Add user invitation system, public pages, and reverse proxy documentation #11

Merged
Copilot merged 6 commits from copilot/add-user-management-and-ui-improvements into main 2025-11-04 16:03:39 -06:00
Copilot commented 2025-11-04 15:26:33 -06:00 (Migrated from github.com)

Implements admin-controlled user invitations, public page visibility controls, uniform button styling, and comprehensive reverse proxy deployment guides.

User Invitation System

  • Backend: New /api/invitations endpoints for CRUD operations with secure token generation (crypto.randomBytes(32)) and 7-day expiration
  • Database: invitations table tracking email, token, role, invited_by, expiration, and usage status
  • Admin UI: Full invitation management in Admin Dashboard with role selection and link copying
  • Registration flow: Token validation pre-fills email and assigns role automatically
  • Delivery methods: Link copy (active), SMTP/webhook (placeholders for future config)
```javascript
// Invitation token in registration URL
/register?token=a3f8b2c1d4e5...
// Pre-fills email, disables field, auto-assigns role on completion
```

Public Pages

  • Access control: Pages default to private (authenticated users only), optional is_public flag for unauthenticated access
  • Backend: Helper function isAuthenticated() checks JWT, filters queries accordingly
  • UI: Checkbox in PageEditor with clear helper text
  • Migration: Added is_public BOOLEAN DEFAULT false column with backward-compatible migration

Button Styling

Unified all buttons to border-radius: 0.75rem with consistent hover states (transform + shadow). Updated .btn-primary, .btn-secondary, .btn-danger classes to eliminate inline style overrides.

Reverse Proxy Documentation

Created REVERSE_PROXY.md (16KB) with production-ready configurations for:

  • Nginx Proxy Manager (web UI + Let's Encrypt)
  • Nginx (SSL, security headers, Certbot)
  • Traefik (Docker labels, automatic SSL)
  • Caddy (Caddyfile + automatic HTTPS)

Each section includes Docker Compose examples, security hardening, and troubleshooting.

Security

  • Invitation tokens: 256-bit entropy via crypto.randomBytes
  • Host header injection protection: BASE_URL env variable fallback
  • Refactored duplicate JWT verification into reusable helper
  • Public page queries use parameterized SQL with authentication gates

Database Schema

```sql
CREATE TABLE invitations (
  id SERIAL PRIMARY KEY,
  email VARCHAR(255) UNIQUE NOT NULL,
  token VARCHAR(255) UNIQUE NOT NULL,
  role VARCHAR(20) DEFAULT 'viewer',
  invited_by INTEGER REFERENCES users(id),
  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  expires_at TIMESTAMP NOT NULL,
  used BOOLEAN DEFAULT false
);

ALTER TABLE pages ADD COLUMN is_public BOOLEAN DEFAULT false;
```

Files Changed

  • Backend: 6 files (new routes/invitations.js, updated auth/pages routes, db schema)
  • Frontend: 5 files (AdminDashboard invitation UI, Register token handling, PageEditor public toggle, API methods)
  • Docs: 4 new files (REVERSE_PROXY.md, IMPLEMENTATION_SUMMARY.md, TESTING_CHECKLIST.md)
Original prompt

I want to add the below features and improvements

Allow User management through the UI, invite users via SMTP or a Webhook, Change Roles, Etc.

Allow to set Pages to be Public (Should be only viewed by Logged in Users by default)

Add Documentation for running behind Nginx Reverse Proxy Manager, Nginx Reverse Proxy, Traefik, and Caddy.

Make all the buttons uniformly rounded and pretty. The specific ones that I noticed were the Dashboard, and New Page buttons on the sidebar, the Markdown, Rich Text, Create Page, and Cancel buttons on the editor, and the Edit and Delete buttons on the wiki pages.



SluberskiHomeLab (Migrated from github.com) reviewed 2025-11-04 15:26:33 -06:00