Replace the file-extension check with a regex whitelist of known client
routes. Only whitelisted paths serve index.html for React Router — all
other paths return a real 404.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a /api catch-all that returns 404 JSON for unmatched API routes.
In the SPA fallback, only serve index.html for navigation requests
(no file extension) — requests for non-existent static files now
get a real 404 instead of index.html with 200.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add helmet middleware for security headers (CSP, X-Content-Type-Options,
X-Frame-Options, HSTS, Referrer-Policy) and disable X-Powered-By. Add a
global API rate limiter (100 req/min/IP) using express-rate-limit. Replace
the hand-rolled in-memory login rate limiter (~25 lines) with a dedicated
express-rate-limit instance (5 attempts/min/IP) on the login route.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
P0 fixes:
- Fix OrderDetail product change overwriting product_id due to React
state batching (single setItems call now updates both fields)
- Validate all :id route params via parseId helper; return 400 for
invalid IDs instead of passing raw strings to SQLite
- Product/customer delete now checks for references first, returns
409 Conflict instead of letting FK constraint produce 500
P1 fixes:
- Disallow quantity_on_hand in product PUT so all stock changes go
through PATCH /stock (preserves audit trail)
- Add global Express error handler and unhandledRejection listener
P2 fixes:
- Validate report date params (YYYY-MM-DD format) and stock-history
limit (positive integer, capped at 1000)
- Add jsonSafe() helper to api.js for safe 204 handling
- OrderNew setSubmitting now runs in finally block
- Login shows specific message for 429 rate limit, generic message
for other auth failures
P3 fixes:
- Replace brittle try/catch ALTER TABLE with schema_version migration
table and versioned migrations
- Fix OrderDetail useEffect missing dependency (useCallback + [load])
Also: expanded README with full production deployment instructions
(PM2, nginx, backups)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- New stock_adjustments table logs every stock change (restock, order
create/update/delete) with reason and reference
- Orders now track payment_method and amount_paid with validation
- New /api/reports endpoint with 5 aggregation queries and date filtering
- Reports page with date range presets and sales, customer, revenue,
status, and inventory sections
- Payment fields added to OrderNew and OrderDetail pages with balance due
- Girl Scouts trefoil logo added to header
- Vite dev server exposed on network for mobile access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use timing-safe comparisons for HMAC verification and password checks
- Add login rate limiting (5 attempts/minute per IP)
- Lock down CORS to Vite dev origin only (not needed in production)
- Derive signing key from APP_PASSWORD instead of using it directly
- Replace hand-rolled cookie parsing with cookie-parser middleware
- Wrap all order mutations in SQLite transactions
- Fix TOCTOU race on stock with atomic UPDATE...WHERE quantity >= ?
- Fix APP_SECERT typo in .env (gitignored, local fix only)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
