your host user's UID/GID: id -u && id -g
PUID=1000
PGID=1000
PORT=3000
CORS_ORIGINS=http://localhost:4174
LOG_LEVEL=info
# Timezone for scheduled reminders (e.g., Europe/Berlin, America/New_York)
TZ=Europe/Berlin
# =============================================================================
# Authentication (optional - disabled by default for easy setup)
# =============================================================================
# Enable authentication (default: false = open access)
AUTH_ENABLED=false
# Allow new user registrations (auto-enabled when no users exist)
# REGISTRATION_ENABLED=false
# JWT Secrets - REQUIRED when AUTH_ENABLED=true
# Generate with: openssl rand -hex 32
# JWT_SECRET=
# REFRESH_SECRET=
# COOKIE_SECRET=
# Token TTL (optional - defaults shown)
# ACCESS_TOKEN_TTL_MINUTES=15
# REFRESH_TOKEN_TTL_DAYS=7
# =============================================================================
# OIDC SSO (optional - for Pocket ID, Authelia, Authentik, etc.)
# =============================================================================
# Enable OIDC authentication
# OIDC_ENABLED=false
# OIDC Provider URL (discovery endpoint will be auto-detected)
# OIDC_ISSUER_URL=https://auth.example.com
# Client credentials (from your OIDC provider)
# OIDC_CLIENT_ID=medassist
# OIDC_CLIENT_SECRET=your-client-secret
# Callback URL (must match what's configured in your OIDC provider)
# OIDC_REDIRECT_URI=https://medassist.example.com/api/auth/oidc/callback
# OIDC scopes to request (default: openid profile email)
# OIDC_SCOPES=openid profile email
# Claim to use as username (options: preferred_username, email, sub)
# OIDC_USERNAME_CLAIM=preferred_username
# Auto-create users on first SSO login (default: true)
# OIDC_AUTO_CREATE_USERS=true
# Provider name for login button (e.g., "Pocket ID", "Authelia", "SSO")
# OIDC_PROVIDER_NAME=SSO
# SMTP (optional - for email notifications and password reset)
SMTP_HOST=
SMTP_PORT=587
SMTP_USER=
SMTP_PASS= # Traditional password auth
SMTP_TOKEN= # OAuth2/App token auth (takes precedence over SMTP_PASS)
SMTP_FROM=
SMTP_SECURE=false
# Admin settings default value only - frontend settings (stored in settings.json) take precedence
REMINDER_DAYS_BEFORE=7
# Admin settings (not editable in UI)
REMINDER_HOUR=6 # 24h format (0-23), e.g. 6 = 6:00 AM, 18 = 6:00 PM
REMINDER_MINUTES_BEFORE=15 # Minutes before intake to send reminder
EXPIRY_WARNING_DAYS=30 # Days before expiry to show yellow warning
# =============================================================================
# Default User Settings (applied when new user is created)
# =============================================================================
# These ENV values are only used as DEFAULTS when a new user is created.
# Once a user saves their settings in the app, these ENV values are ignored
# for that user - their saved preferences take precedence.
#
# Useful for server admins to pre-configure settings for all new users.
# =============================================================================
# Email notifications (requires SMTP config above)
# DEFAULT_EMAIL_ENABLED=false
# DEFAULT_NOTIFICATION_EMAIL=
# DEFAULT_EMAIL_STOCK_REMINDERS=true
# DEFAULT_EMAIL_INTAKE_REMINDERS=true
# Push notifications (ntfy/gotify via Shoutrrr)
# DEFAULT_SHOUTRRR_ENABLED=false
# DEFAULT_SHOUTRRR_URL=
# DEFAULT_SHOUTRRR_STOCK_REMINDERS=true
# DEFAULT_SHOUTRRR_INTAKE_REMINDERS=true
# Repeat/nagging reminders for missed doses
# DEFAULT_REPEAT_REMINDERS_ENABLED=false
# DEFAULT_REMINDER_REPEAT_INTERVAL_MINUTES=30
# DEFAULT_MAX_NAGGING_REMINDERS=5
# DEFAULT_SKIP_REMINDERS_FOR_TAKEN_DOSES=false
# Stock reminder settings
# DEFAULT_REPEAT_DAILY_REMINDERS=false
# Stock thresholds (days of supply)
# DEFAULT_LOW_STOCK_DAYS=30
# DEFAULT_NORMAL_STOCK_DAYS=90
# DEFAULT_HIGH_STOCK_DAYS=180
# UI defaults
# DEFAULT_LANGUAGE=en # en or de
# DEFAULT_STOCK_CALCULATION_MODE=automatic # automatic or manual
Reference in New Issue View Git Blame Copy Permalink