Commit Graph

15 Commits

Author SHA1 Message Date
88f3c1f964 refactor: extract inline CSS/JS from views into separate asset files (20+ files)
Phase A — HTML removed from PHP files:
- RateLimitMiddleware.php: heredoc moved to views/errors/429.php
- public/index.php: inline HTML replaced with View::error()
- AuthMiddleware.php: <script> redirect replaced with <meta refresh>

Phase B — Inline CSS/JS extracted from views:
- CSS: landing.css (459 lines), legal.css (shared by terms+privacy)
- JS: 17 new files extracted from ~20 view files
  - main.js (layout sidebar + notifications)
  - dashboard-chart.js, server-show.js, server-services.js
  - nginx-manager.js, database-manager.js
  - terminal.js, team-show.js, team-index.js
  - server-list.js, server-permissions.js (shared by edit+create)
  - server-ssl.js, server-processes.js, system-users.js
  - admin-users.js, audit-log.js, admin-notifications.js, admin-security.js
  - notifications.js

Total: -3264 lines from views, +288 lines in new assets
2026-06-14 08:04:01 -04:00
a5eb101d98 security: fix auth bypass, XSS, IDOR, command injection, session hardening, rate limiting
- Phase 1: Require authentication for API register endpoint; restrict role creation
- Phase 2: Add $fillable whitelist to Server model to prevent mass assignment
- Phase 3: Fix XSS via escapeHtml in sidebar, JSON_HEX_TAG in script embeds
- Phase 4: Add canView() checks to TerminalController history/clearHistory
- Phase 5: escapeshellarg() on certbot params, sanitize service names, regex-based command blocklist, suppress exception messages
- Phase 6: SESSION_SECURE=true, SameSite=Strict, logout via POST+CSRF, chmod 640 .env
- Phase 7: DB-based rate limiting replacing session-based, applied to API login/register
2026-06-14 07:32:18 -04:00
e92f51e36b replace number inputs with range sliders in threshold modal 2026-06-13 16:32:53 -04:00
dc34f29169 improve threshold modal design with card-based layout and color-coded inputs 2026-06-13 16:32:53 -04:00
c63c5ffcfd feat: per-server notification thresholds with alert on agent metrics push 2026-06-13 16:12:36 -04:00
b94ae16f69 fix: remove duplicate old() function causing 500 on create page
- Removed the local old() function definition from views/servers/create.php
  which conflicted with the global old() in src/Helpers/functions.php:37
- Replaced all old() calls with direct htmlspecialchars([...]) lookups
2026-06-13 11:31:52 -04:00
0cfed5bf27 feat: validate required SSH permissions before creating server
- New server_permissions table (migration 007) stores required SSH permissions per server
- PermissionValidator service connects via SSH and validates each permission before save
- ServerPermission model for CRUD on server_permissions table
- Web flow: create/edit forms include dynamic permission rows with quick-add presets
- API flow: serverAdd/serverUpdate accept permissions array, return 400 on failure
- Show view displays required permissions on server detail page
- Form input preserved on validation failure (credentials excluded)
- AGENTS.md updated with new conventions
2026-06-13 10:41:18 -04:00
85bb70fe0f fix: add sudo fallback to agent installer + improve error output
- AgentService: try sudo -n first, fall back to bash without sudo
- AgentService: add sudo to uninstall command
- AgentService: trim error output to last 20 lines for readability
- View: show SSH output inline in error toast
- Fix undefined $path variable in success path
2026-06-11 18:45:14 -04:00
bfa102cf97 feat: push-based monitoring with remote agent
- Add database migration 006 for agent_key, agent_installed, agent_install_path, agent_last_seen_at columns
- Add Server model methods: findByAgentKey, generateAgentKey, regenerateAgentKey, updateAgentLastSeen, setAgentInstalled
- Auto-generate agent_key on server creation
- Create AgentService for SSH-based install/uninstall of remote agent
- Create bin/agent.sh - bash agent script for remote servers
- Create install/agent-install.sh and install/agent-uninstall.sh
- Create install/servermanager-agent.service systemd unit
- Add POST /api/metrics/push endpoint (auth via agent_key)
- Add web routes for agent install/uninstall/regenerate-key
- Add agent status section to server detail view with install/uninstall modals
- Make MonitoringService::saveMetrics() public for reuse
2026-06-11 18:28:22 -04:00
e207ece614 Remove stale Team button from server detail page 2026-06-07 08:00:11 -04:00
5607a3e507 Replace old team system with work teams (equipos de trabajo)
- New migration 003_teams.sql: teams, team_user, team_server tables
- New Team model with CRUD, members, and server assignment
- New TeamController with full team management
- New views: teams/index, teams/create, teams/show
- Server model: getUserRole and getAccessibleServerIds now include team-based access
- Sidebar: Teams link under Administration (admin+ only)
- Routes: old /team routes removed, new /teams routes added
- Removed old ServerController team methods and views
- Fixed sidebar empty accessible IDs returning all servers
- Fixed dashboard and API to show empty when no accessible servers
2026-06-07 07:08:26 -04:00
5f5de248c6 Add server ownership, team access, role-based UI, and default admin role
- New migration 002_server_access.sql: created_by column + server_user table
- Server model: ownership, permission checks, team management methods
- Routes: /team routes, RoleMiddleware on /servers/create and /admin
- ServerController: permission checks via server_user, team CRUD methods
- TerminalController: server access checks
- DashboardController: filter servers by accessible ones
- ApiController: server access checks
- Views: team.php, team_server.php, sidebar Team link, hide actions by role
- Default user role changed from operator to admin on registration
- Admin user form defaults to admin role
2026-06-07 06:49:12 -04:00
7a8792a1e9 Add services management with pagination and conditional buttons 2026-06-06 18:56:42 -04:00
a55542564e Add system users management 2026-06-06 18:08:47 -04:00
c3009fbbf7 Add views directory and UI improvements
- Add all view templates (servers, auth, dashboard, admin, layouts, errors, terminal)
- Fix SSH double decryption bug in SSHService
- Fix router parameter type casting for strict_types
- Add missing error views (401, 403, 404)
- Add nginx manager with file editing
- Add SSL certificates management
- Add database manager with phpMyAdmin-like interface
- Add sidebar server accordion
2026-06-06 17:59:13 -04:00