adamp
39b2ce73da
- Use timing-safe comparisons for HMAC verification and password checks - Add login rate limiting (5 attempts/minute per IP) - Lock down CORS to Vite dev origin only (not needed in production) - Derive signing key from APP_PASSWORD instead of using it directly - Replace hand-rolled cookie parsing with cookie-parser middleware - Wrap all order mutations in SQLite transactions - Fix TOCTOU race on stock with atomic UPDATE...WHERE quantity >= ? - Fix APP_SECERT typo in .env (gitignored, local fix only) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Girl Scout Cookie Tracker
A self-hosted web app for tracking cookie inventory and customers for a single troop. Works on desktop and mobile.
Features
- Inventory: Add cookie products (name, price, quantity, low-stock threshold). Adjust stock (restock or deduct). Low-stock highlighting.
- Customers: Store name, phone, email, address, notes. Search by name, email, or phone.
- Orders: Create orders with customer (or walk-in), line items (product + quantity), status (pending, paid, delivered). Inventory is deducted automatically. Edit or delete orders (stock is restored on delete).
- Dashboard: Summary counts, low-stock list, recent orders.
Requirements
- Node.js 18+
- npm
Setup
-
Clone or download this repo.
-
Install dependencies:
npm install cd client && npm install && cd .. -
Optional: copy
.env.exampleto.envand set:PORT— API port (default 3002)DATABASE_PATH— path to SQLite file (default./data/cookies.db)- Authentication (optional): Set
APP_PASSWORDto require a password to log in. SetAPP_SECRETto a long random string (used to sign session cookies). IfAPP_PASSWORDis not set, the app runs without login; if set, users must enter the password to access the app. Use "Log out" in the nav to sign out.
Development
Run the API server and the Vite dev server together:
npm run dev
- API: http://localhost:3002
- Frontend: http://localhost:5173 (proxies
/apito the server)
Use the frontend URL in your browser. The database file is created automatically on first request.
Production build and run
-
Build the client:
npm run build -
Run the server in production mode (serves the built client and API):
npm startOr set
NODE_ENV=productionand runnode server/index.js. The app will serve static files fromclient/distand handle the SPA fallback. -
Open http://localhost:3002 (or your
PORT).
Deployment (self-hosted)
- Run the app behind a reverse proxy (e.g. nginx) if you want HTTPS or a different port.
- Set
DATABASE_PATHto a persistent volume path so the SQLite file survives restarts. - Set
APP_PASSWORDandAPP_SECRETin production so only people with the password can access the app. Session cookies are httpOnly and (in production) Secure when served over HTTPS. - Back up the SQLite file regularly (e.g. cron job copying
data/cookies.db).
Project structure
server/— Express API and SQLite (products, customers, orders, dashboard).client/— Vite + React SPA (Dashboard, Inventory, Customers, Orders, New order, Order detail).data/— Created at runtime; containscookies.dbby default.