* ci: prevent duplicate test runs - tests only on PRs, inline tests for builds
* docs: add testing and CI/CD documentation
* security: fix CodeQL vulnerabilities (SSRF, XSS, rate limiting)
- Add URL validation to prevent SSRF attacks on notification endpoints
- Block private IPs (10.x, 172.16-31.x, 192.168.x, 169.254.x)
- Block localhost and internal hostnames
- Only allow HTTP/HTTPS protocols
- Add HTML escaping for medication names in email templates (XSS)
- Add stricter rate limiting for auth routes (5 req/15min for login/register)
- Add SSRF protection tests (405 tests total)
* security: add rate limiting to remaining auth routes
* chore: add CodeQL config to suppress rate-limit false positives
Rate limiting IS implemented via @fastify/rate-limit plugin:
- Global: 100 req/min (index.ts)
- Auth routes: 5-10 req/min via config.rateLimit option
CodeQL doesn't recognize Fastify's plugin-based rate limiting pattern.
* ci: switch to CodeQL Advanced Setup
- Add custom codeql.yml workflow
- Configure to use codeql-config.yml
- Exclude js/missing-rate-limiting rule (false positive)
Rate limiting is implemented via @fastify/rate-limit plugin
* ci: add explicit permissions to workflows
Fixes CodeQL 'Workflow does not contain permissions' warnings.
Sets minimal 'contents: read' at top level.
* ci: add manual trigger to CodeQL workflow
* ci: add explicit permissions to all workflow jobs
* build(deps): bump esbuild, @vitest/coverage-v8 and vitest in /backend
Bumps [esbuild](https://github.com/evanw/esbuild) to 0.27.2 and updates ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). These dependencies need to be updated together.
Updates `esbuild` from 0.21.5 to 0.27.2
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.21.5...v0.27.2)
Updates `@vitest/coverage-v8` from 2.1.9 to 4.0.16
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.16/packages/coverage-v8)
Updates `vitest` from 2.1.9 to 4.0.16
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.16/packages/vitest)
---
updated-dependencies:
- dependency-name: esbuild
dependency-version: 0.27.2
dependency-type: indirect
- dependency-name: "@vitest/coverage-v8"
dependency-version: 4.0.16
dependency-type: direct:development
- dependency-name: vitest
dependency-version: 4.0.16
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
* docs: add GitHub issue templates
- Bug report template with deployment type, browser info, logs
- Feature request template with affected area, priority
- Config with link to discussions and README
- Optimize test.yml to skip tests for non-code changes
* Initial plan
* Remove database schema duplication by creating shared schema-sql.ts module
Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>
* Refactor frontend date formatting to eliminate duplication
Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>
* docs: Add branch protection warning and PR workflow to instructions
* ci: remove paths filter from test workflow to fix branch protection
* fix: add .js extension to schema-sql imports for ESM compatibility (#15)
* feat: add setting to skip reminders for taken doses
- Add skipRemindersForTakenDoses setting to database schema
- Extend settings API to save and load new setting
- Update intake reminder scheduler to filter taken doses
- Add frontend toggle in settings with i18n (EN/DE)
- Only check doses from today (timezone-aware)
- Update all test schemas with new field
- All 405 tests passing
* feat: add repeat reminders for missed doses
- Add repeatRemindersEnabled and reminderRepeatIntervalMinutes settings
- Refactor intake reminder state from array to object with sendCount tracking
- Update scheduler to send repeated reminders at configurable intervals
- Only remind for today's doses (timezone-aware filtering)
- Add frontend toggle and interval input (5-480 minutes) in settings
- Maintain backward compatibility for old state file format
- Update all test schemas and assertions
- All 406 tests passing
* feat: add nagging reminders with max limit and ENV defaults
- Add maxNaggingReminders setting to limit repeat reminders (1-20)
- Add ENV defaults for all user settings (DEFAULT_*)
- Add ALTER TABLE migrations for backward compatibility
- Add smtpConfigured/shoutrrrConfigured to health endpoint
- Fix Push toggle to allow enabling without existing URL
- Disable skip/repeat toggles when no notifications enabled
- Add Pocket ID button to registration page
- Add getTodaysIntakes() for repeat reminder logic
- Update translations (en/de) for new settings
- Add comprehensive tests for new features
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>
Daniel Volz
d0a40bde88