jubnl 358afd2428 fix: require ENCRYPTION_KEY at startup instead of auto-generating ...

Auto-generating and persisting the key to data/.encryption_key co-locates
the key with the database, defeating encryption at rest if an attacker can
read the data directory. It also silently loses all encrypted secrets if the
data volume is recreated.

Replace the auto-generation fallback with a hard startup error that tells
operators exactly what to do:
- Upgraders from the JWT_SECRET-derived encryption era: set ENCRYPTION_KEY
  to their old JWT_SECRET so existing ciphertext remains readable.
- Fresh installs: generate a key with `openssl rand -hex 32`.

2026-04-01 08:43:36 +02:00

..

db

fix: encrypt Immich API key at rest using AES-256-GCM

2026-04-01 07:57:29 +02:00

demo

v2.6.2 — TREK Rebrand, OSM Enrichment, File Management, Hotel Bookings & Bug Fixes

2026-03-28 16:38:08 +01:00

mcp

Merge pull request #179 from shanelord01/audit/remediation-clean

2026-03-31 20:53:48 +02:00

middleware

fix: pin JWT algorithm to HS256 and harden token security

2026-03-31 00:33:53 +00:00

routes

fix: add SSRF protection for link preview and Immich URL

2026-04-01 07:59:03 +02:00

services

fix: add SSRF protection for link preview and Immich URL

2026-04-01 07:59:03 +02:00

utils

fix: add SSRF protection for link preview and Immich URL

2026-04-01 07:59:03 +02:00

config.ts

fix: require ENCRYPTION_KEY at startup instead of auto-generating

2026-04-01 08:43:36 +02:00

index.ts

fix: remove JWT_SECRET env var — server manages it exclusively

2026-04-01 07:58:05 +02:00

scheduler.ts

feat: configurable trip reminders, admin full access, and enhanced audit logging

2026-03-31 22:23:38 +03:00

types.ts

feat: notifications, audit logging, and admin improvements

2026-03-31 22:23:23 +03:00

websocket.ts

fix: replace JWT tokens in URL query params with short-lived ephemeral tokens

2026-04-01 07:57:14 +02:00