Commit Graph

38 Commits

Author SHA1 Message Date
a5eb101d98 security: fix auth bypass, XSS, IDOR, command injection, session hardening, rate limiting
- Phase 1: Require authentication for API register endpoint; restrict role creation
- Phase 2: Add $fillable whitelist to Server model to prevent mass assignment
- Phase 3: Fix XSS via escapeHtml in sidebar, JSON_HEX_TAG in script embeds
- Phase 4: Add canView() checks to TerminalController history/clearHistory
- Phase 5: escapeshellarg() on certbot params, sanitize service names, regex-based command blocklist, suppress exception messages
- Phase 6: SESSION_SECURE=true, SameSite=Strict, logout via POST+CSRF, chmod 640 .env
- Phase 7: DB-based rate limiting replacing session-based, applied to API login/register
2026-06-14 07:32:18 -04:00
c16236314e fix: hide scroll-indicator on mobile to prevent overlap with hero terminal 2026-06-14 07:16:04 -04:00
fee7f3b24a fix: widen policy page containers to 85% width 2026-06-13 21:42:16 -04:00
9ef4eb2856 Merge pull request 'Privacy Policy, Terms & animated landing page' (#83) from feat/privacy-terms-landing into master
Reviewed-on: #83
Reviewed-by: rafaga21 <rafaelminaya20@hotmail.com>
2026-06-13 21:34:46 -04:00
b05c1120f0 feat: add privacy policy, terms, and animated landing page 2026-06-13 21:33:42 -04:00
60e0719eda fix: allow toggling notifications without password 2026-06-13 17:37:27 -04:00
ec38afe3e9 feat: add notifications_enabled toggle for users (web + Android) 2026-06-13 17:31:07 -04:00
045f33bbc1 fix: use server-side time_ago for notification timestamps 2026-06-13 16:56:43 -04:00
edd9933430 fix: move script block outside foreach to prevent const redeclaration error 2026-06-13 16:51:44 -04:00
e1b6650454 feat: notification dropdown panel and /notifications page 2026-06-13 16:48:05 -04:00
25dfb517ee feat: notification bell with modal showing 10 latest notifications 2026-06-13 16:41:56 -04:00
e92f51e36b replace number inputs with range sliders in threshold modal 2026-06-13 16:32:53 -04:00
dc34f29169 improve threshold modal design with card-based layout and color-coded inputs 2026-06-13 16:32:53 -04:00
c63c5ffcfd feat: per-server notification thresholds with alert on agent metrics push 2026-06-13 16:12:36 -04:00
12c3e23d9c feat: track notification read receipts per user
- New notification_reads table (migration 008) with unique (notification_id, user_id)
- Notification model: markAsRead inserts into notification_reads; getForUser JOINs
  to show per-user read status; getUnreadCount checks NOT EXISTS in reads table
- getAll() includes read_count subquery for admin view
- Admin view shows 'X / Y' read count for broadcast notifications,
  'Read'/'Unread' badge for user-targeted ones
- Migrates existing read notifications into notification_reads
- AGENTS.md updated with new conventions
2026-06-13 11:48:05 -04:00
b94ae16f69 fix: remove duplicate old() function causing 500 on create page
- Removed the local old() function definition from views/servers/create.php
  which conflicted with the global old() in src/Helpers/functions.php:37
- Replaced all old() calls with direct htmlspecialchars([...]) lookups
2026-06-13 11:31:52 -04:00
0cfed5bf27 feat: validate required SSH permissions before creating server
- New server_permissions table (migration 007) stores required SSH permissions per server
- PermissionValidator service connects via SSH and validates each permission before save
- ServerPermission model for CRUD on server_permissions table
- Web flow: create/edit forms include dynamic permission rows with quick-add presets
- API flow: serverAdd/serverUpdate accept permissions array, return 400 on failure
- Show view displays required permissions on server detail page
- Form input preserved on validation failure (credentials excluded)
- AGENTS.md updated with new conventions
2026-06-13 10:41:18 -04:00
8f3b5bd7ce feat: add aggregated resource usage chart to dashboard 2026-06-11 21:46:33 -04:00
85bb70fe0f fix: add sudo fallback to agent installer + improve error output
- AgentService: try sudo -n first, fall back to bash without sudo
- AgentService: add sudo to uninstall command
- AgentService: trim error output to last 20 lines for readability
- View: show SSH output inline in error toast
- Fix undefined $path variable in success path
2026-06-11 18:45:14 -04:00
bfa102cf97 feat: push-based monitoring with remote agent
- Add database migration 006 for agent_key, agent_installed, agent_install_path, agent_last_seen_at columns
- Add Server model methods: findByAgentKey, generateAgentKey, regenerateAgentKey, updateAgentLastSeen, setAgentInstalled
- Auto-generate agent_key on server creation
- Create AgentService for SSH-based install/uninstall of remote agent
- Create bin/agent.sh - bash agent script for remote servers
- Create install/agent-install.sh and install/agent-uninstall.sh
- Create install/servermanager-agent.service systemd unit
- Add POST /api/metrics/push endpoint (auth via agent_key)
- Add web routes for agent install/uninstall/regenerate-key
- Add agent status section to server detail view with install/uninstall modals
- Make MonitoringService::saveMetrics() public for reuse
2026-06-11 18:28:22 -04:00
c4277c937f feat: v1.5.0 + service actions + remove duplicate apk
- Services tab: start/stop/restart/reload via dialog
- Backend: POST /api/servers/:id/service-action
- Removed duplicate APK download from dashboard view
- Version bump to 1.5.0
2026-06-09 19:02:41 -04:00
e6717d0578 bump to 1.3.0 + teams filter client-side sin recarga 2026-06-09 18:19:27 -04:00
13f14416a4 feat: teams redesign — cards, filter, user autocomplete
- Teams index: cards with animation, search filter
- Team detail: user autocomplete via AJAX (search on type)
- CSS: card grid styles, autocomplete dropdown
- Backend: searchUsers endpoint, filter support
2026-06-09 18:11:20 -04:00
086bbda6e8 fix: app version form now uses POST redirect with flash message instead of AJAX 2026-06-09 17:15:47 -04:00
53e9b92a8d feat: admin app version mgmt + notification system
- New tables: app_config, notifications
- Admin views: App Version editor, Notification sender
- API: GET /api/notifications, POST /api/notifications/:id/read, POST /api/notifications/read-all
- App version now stored in DB, editable by super admin
- Notifications: send to all users or specific user
- Android notification models + API client
- Sidebar: App Version + Notifications links for super_admin
2026-06-09 17:06:22 -04:00
b613e43ab3 feat: redesign Android app with animations, charts, profile, and registration
- Register screen with validation (username, email, password, confirm)
- Profile screen with email editing and password change
- User greeting on dashboard showing logged-in username
- 401 auto-logout via SessionManager + AuthInterceptor
- MetricsChart with Canvas line graphs (CPU, RAM, Disk)
- Animated StatCard with counters and icons
- ServerCard with progress bars, pulsating status dot, dynamic elevation
- Shimmer loading placeholders
- Dark mode support with Material3
- Navigation transitions (slide + fade)
- New server rack launcher icon
- Splash screen
- Backend API: register, profile (GET/PUT) endpoints
2026-06-09 16:38:04 -04:00
c45354db11 Fix theme toggle (add light theme CSS) and improve mobile sidebar usability 2026-06-07 13:02:31 -04:00
cd24cc53a0 Add per-column filters, smart pagination (25/page), and date range filter to audit logs 2026-06-07 12:43:50 -04:00
e207ece614 Remove stale Team button from server detail page 2026-06-07 08:00:11 -04:00
5b13518672 Refactor sidebar: use is_super_admin/is_admin helpers, restrict Users/Audit/Security to super_admin only 2026-06-07 07:36:34 -04:00
016584e907 Restrict Users, Audit Logs, Security routes to super_admin only
- Sidebar: Users, Audit Logs and Security now only visible to super_admin
- AdminController: requireSuperAdmin() check on users() and auditLogs()
- AdminController: super_admin check on createUser, updateUser, deleteUser JSON endpoints
- securitySettings() already had the check in place
2026-06-07 07:34:16 -04:00
58be111745 Fix: wrap entire Administration section in admin+ check to prevent Security leak for operators 2026-06-07 07:31:34 -04:00
5607a3e507 Replace old team system with work teams (equipos de trabajo)
- New migration 003_teams.sql: teams, team_user, team_server tables
- New Team model with CRUD, members, and server assignment
- New TeamController with full team management
- New views: teams/index, teams/create, teams/show
- Server model: getUserRole and getAccessibleServerIds now include team-based access
- Sidebar: Teams link under Administration (admin+ only)
- Routes: old /team routes removed, new /teams routes added
- Removed old ServerController team methods and views
- Fixed sidebar empty accessible IDs returning all servers
- Fixed dashboard and API to show empty when no accessible servers
2026-06-07 07:08:26 -04:00
5f5de248c6 Add server ownership, team access, role-based UI, and default admin role
- New migration 002_server_access.sql: created_by column + server_user table
- Server model: ownership, permission checks, team management methods
- Routes: /team routes, RoleMiddleware on /servers/create and /admin
- ServerController: permission checks via server_user, team CRUD methods
- TerminalController: server access checks
- DashboardController: filter servers by accessible ones
- ApiController: server access checks
- Views: team.php, team_server.php, sidebar Team link, hide actions by role
- Default user role changed from operator to admin on registration
- Admin user form defaults to admin role
2026-06-07 06:49:12 -04:00
516ffbb579 Add user registration page with default operator role 2026-06-06 19:41:03 -04:00
7a8792a1e9 Add services management with pagination and conditional buttons 2026-06-06 18:56:42 -04:00
a55542564e Add system users management 2026-06-06 18:08:47 -04:00
c3009fbbf7 Add views directory and UI improvements
- Add all view templates (servers, auth, dashboard, admin, layouts, errors, terminal)
- Fix SSH double decryption bug in SSHService
- Fix router parameter type casting for strict_types
- Add missing error views (401, 403, 404)
- Add nginx manager with file editing
- Add SSL certificates management
- Add database manager with phpMyAdmin-like interface
- Add sidebar server accordion
2026-06-06 17:59:13 -04:00