chore: wip.

Author: PttCodingMan

.env.example

@@ -8,6 +8,9 @@ DATA_DIR=./data
 DB_PATH=./data/just-wiki.db
 MEDIA_DIR=./data/media
 
+# ── Security ──
+COOKIE_SECURE=false  # Set to true in production with HTTPS
+
 # ── Frontend ──
 VITE_API_URL=http://localhost:8000
 

backend/app/auth.py

@@ -58,7 +58,8 @@ async def get_current_user(request: Request):
 
     db = await get_db()
     row = await db.execute_fetchall(
-        "SELECT id, username, role FROM users WHERE id = ?", (user_id,)
+        "SELECT id, username, role, display_name, email FROM users WHERE id = ?",
+        (user_id,),
     )
     if not row:
         raise HTTPException(

backend/app/config.py

@@ -12,6 +12,7 @@ class Settings(BaseSettings):
     MEDIA_DIR: str = "./data/media"
 
     VITE_API_URL: str = "http://localhost:8000"
+    COOKIE_SECURE: bool = False  # Set to True in production with HTTPS
 
     AI_ENABLED: bool = False
     GEMINI_API_KEY: str = ""

backend/app/database.py

@@ -9,6 +9,8 @@
     username      TEXT UNIQUE NOT NULL,
     password_hash TEXT NOT NULL,
     role          TEXT NOT NULL DEFAULT 'editor',
+    display_name  TEXT DEFAULT '',
+    email         TEXT DEFAULT '',
     created_at    TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 );
 
@@ -299,6 +301,15 @@ async def init_db():
             await db.execute(statement)
     await db.commit()
 
+    # Migrate: add new user columns if missing
+    cols = await db.execute_fetchall("PRAGMA table_info(users)")
+    col_names = {c["name"] for c in cols}
+    if "display_name" not in col_names:
+        await db.execute("ALTER TABLE users ADD COLUMN display_name TEXT DEFAULT ''")
+    if "email" not in col_names:
+        await db.execute("ALTER TABLE users ADD COLUMN email TEXT DEFAULT ''")
+    await db.commit()
+
     # Rebuild search index for existing pages
     await rebuild_all_search_indexes(db)
 

backend/app/main.py

@@ -1,14 +1,44 @@
+import logging
+import secrets
 from contextlib import asynccontextmanager
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
+from app.config import settings
 from app.database import init_db, close_db
 from app.auth import ensure_admin_exists
-from app.routers import auth_router, pages, media, templates, search, tags, activity, bookmarks, versions, diagrams
+from app.routers import auth_router, pages, media, templates, search, tags, activity, bookmarks, versions, diagrams, users, comments, backup, export
+
+logger = logging.getLogger("justwiki")
+
+_INSECURE_SECRETS = {"change-me-to-random-string", "secret", ""}
+
+
+def _check_security():
+    """Warn loudly about insecure defaults on startup."""
+    if settings.SECRET_KEY in _INSECURE_SECRETS:
+        safe_key = secrets.token_urlsafe(32)
+        logger.critical(
+            "\n"
+            "╔══════════════════════════════════════════════════════╗\n"
+            "║  ⚠  SECRET_KEY is set to an insecure default!      ║\n"
+            "║  Anyone can forge JWT tokens with this key.         ║\n"
+            "║  Set SECRET_KEY in .env to a random value, e.g.:   ║\n"
+            "║  SECRET_KEY=%s  ║\n"
+            "╚══════════════════════════════════════════════════════╝",
+            safe_key[:44],
+        )
+    if settings.ADMIN_PASS in {"admin", "password", "123456", ""}:
+        logger.warning(
+            "ADMIN_PASS is set to a weak default ('%s'). "
+            "Change it in .env before deploying to production.",
+            settings.ADMIN_PASS,
+        )
 
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):
+    _check_security()
     await init_db()
     await ensure_admin_exists()
     yield
@@ -35,6 +65,10 @@ async def lifespan(app: FastAPI):
 app.include_router(bookmarks.router)
 app.include_router(versions.router)
 app.include_router(diagrams.router)
+app.include_router(users.router)
+app.include_router(comments.router)
+app.include_router(backup.router)
+app.include_router(export.router)
 
 
 @app.get("/api/health")

backend/app/routers/activity.py

@@ -30,7 +30,7 @@ async def list_activity(
 
     rows = await db.execute_fetchall(
         """SELECT a.id, a.user_id, a.action, a.target_type, a.target_id, a.metadata, a.created_at,
-                  u.username
+                  u.username, u.display_name
            FROM activity_log a
            LEFT JOIN users u ON u.id = a.user_id
            ORDER BY a.created_at DESC, a.id DESC

backend/app/routers/auth_router.py

@@ -1,16 +1,42 @@
-from fastapi import APIRouter, HTTPException, Response, Depends
+import time
+from collections import defaultdict
+from fastapi import APIRouter, HTTPException, Response, Depends, Request
 from app.schemas import LoginRequest, UserResponse
-from app.auth import verify_password, create_token, get_current_user
+from typing import Optional
+from pydantic import BaseModel
+from app.auth import verify_password, create_token, get_current_user, hash_password
+from app.config import settings
 from app.database import get_db
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
+# Simple in-memory rate limiter for login: max 5 attempts per IP per 60 seconds
+_login_attempts: dict[str, list[float]] = defaultdict(list)
+_RATE_LIMIT_MAX = 5
+_RATE_LIMIT_WINDOW = 60  # seconds
+
+
+def _check_rate_limit(ip: str):
+    now = time.monotonic()
+    attempts = _login_attempts[ip]
+    # Prune old entries
+    _login_attempts[ip] = [t for t in attempts if now - t < _RATE_LIMIT_WINDOW]
+    if len(_login_attempts[ip]) >= _RATE_LIMIT_MAX:
+        raise HTTPException(
+            status_code=429,
+            detail="Too many login attempts. Please wait before trying again.",
+        )
+    _login_attempts[ip].append(now)
+
 
 @router.post("/login")
-async def login(body: LoginRequest, response: Response):
+async def login(body: LoginRequest, request: Request, response: Response):
+    client_ip = request.client.host if request.client else "unknown"
+    _check_rate_limit(client_ip)
+
     db = await get_db()
     rows = await db.execute_fetchall(
-        "SELECT id, username, password_hash, role FROM users WHERE username = ?",
+        "SELECT id, username, password_hash, role, display_name, email FROM users WHERE username = ?",
         (body.username,),
     )
     if not rows or not verify_password(body.password, rows[0]["password_hash"]):
@@ -22,12 +48,18 @@ async def login(body: LoginRequest, response: Response):
         key="token",
         value=token,
         httponly=True,
+        secure=settings.COOKIE_SECURE,
         samesite="lax",
         max_age=86400,
     )
     return {
-        "token": token,
-        "user": {"id": user["id"], "username": user["username"], "role": user["role"]},
+        "user": {
+            "id": user["id"],
+            "username": user["username"],
+            "role": user["role"],
+            "display_name": user["display_name"] or "",
+            "email": user["email"] or "",
+        },
     }
 
 
@@ -40,3 +72,71 @@ async def logout(response: Response):
 @router.get("/me", response_model=UserResponse)
 async def me(user=Depends(get_current_user)):
     return user
+
+
+class ProfileUpdateRequest(BaseModel):
+    display_name: Optional[str] = None
+    email: Optional[str] = None
+
+
+@router.get("/profile")
+async def get_profile(user=Depends(get_current_user)):
+    db = await get_db()
+    rows = await db.execute_fetchall(
+        "SELECT id, username, role, display_name, email, created_at FROM users WHERE id = ?",
+        (user["id"],),
+    )
+    return dict(rows[0])
+
+
+@router.put("/profile")
+async def update_profile(body: ProfileUpdateRequest, user=Depends(get_current_user)):
+    db = await get_db()
+    updates = []
+    values = []
+    if body.display_name is not None:
+        updates.append("display_name = ?")
+        values.append(body.display_name)
+    if body.email is not None:
+        updates.append("email = ?")
+        values.append(body.email)
+
+    if not updates:
+        raise HTTPException(status_code=400, detail="No fields to update")
+
+    values.append(user["id"])
+    await db.execute(
+        f"UPDATE users SET {', '.join(updates)} WHERE id = ?", values
+    )
+    await db.commit()
+
+    rows = await db.execute_fetchall(
+        "SELECT id, username, role, display_name, email, created_at FROM users WHERE id = ?",
+        (user["id"],),
+    )
+    return dict(rows[0])
+
+
+class ChangePasswordRequest(BaseModel):
+    old_password: str
+    new_password: str
+
+
+@router.put("/password")
+async def change_password(body: ChangePasswordRequest, user=Depends(get_current_user)):
+    if len(body.new_password) < 4:
+        raise HTTPException(status_code=400, detail="New password must be at least 4 characters")
+
+    db = await get_db()
+    rows = await db.execute_fetchall(
+        "SELECT password_hash FROM users WHERE id = ?", (user["id"],)
+    )
+    if not rows or not verify_password(body.old_password, rows[0]["password_hash"]):
+        raise HTTPException(status_code=400, detail="Current password is incorrect")
+
+    await db.execute(
+        "UPDATE users SET password_hash = ? WHERE id = ?",
+        (hash_password(body.new_password), user["id"]),
+    )
+    await db.commit()
+    return {"ok": True}

backend/app/routers/backup.py

@@ -0,0 +1,102 @@
+import io
+import os
+import shutil
+import zipfile
+from pathlib import Path
+
+from fastapi import APIRouter, Depends, HTTPException, UploadFile, File
+from fastapi.responses import StreamingResponse
+
+from app.auth import require_admin
+from app.config import settings
+from app.database import get_db, close_db, init_db
+
+router = APIRouter(prefix="/api/backup", tags=["backup"])
+
+
+@router.get("")
+async def create_backup(user=Depends(require_admin)):
+    """Create a .zip backup containing the DB and media files."""
+    db_path = Path(settings.DB_PATH)
+    media_dir = Path(settings.MEDIA_DIR)
+
+    if not db_path.exists():
+        raise HTTPException(status_code=500, detail="Database file not found")
+
+    # Flush WAL to main db before backup
+    db = await get_db()
+    await db.execute("PRAGMA wal_checkpoint(TRUNCATE)")
+
+    buf = io.BytesIO()
+    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
+        # Add database
+        zf.write(db_path, "just-wiki.db")
+
+        # Add media files
+        if media_dir.exists():
+            for fpath in media_dir.iterdir():
+                if fpath.is_file():
+                    zf.write(fpath, f"media/{fpath.name}")
+
+    buf.seek(0)
+    return StreamingResponse(
+        buf,
+        media_type="application/zip",
+        headers={"Content-Disposition": "attachment; filename=just-wiki-backup.zip"},
+    )
+
+
+@router.post("/restore")
+async def restore_backup(
+    file: UploadFile = File(...),
+    user=Depends(require_admin),
+):
+    """Restore from a .zip backup. Replaces DB and media."""
+    if not file.filename.endswith(".zip"):
+        raise HTTPException(status_code=400, detail="File must be a .zip")
+
+    content = await file.read()
+    max_restore_size = 500 * 1024 * 1024  # 500 MB
+    if len(content) > max_restore_size:
+        raise HTTPException(status_code=413, detail="Backup file too large (max 500 MB)")
+    try:
+        zf = zipfile.ZipFile(io.BytesIO(content))
+    except zipfile.BadZipFile:
+        raise HTTPException(status_code=400, detail="Invalid zip file")
+
+    names = zf.namelist()
+    if "just-wiki.db" not in names:
+        raise HTTPException(status_code=400, detail="Zip must contain just-wiki.db")
+
+    # Close current DB connection
+    await close_db()
+
+    db_path = Path(settings.DB_PATH)
+    media_dir = Path(settings.MEDIA_DIR)
+
+    # Write DB file atomically: write to temp first, then rename
+    tmp_db = db_path.with_suffix(".db.tmp")
+    with zf.open("just-wiki.db") as src, open(tmp_db, "wb") as dst:
+        shutil.copyfileobj(src, dst)
+    tmp_db.replace(db_path)
+
+    # Restore media files (with Zip Slip protection)
+    media_dir.mkdir(parents=True, exist_ok=True)
+    resolved_media = media_dir.resolve()
+    for name in names:
+        if name.startswith("media/") and not name.endswith("/"):
+            fname = name.split("/", 1)[1]
+            target = (media_dir / fname).resolve()
+            # Prevent path traversal: target must stay within media_dir
+            if not str(target).startswith(str(resolved_media) + "/"):
+                continue  # skip malicious entries silently
+            target.parent.mkdir(parents=True, exist_ok=True)
+            with zf.open(name) as src, open(target, "wb") as dst:
+                shutil.copyfileobj(src, dst)
+
+    zf.close()
+
+    # Re-initialize DB connection
+    await init_db()
+
+    return {"status": "ok", "message": "Backup restored successfully"}