greend-server 1.0.3 → 1.0.5

package/.env.example

@@ -5,20 +5,40 @@
 PORT=3001
 HOST=0.0.0.0
 
-# Directory where all ESG data, user accounts, and audit logs are stored.
-# Use an absolute path outside the npm package so data survives upgrades.
-# Example: DATA_DIR=/opt/greend/data
-DATA_DIR=./data
+# Directory where all ESG data, user accounts, audit logs, and sessions are stored.
+# Use an absolute path outside the app/package directory so data survives upgrades.
+# If omitted, GreenD defaults to an OS-managed shared data location:
+#   Windows: %PROGRAMDATA%\GreenD\data
+#   macOS:   ~/Library/Application Support/GreenD/data
+#   Linux:   ~/.local/share/GreenD/data
+# Example:
+# DATA_DIR=C:\ProgramData\GreenD\data
+# DATA_DIR=/opt/greend/data
+# DATA_DIR=
 
 # REQUIRED in production: set this to a long random string (32+ chars).
 # Never use the default in production.
 SESSION_SECRET=change-this-to-a-long-random-string
 
+# ──────────────────────────────────────────────────────────────────────────────
+# Session cookie security
+# ──────────────────────────────────────────────────────────────────────────────
+# Controls whether session cookies require a secure (HTTPS) transport.
+#   false — required for local HTTP setups (Electron desktop, dev, LAN installs)
+#   true  — required when greend-server is behind HTTPS
+#   auto  — derives from NODE_ENV (production → true, anything else → false)
+#
+# Common mistake: leaving this unset while NODE_ENV=production on a plain HTTP
+# server causes a login loop — login succeeds server-side but the Secure cookie
+# is never accepted by the client.
+SESSION_COOKIE_SECURE=false
+
 # Origins allowed to make cross-origin requests (comma-separated).
 # The GreenD desktop app connects from app://localhost.
 # If you also access GreenD from a browser, add that origin too.
 # Example: CORS_ORIGIN=app://localhost,https://greend.yourcompany.com
 CORS_ORIGIN=app://localhost
 
-# Set to 'production' to enable secure cookie flags.
+# Node environment. Does NOT control cookie security when SESSION_COOKIE_SECURE
+# is set explicitly. Still affects other Express/library defaults.
 NODE_ENV=production

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "greend-server",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "GreenD ESG backend — self-hosted Express.js API server",
   "type": "module",
   "main": "server.js",
@@ -33,7 +33,6 @@
   "files": [
     "server.js",
     "bin/",
-    "data/.gitkeep",
     ".env.example"
   ],
   "publishConfig": { "access": "public" }

package/server.js

@@ -7,6 +7,7 @@ import { readFile, writeFile, mkdir, readdir } from 'fs/promises';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 import path from 'path';
+import os from 'os';
 import { createRequire } from 'module';
 
 const require = createRequire(import.meta.url);
@@ -29,9 +30,50 @@ if (
   process.exit(1);
 }
 
+function getDefaultDataDir() {
+  if (process.platform === 'win32') {
+    const programData = process.env.PROGRAMDATA || path.join(process.env.SystemDrive || 'C:', 'ProgramData');
+    return path.join(programData, 'GreenD', 'data');
+  }
+  if (process.platform === 'darwin') {
+    return path.join(os.homedir(), 'Library', 'Application Support', 'GreenD', 'data');
+  }
+  const xdgDataHome = process.env.XDG_DATA_HOME || path.join(os.homedir(), '.local', 'share');
+  return path.join(xdgDataHome, 'GreenD', 'data');
+}
+
 const DATA_DIR = process.env.DATA_DIR
   ? path.resolve(process.env.DATA_DIR)
-  : join(__dirname, 'data');
+  : getDefaultDataDir();
+
+const SESSION_COOKIE_NAME = 'connect.sid';
+
+function resolveCookieSecure() {
+  const raw = (process.env.SESSION_COOKIE_SECURE ?? 'auto').toLowerCase().trim();
+  if (raw === 'true')  return true;
+  if (raw === 'false') return false;
+  // 'auto' or unrecognised: derive from NODE_ENV for backward compatibility
+  return process.env.NODE_ENV === 'production';
+}
+
+const SESSION_COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: resolveCookieSecure(),
+  sameSite: 'lax',
+  path: '/',
+  maxAge: 8 * 60 * 60 * 1000,
+};
+
+const CLEAR_SESSION_COOKIE_OPTIONS = {
+  httpOnly: SESSION_COOKIE_OPTIONS.httpOnly,
+  secure: SESSION_COOKIE_OPTIONS.secure,
+  sameSite: SESSION_COOKIE_OPTIONS.sameSite,
+  path: SESSION_COOKIE_OPTIONS.path,
+};
+
+if (!SESSION_COOKIE_OPTIONS.secure && process.env.NODE_ENV === 'production') {
+  console.warn('[greend-server] WARNING: Session cookies are insecure (SESSION_COOKIE_SECURE=false) while NODE_ENV=production. Acceptable only for local HTTP deployments.');
+}
 
 // ---------------------------------------------------------------------------
 // File-backed session store — persists sessions to DATA_DIR/sessions.json so
@@ -110,12 +152,7 @@ app.use(session({
   secret: process.env.SESSION_SECRET || 'greend-dev-secret-change-in-production',
   resave: false,
   saveUninitialized: false,
-  cookie: {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    maxAge: 8 * 60 * 60 * 1000, // 8 hours
-  },
+  cookie: SESSION_COOKIE_OPTIONS,
 }));
 
 // Generic helpers for simple single-file read/write
@@ -260,13 +297,35 @@ app.post('/api/auth/login', async (req, res) => {
   const valid = await bcrypt.compare(password, user.passwordHash);
   if (!valid) return res.status(401).json({ error: 'Invalid username or password' });
 
-  req.session.userId = user.id;
   const { passwordHash, ...safeUser } = user;
-  res.json(safeUser);
+  req.session.regenerate((err) => {
+    if (err) {
+      console.error('[auth] failed to regenerate session:', err.message);
+      return res.status(500).json({ error: 'Failed to start a new session' });
+    }
+    req.session.userId = user.id;
+    res.json(safeUser);
+  });
 });
 
 app.post('/api/auth/logout', (req, res) => {
-  req.session.destroy(() => res.sendStatus(204));
+  const finalize = () => {
+    res.clearCookie(SESSION_COOKIE_NAME, CLEAR_SESSION_COOKIE_OPTIONS);
+    res.sendStatus(204);
+  };
+
+  if (!req.session) {
+    finalize();
+    return;
+  }
+
+  req.session.destroy((err) => {
+    if (err) {
+      console.error('[auth] failed to destroy session:', err.message);
+      return res.status(500).json({ error: 'Failed to close the session' });
+    }
+    finalize();
+  });
 });
 
 app.put('/api/auth/password', requireAuth, async (req, res) => {
@@ -289,7 +348,11 @@ app.put('/api/auth/password', requireAuth, async (req, res) => {
 app.get('/api/auth/me', requireAuth, async (req, res) => {
   const users = await readUsers();
   const user = users.find(u => u.id === req.session.userId);
-  if (!user) return res.status(401).json({ error: 'Session invalid' });
+  if (!user) {
+    req.session.destroy(() => {});
+    res.clearCookie(SESSION_COOKIE_NAME, CLEAR_SESSION_COOKIE_OPTIONS);
+    return res.status(401).json({ error: 'Session invalid' });
+  }
   const { passwordHash, ...safeUser } = user;
   res.json(safeUser);
 });
@@ -419,8 +482,15 @@ async function seedDefaultAdmin() {
 const PORT = Number(process.env.PORT) || 3001;
 const HOST = process.env.HOST || '0.0.0.0';
 
-seedDefaultAdmin().then(() => {
-  app.listen(PORT, HOST, () =>
-    console.log(`GreenD server running on http://${HOST}:${PORT}`)
-  );
-});
+mkdir(DATA_DIR, { recursive: true })
+  .then(() => seedDefaultAdmin())
+  .then(() => {
+    console.log(`GreenD data directory: ${DATA_DIR}`);
+    app.listen(PORT, HOST, () =>
+      console.log(`GreenD server running on http://${HOST}:${PORT}`)
+    );
+  })
+  .catch((err) => {
+    console.error('Failed to initialize GreenD server:', err.message);
+    process.exit(1);
+  });