Add helmet middleware for security headers (CSP, X-Content-Type-Options,
X-Frame-Options, HSTS, Referrer-Policy) and disable X-Powered-By. Add a
global API rate limiter (100 req/min/IP) using express-rate-limit. Replace
the hand-rolled in-memory login rate limiter (~25 lines) with a dedicated
express-rate-limit instance (5 attempts/min/IP) on the login route.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
P0 fixes:
- Fix OrderDetail product change overwriting product_id due to React
state batching (single setItems call now updates both fields)
- Validate all :id route params via parseId helper; return 400 for
invalid IDs instead of passing raw strings to SQLite
- Product/customer delete now checks for references first, returns
409 Conflict instead of letting FK constraint produce 500
P1 fixes:
- Disallow quantity_on_hand in product PUT so all stock changes go
through PATCH /stock (preserves audit trail)
- Add global Express error handler and unhandledRejection listener
P2 fixes:
- Validate report date params (YYYY-MM-DD format) and stock-history
limit (positive integer, capped at 1000)
- Add jsonSafe() helper to api.js for safe 204 handling
- OrderNew setSubmitting now runs in finally block
- Login shows specific message for 429 rate limit, generic message
for other auth failures
P3 fixes:
- Replace brittle try/catch ALTER TABLE with schema_version migration
table and versioned migrations
- Fix OrderDetail useEffect missing dependency (useCallback + [load])
Also: expanded README with full production deployment instructions
(PM2, nginx, backups)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- New stock_adjustments table logs every stock change (restock, order
create/update/delete) with reason and reference
- Orders now track payment_method and amount_paid with validation
- New /api/reports endpoint with 5 aggregation queries and date filtering
- Reports page with date range presets and sales, customer, revenue,
status, and inventory sections
- Payment fields added to OrderNew and OrderDetail pages with balance due
- Girl Scouts trefoil logo added to header
- Vite dev server exposed on network for mobile access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When "Walk-in" is selected on the new order form, an optional name input
now appears. If filled, a new customer is created and linked to the order;
if left blank, the order remains a nameless walk-in as before.
Adds a new Restock page that lists all products with their current stock
and lets the user enter quantities to add in bulk, using the existing
PATCH /products/:id/stock endpoint.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use timing-safe comparisons for HMAC verification and password checks
- Add login rate limiting (5 attempts/minute per IP)
- Lock down CORS to Vite dev origin only (not needed in production)
- Derive signing key from APP_PASSWORD instead of using it directly
- Replace hand-rolled cookie parsing with cookie-parser middleware
- Wrap all order mutations in SQLite transactions
- Fix TOCTOU race on stock with atomic UPDATE...WHERE quantity >= ?
- Fix APP_SECERT typo in .env (gitignored, local fix only)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
