Entrypoint runs as root, ensures /data/{db,uploads,logo} and
/webdav-config exist with UID 1000 ownership, then drops privileges
via gosu. Removes the manual sudo chown step from the README and
makes a fresh docker compose up succeed without prep.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Explorer optimistically removes icons on a rejected DELETE, and apps
that LOCK before open get stuck for 30-60s on the WebClient negative
cache when the user only has read access. New disable-webdav-locking.reg
turns SupportLocking off as an opt-in workaround for view-only setups.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- helmet, express-rate-limit (login/setup/customer-auth/me-password)
- Constant-time login (bcrypt always runs against a dummy hash on miss)
- Cookie secure flag follows req.protocol; trust proxy is env-gated to
prevent X-Forwarded-For spoofing on direct exposure
- Drop SVG from accepted logo types (same-origin XSS) and resolve the
served logo path against LOGO_DIR as defense in depth
- Self-service /me/password endpoint plus header button; bumps minimum
password length to 8 across backend, prompts and edit modal
- Multer 1.x → 2.x for current security backports
- Customer edit modal replaces stacked prompts; user role is now an
inline dropdown with a confirm-and-revert flow
- Windows .reg helper plus README section for Basic-Auth-over-HTTP and
the http:// vs \\HOST@PORT\DavWWWRoot\ mapping syntax
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Customer upload via token link (no login), optional password + expiry,
drag & drop for files and folders with preserved structure
- Admin portal with setup wizard, role-based users (admin/staff),
per-customer WebDAV access rules (read/write), session auth
- WebDAV container (Debian apache2) with htpasswd + access.conf
auto-generated from the SQLite DB and reloaded via inotifywait
- Configurable public base URL and janitor cron interval in admin UI;
janitor reconciles the uploads table with the filesystem
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Stefan Hacker