tags 17 | return text 18 | .split('\n') 19 | .map(line => line.trim()) 20 | .filter(line => line.length > 0) 21 | .join('
'); 22 | } 23 | 24 | /** 25 | * Format welcome message for email templates 26 | * @param {string} message - The welcome message 27 | * @returns {string} - Formatted message for HTML emails 28 | */ 29 | function formatWelcomeMessage(message) { 30 | if (!message || message.trim() === '') { 31 | return ''; 32 | } 33 | 34 | return nl2br(message); 35 | } 36 | 37 | module.exports = { 38 | nl2br, 39 | formatWelcomeMessage 40 | }; -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 paul 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 6 | 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 10 | -------------------------------------------------------------------------------- /backend/src/utils/requestIp.js: -------------------------------------------------------------------------------- 1 | /** 2 | * Resolve the originating client IP address, accounting for reverse proxies. 3 | * Returns the first entry from X-Forwarded-For when available, otherwise falls back 4 | * to Express/Node connection properties. 5 | * @param {import('express').Request} req 6 | * @returns {string} 7 | */ 8 | function getClientIp(req) { 9 | if (!req) { 10 | return ''; 11 | } 12 | 13 | const forwardedFor = req.headers['x-forwarded-for']; 14 | 15 | if (typeof forwardedFor === 'string' && forwardedFor.length > 0) { 16 | const [firstIp] = forwardedFor.split(',').map(part => part.trim()).filter(Boolean); 17 | if (firstIp) { 18 | return firstIp; 19 | } 20 | } else if (Array.isArray(forwardedFor) && forwardedFor.length > 0) { 21 | const [firstIp] = forwardedFor; 22 | if (firstIp) { 23 | return firstIp.trim(); 24 | } 25 | } 26 | 27 | return ( 28 | req.ip || 29 | req.connection?.remoteAddress || 30 | req.socket?.remoteAddress || 31 | req.connection?.socket?.remoteAddress || 32 | '' 33 | ); 34 | } 35 | 36 | module.exports = { getClientIp }; 37 | -------------------------------------------------------------------------------- /frontend/vite.config.ts: -------------------------------------------------------------------------------- 1 | ///
33 |
44 | );
45 | };
--------------------------------------------------------------------------------
/frontend/src/services/categories.service.ts:
--------------------------------------------------------------------------------
1 | import { api } from '../config/api';
2 |
3 | export interface PhotoCategory {
4 | id: number;
5 | name: string;
6 | slug: string;
7 | is_global: boolean;
8 | event_id: number | null;
9 | created_at: string;
10 | }
11 |
12 | export interface CreateCategoryData {
13 | name: string;
14 | slug?: string;
15 | is_global?: boolean;
16 | event_id?: number;
17 | }
18 |
19 | export const categoriesService = {
20 | // Get all global categories
21 | async getGlobalCategories(): Promise
34 |
37 |
38 |
43 | Frontend: v{FRONTEND_VERSION}
39 | {versionInfo && (
40 | Backend: v{versionInfo.backend}
41 | )}
42 |
24 |
41 | );
42 | };
--------------------------------------------------------------------------------
/frontend/src/components/common/ReCaptcha.tsx:
--------------------------------------------------------------------------------
1 | import React, { useEffect, useState } from 'react';
2 | import ReCAPTCHA from 'react-google-recaptcha';
3 | import { useQuery } from '@tanstack/react-query';
4 | import { getApiBaseUrl } from '../../utils/url';
5 |
6 | interface ReCaptchaProps {
7 | onChange: (token: string | null) => void;
8 | onExpired?: () => void;
9 | size?: 'normal' | 'compact';
10 | }
11 |
12 | export const ReCaptcha: React.FC
25 |
40 |
26 |
39 |
27 |
32 |
38 | 29 | Maintenance mode is currently enabled. Public access to galleries is restricted. 30 |
31 |
43 |
52 | );
53 | };
54 |
55 | export default ReCaptcha;
--------------------------------------------------------------------------------
/frontend/src/utils/cleanupGalleryAuth.ts:
--------------------------------------------------------------------------------
1 | // Cleanup function to remove old gallery authentication data
2 | export const cleanupOldGalleryAuth = () => {
3 | // Remove old global gallery authentication
4 | localStorage.removeItem('gallery_event');
5 | localStorage.removeItem('gallery_token'); // Remove old global token format
6 |
7 | // Remove any corrupted or old gallery tokens from localStorage
8 | const keysToRemove: string[] = [];
9 | for (let i = 0; i < localStorage.length; i++) {
10 | const key = localStorage.key(i);
11 | if (key && (key.startsWith('gallery_token') || key.startsWith('gallery_event'))) {
12 | keysToRemove.push(key);
13 | }
14 | }
15 |
16 | keysToRemove.forEach(key => {
17 | localStorage.removeItem(key);
18 | });
19 |
20 | // Remove old gallery token from cookies if it exists
21 | document.cookie = 'gallery_token=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
22 |
23 | // Also clear session storage
24 | sessionStorage.removeItem('gallery_event');
25 | sessionStorage.removeItem('gallery_token');
26 | sessionStorage.removeItem('gallery_active_slug');
27 |
28 | // Remove slug-specific session storage entries as well
29 | try {
30 | const sessionKeysToRemove: string[] = [];
31 | for (let i = 0; i < sessionStorage.length; i += 1) {
32 | const key = sessionStorage.key(i);
33 | if (key && (key.startsWith('gallery_event_') || key.startsWith('gallery_token_'))) {
34 | sessionKeysToRemove.push(key);
35 | }
36 | }
37 |
38 | sessionKeysToRemove.forEach((key) => sessionStorage.removeItem(key));
39 | } catch {
40 | // Session storage may be unavailable; ignore cleanup failures
41 | }
42 | };
43 |
--------------------------------------------------------------------------------
/backend/init-production.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # init-production.sh - Production initialization script
3 |
4 | set -e
5 |
6 | echo "🚀 Initializing PicPeak Production Environment..."
7 |
8 | # Wait for services to be ready
9 | echo "⏳ Waiting for database to be fully ready..."
10 | sleep 3
11 |
12 | # Fix permissions if running as root (shouldn't happen with proper Dockerfile)
13 | if [ "$(id -u)" = "0" ]; then
14 | echo "🔧 Fixing file permissions..."
15 | chown -R nodejs:nodejs /app/storage /app/data /app/logs 2>/dev/null || true
16 | fi
17 |
18 | # Create required directories
19 | echo "📁 Creating required directories..."
20 | mkdir -p /app/storage/events/active \
21 | /app/storage/events/archived \
22 | /app/storage/thumbnails \
23 | /app/storage/uploads/logos \
24 | /app/storage/uploads/favicons \
25 | /app/data \
26 | /app/logs
27 |
28 | # Run migrations with safe runner
29 | echo "🗄️ Running database migrations (safe mode)..."
30 | NODE_ENV=production npm run migrate:safe
31 |
32 | # Create admin user if environment variables are set
33 | if [ -n "$ADMIN_EMAIL" ] && [ -n "$ADMIN_PASSWORD" ]; then
34 | echo "👤 Creating admin user..."
35 | node scripts/create-admin.js \
36 | --email "$ADMIN_EMAIL" \
37 | --username "${ADMIN_USERNAME:-admin}" \
38 | --password "$ADMIN_PASSWORD" || echo "Admin user might already exist"
39 | fi
40 |
41 | # Initialize email configuration if variables are set
42 | if [ -n "$SMTP_HOST" ]; then
43 | echo "📧 Email configuration detected via environment variables"
44 | fi
45 |
46 | echo "✅ Production initialization complete!"
47 | echo "🌐 Starting application server..."
48 |
49 | # Start the application
50 | exec node server.js
--------------------------------------------------------------------------------
/docs/nginx-fix.md:
--------------------------------------------------------------------------------
1 | # Nginx Configuration Fix for Photo Authentication
2 |
3 | If photos and thumbnails are not loading in gallery view but work in admin, it's likely that the Authorization header is being stripped by nginx or another reverse proxy.
4 |
5 | ## Common Issue
6 |
7 | The `Authorization` header is often not passed through by default in nginx proxy configurations.
8 |
9 | ## Fix
10 |
11 | Add these lines to your nginx configuration for the PicPeak location block:
12 |
13 | ```nginx
14 | location / {
15 | proxy_pass http://localhost:3001;
16 |
17 | # Important: Pass the Authorization header
18 | proxy_pass_header Authorization;
19 | proxy_set_header Authorization $http_authorization;
20 |
21 | # Other standard proxy headers
22 | proxy_set_header Host $host;
23 | proxy_set_header X-Real-IP $remote_addr;
24 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
25 | proxy_set_header X-Forwarded-Proto $scheme;
26 | }
27 | ```
28 |
29 | ## Alternative Fix Using Traefik
30 |
31 | If using Traefik, ensure headers are passed:
32 |
33 | ```yaml
34 | services:
35 | picpeak:
36 | labels:
37 | - "traefik.http.middlewares.picpeak-headers.headers.customrequestheaders.Authorization="
38 | ```
39 |
40 | ## Testing
41 |
42 | 1. Check if Authorization header is reaching the backend:
43 | ```bash
44 | curl -H "Authorization: Bearer YOUR_TOKEN" https://picpeak.yourdomain.com/thumbnails/test.jpg -v
45 | ```
46 |
47 | 2. Check nginx logs to see if the header is present:
48 | ```bash
49 | tail -f /var/log/nginx/access.log
50 | ```
51 |
52 | ## Docker Compose Fix
53 |
54 | If using docker-compose with nginx proxy, add:
55 |
56 | ```yaml
57 | environment:
58 | - NGINX_PROXY_PASS_HEADER=Authorization
59 | ```
--------------------------------------------------------------------------------
/frontend/Dockerfile.prod:
--------------------------------------------------------------------------------
1 | # Build stage with dynamic API URL
2 | FROM node:20-alpine AS builder
3 |
4 | # Accept build args for API URL
5 | ARG VITE_API_URL=/api
6 |
7 | # Set working directory
8 | WORKDIR /app
9 |
10 | # Copy package files
11 | COPY package*.json ./
12 |
13 | # Install dependencies
14 | RUN npm ci --legacy-peer-deps
15 |
16 | # Copy source files
17 | COPY . .
18 |
19 | # Set environment variable for build
20 | ENV VITE_API_URL=$VITE_API_URL
21 |
22 | # Build the application
23 | RUN npm run build
24 |
25 | # Production stage
26 | FROM nginx:alpine
27 |
28 | # Upgrade all packages to fix security vulnerabilities (BusyBox CVEs)
29 | RUN apk upgrade --no-cache
30 |
31 | # Install runtime dependencies
32 | RUN apk add --no-cache curl
33 |
34 | # Remove default nginx config
35 | RUN rm -rf /etc/nginx/conf.d/*
36 |
37 | # Copy custom nginx config
38 | COPY nginx.conf /etc/nginx/conf.d/default.conf
39 |
40 | # Copy built application from builder stage
41 | COPY --from=builder /app/dist /usr/share/nginx/html
42 |
43 | # Create a script to inject runtime config
44 | RUN cat > /usr/share/nginx/html/config.js << 'EOF'
45 | window.__RUNTIME_CONFIG__ = {
46 | API_URL: '/api'
47 | };
48 | EOF
49 |
50 | # Set permissions
51 | RUN chown -R nginx:nginx /usr/share/nginx/html && \
52 | chown -R nginx:nginx /var/cache/nginx && \
53 | chown -R nginx:nginx /var/log/nginx && \
54 | touch /var/run/nginx.pid && \
55 | chown -R nginx:nginx /var/run/nginx.pid
56 |
57 | # Expose port
58 | EXPOSE 80
59 |
60 | # Health check
61 | HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
62 | CMD curl -f http://localhost/health || exit 1
63 |
64 | # Switch to non-root user
65 | USER nginx
66 |
67 | # Start nginx
68 | CMD ["nginx", "-g", "daemon off;"]
--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
1 | ## Description
2 |
3 | Please include a summary of the changes and which issue is fixed. Include relevant motivation and context.
4 |
5 | Fixes # (issue)
6 |
7 | ## Type of change
8 |
9 | Please delete options that are not relevant.
10 |
11 | - [ ] Bug fix (non-breaking change which fixes an issue)
12 | - [ ] New feature (non-breaking change which adds functionality)
13 | - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
14 | - [ ] Documentation update
15 | - [ ] Performance improvement
16 | - [ ] Code refactoring
17 |
18 | ## How Has This Been Tested?
19 |
20 | Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce.
21 |
22 | - [ ] Unit tests pass (`npm test`)
23 | - [ ] Manual testing completed
24 | - [ ] Tested on Docker deployment
25 | - [ ] Tested on production-like environment
26 |
27 | **Test Configuration**:
28 | * PicPeak Version:
29 | * Node.js Version:
30 | * Database: PostgreSQL / SQLite
31 | * Browser:
32 |
33 | ## Checklist:
34 |
35 | - [ ] My code follows the style guidelines of this project
36 | - [ ] I have performed a self-review of my code
37 | - [ ] I have commented my code, particularly in hard-to-understand areas
38 | - [ ] I have made corresponding changes to the documentation
39 | - [ ] My changes generate no new warnings
40 | - [ ] I have added tests that prove my fix is effective or that my feature works
41 | - [ ] New and existing unit tests pass locally with my changes
42 | - [ ] Any dependent changes have been merged and published
43 | - [ ] I have updated the CHANGELOG.md file
44 |
45 | ## Screenshots (if appropriate):
46 |
47 | ## Additional Notes:
48 |
49 | Add any additional notes, concerns, or discussion points here.
--------------------------------------------------------------------------------
/backend/.env.example:
--------------------------------------------------------------------------------
1 | # Backend Environment Variables Example
2 | # Copy this file to .env and update with your values
3 |
4 | # Application
5 | NODE_ENV=production
6 | PORT=3001
7 |
8 | # Security
9 | # Generate with: openssl rand -base64 32
10 | JWT_SECRET=your-very-secure-jwt-secret-at-least-32-characters-long-example123456
11 |
12 | # URLs (adjust for your domain)
13 | ADMIN_URL=https://photos.example.com
14 | FRONTEND_URL=https://photos.example.com
15 | BACKEND_URL=https://photos.example.com # Or https://api.photos.example.com if separate
16 |
17 | # Database Configuration
18 | DATABASE_CLIENT=pg
19 | DB_HOST=localhost
20 | DB_PORT=5432
21 | DB_USER=picpeak
22 | DB_PASSWORD=your-secure-database-password-change-this
23 | DB_NAME=picpeak
24 |
25 | # Email Configuration (Examples for common providers)
26 | # Gmail example:
27 | # SMTP_HOST=smtp.gmail.com
28 | # SMTP_PORT=587
29 | # SMTP_SECURE=false
30 | # SMTP_USER=your-email@gmail.com
31 | # SMTP_PASS=your-app-specific-password
32 |
33 | # SendGrid example:
34 | SMTP_HOST=smtp.sendgrid.net
35 | SMTP_PORT=587
36 | SMTP_SECURE=false
37 | SMTP_USER=apikey
38 | SMTP_PASS=your-sendgrid-api-key
39 | EMAIL_FROM=noreply@example.com
40 |
41 | # Storage Paths
42 | # Docker deployment:
43 | STORAGE_PATH=/app/storage
44 | EVENTS_PATH=/app/storage/events
45 | ARCHIVE_PATH=/app/storage/events/archived
46 |
47 | # Local development:
48 | # STORAGE_PATH=./storage
49 | # EVENTS_PATH=./storage/events
50 | # ARCHIVE_PATH=./storage/events/archived
51 |
52 | # Analytics Backend Configuration (OPTIONAL)
53 | # Used for server-side tracking only
54 | # Primary configuration should be done through Admin UI > Settings > Analytics
55 | # UMAMI_URL=https://analytics.example.com
56 | # UMAMI_WEBSITE_ID=b4d3c2a1-5678-90ab-cdef-1234567890ab
57 |
58 | # Logging
59 | LOG_LEVEL=info
--------------------------------------------------------------------------------
/backend/src/services/recaptcha.js:
--------------------------------------------------------------------------------
1 | const axios = require('axios');
2 | const { db } = require('../database/db');
3 |
4 | async function verifyRecaptcha(token) {
5 | // Check if reCAPTCHA is enabled
6 | const settings = await db('app_settings')
7 | .whereIn('setting_key', ['security_enable_recaptcha', 'security_recaptcha_secret_key'])
8 | .select('setting_key', 'setting_value');
9 |
10 | const settingsMap = {};
11 | settings.forEach(setting => {
12 | try {
13 | settingsMap[setting.setting_key] = JSON.parse(setting.setting_value);
14 | } catch (e) {
15 | settingsMap[setting.setting_key] = setting.setting_value;
16 | }
17 | });
18 |
19 | const isEnabled = settingsMap.security_enable_recaptcha === true ||
20 | settingsMap.security_enable_recaptcha === 'true';
21 | const secretKey = settingsMap.security_recaptcha_secret_key;
22 |
23 | // If reCAPTCHA is not enabled, always return true
24 | if (!isEnabled) {
25 | return true;
26 | }
27 |
28 | // If enabled but no token provided, fail
29 | if (!token) {
30 | return false;
31 | }
32 |
33 | // If no secret key configured, log warning but pass
34 | if (!secretKey) {
35 | console.warn('reCAPTCHA enabled but no secret key configured');
36 | return true;
37 | }
38 |
39 | try {
40 | const response = await axios.post(
41 | 'https://www.google.com/recaptcha/api/siteverify',
42 | null,
43 | {
44 | params: {
45 | secret: secretKey,
46 | response: token
47 | }
48 | }
49 | );
50 |
51 | return response.data.success === true;
52 | } catch (error) {
53 | console.error('reCAPTCHA verification error:', error);
54 | return false;
55 | }
56 | }
57 |
58 | module.exports = { verifyRecaptcha };
--------------------------------------------------------------------------------
/backend/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM node:20-alpine AS builder
2 |
3 | # Add build arguments
4 | ARG CACHEBUST=1
5 | ARG BUILD_DATE
6 | ARG VCS_REF
7 | ARG VERSION
8 |
9 | # Add labels for GitHub Container Registry
10 | LABEL org.opencontainers.image.source="https://github.com/the-luap/picpeak"
11 | LABEL org.opencontainers.image.description="PicPeak Backend Service"
12 | LABEL org.opencontainers.image.licenses="MIT"
13 |
14 | # Upgrade npm to fix glob CVE-2025-64756 vulnerability
15 | RUN npm install -g npm@latest
16 |
17 | WORKDIR /app
18 |
19 | # Copy package files
20 | COPY package*.json ./
21 |
22 | # Install dependencies (--omit=dev replaces deprecated --only=production)
23 | RUN npm ci --omit=dev
24 |
25 | # Copy application files
26 | COPY . .
27 |
28 | # Production stage
29 | FROM node:20-alpine
30 |
31 | WORKDIR /app
32 |
33 | # Upgrade all packages to fix security vulnerabilities (BusyBox CVEs)
34 | RUN apk upgrade --no-cache
35 |
36 | # Upgrade npm to fix glob CVE-2025-64756 vulnerability
37 | RUN npm install -g npm@latest
38 |
39 | # Install dumb-init for proper signal handling and postgresql-client for database checks
40 | RUN apk add --no-cache dumb-init postgresql-client
41 |
42 | # Create non-root user
43 | RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
44 |
45 | # Copy from builder
46 | COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
47 | COPY --chown=nodejs:nodejs . .
48 |
49 | # Make wait script executable
50 | RUN chmod +x wait-for-db.sh
51 |
52 | # Create necessary directories
53 | RUN mkdir -p storage/events/active storage/events/archived storage/thumbnails data logs && \
54 | chown -R nodejs:nodejs storage data logs
55 |
56 | USER nodejs
57 |
58 | EXPOSE 3000
59 |
60 | ENTRYPOINT ["dumb-init", "--"]
61 | CMD ["./wait-for-db.sh", "node", "server.js"]
62 |
--------------------------------------------------------------------------------
/backend/src/utils/shareLinkUtils.js:
--------------------------------------------------------------------------------
1 | const SHARE_TOKEN_REGEX = /^[0-9a-fA-F]{32}$/;
2 |
3 | /**
4 | * Extracts the share token portion from a stored share link.
5 | * Supports full URLs, absolute paths, and legacy slug/token formats.
6 | * @param {string|null|undefined} shareLink
7 | * @returns {string|null}
8 | */
9 | function extractShareToken(shareLink) {
10 | if (!shareLink) {
11 | return null;
12 | }
13 |
14 | const trimmed = String(shareLink).trim();
15 | if (!trimmed) {
16 | return null;
17 | }
18 |
19 | // Remove protocol + host when a full URL is stored
20 | const path = trimmed.replace(/^https?:\/\/[^/]+/i, '');
21 | const segments = path.split('/').filter(Boolean);
22 | if (segments.length === 0) {
23 | return null;
24 | }
25 |
26 | const candidate = segments[segments.length - 1];
27 | return candidate || null;
28 | }
29 |
30 | /**
31 | * Returns true if the provided identifier looks like a generated share token.
32 | * @param {string|null|undefined} identifier
33 | * @returns {boolean}
34 | */
35 | function isPotentialShareToken(identifier) {
36 | if (!identifier) {
37 | return false;
38 | }
39 | return SHARE_TOKEN_REGEX.test(String(identifier).trim());
40 | }
41 |
42 | /**
43 | * Builds the gallery share path depending on whether short URLs are enabled.
44 | * @param {string} slug
45 | * @param {string} shareToken
46 | * @param {boolean} useShort
47 | * @returns {string}
48 | */
49 | function buildSharePath(slug, shareToken, useShort) {
50 | if (!shareToken) {
51 | throw new Error('shareToken is required to build share path');
52 | }
53 | if (useShort || !slug) {
54 | return `/gallery/${shareToken}`;
55 | }
56 | return `/gallery/${slug}/${shareToken}`;
57 | }
58 |
59 | module.exports = {
60 | extractShareToken,
61 | isPotentialShareToken,
62 | buildSharePath
63 | };
64 |
--------------------------------------------------------------------------------
/backend/migrations/core/042_backfill_event_upload_columns.js:
--------------------------------------------------------------------------------
1 | const logger = require('../../src/utils/logger');
2 |
3 | async function ensureColumn(knex, tableName, columnName, alterFn) {
4 | const exists = await knex.schema.hasColumn(tableName, columnName);
5 | if (!exists) {
6 | logger.info(`Adding column ${tableName}.${columnName}`);
7 | await knex.schema.table(tableName, alterFn);
8 | }
9 | }
10 |
11 | exports.up = async function(knex) {
12 | await ensureColumn(knex, 'events', 'host_name', (table) => {
13 | table.string('host_name');
14 | });
15 |
16 | await ensureColumn(knex, 'events', 'allow_user_uploads', (table) => {
17 | table.boolean('allow_user_uploads').defaultTo(false);
18 | });
19 |
20 | await ensureColumn(knex, 'events', 'upload_category_id', (table) => {
21 | table.integer('upload_category_id');
22 | });
23 |
24 | await ensureColumn(knex, 'events', 'allow_downloads', (table) => {
25 | table.boolean('allow_downloads').defaultTo(true);
26 | });
27 |
28 | await ensureColumn(knex, 'events', 'disable_right_click', (table) => {
29 | table.boolean('disable_right_click').defaultTo(false);
30 | });
31 |
32 | await ensureColumn(knex, 'events', 'watermark_downloads', (table) => {
33 | table.boolean('watermark_downloads').defaultTo(false);
34 | });
35 |
36 | await ensureColumn(knex, 'events', 'watermark_text', (table) => {
37 | table.text('watermark_text');
38 | });
39 |
40 | await ensureColumn(knex, 'events', 'hero_photo_id', (table) => {
41 | table.integer('hero_photo_id').references('id').inTable('photos').onDelete('SET NULL');
42 | });
43 |
44 | await ensureColumn(knex, 'photos', 'uploaded_by', (table) => {
45 | table.string('uploaded_by').defaultTo('admin');
46 | });
47 | };
48 |
49 | exports.down = async function() {
50 | // Non destructive migration; no rollback
51 | };
52 |
--------------------------------------------------------------------------------
/backend/src/middleware/secureStatic.js:
--------------------------------------------------------------------------------
1 | const path = require('path');
2 | const express = require('express');
3 | const { safePathJoin, isPathSafe } = require('../utils/fileSecurityUtils');
4 |
5 | /**
6 | * Create a secure static file serving middleware that prevents path traversal attacks
7 | * @param {string} basePath - The base directory to serve files from
8 | * @param {Object} options - Express static options
9 | * @returns {Function} - Express middleware
10 | */
11 | function secureStatic(basePath, options = {}) {
12 | const normalizedBase = path.resolve(basePath);
13 |
14 | return (req, res, next) => {
15 | // Get the requested file path - remove leading slash for validation
16 | const requestedPath = req.path.startsWith('/') ? req.path.substring(1) : req.path;
17 |
18 | // Validate the path doesn't contain dangerous patterns
19 | if (!isPathSafe(requestedPath)) {
20 | console.warn(`Potential path traversal attempt blocked: ${requestedPath}`);
21 | return res.status(403).json({ error: 'Access denied' });
22 | }
23 |
24 | try {
25 | // Validate the full path is within the base directory
26 | const fullPath = safePathJoin(normalizedBase, requestedPath);
27 |
28 | // If validation passes, use express.static
29 | const staticMiddleware = express.static(normalizedBase, {
30 | ...options,
31 | // Disable directory listing for security
32 | index: false,
33 | // Don't allow dotfiles
34 | dotfiles: 'deny'
35 | });
36 |
37 | return staticMiddleware(req, res, next);
38 | } catch (error) {
39 | // Path traversal detected
40 | console.error(`Path traversal blocked: ${requestedPath}`, error.message);
41 | return res.status(403).json({ error: 'Access denied' });
42 | }
43 | };
44 | }
45 |
46 | module.exports = secureStatic;
--------------------------------------------------------------------------------
/frontend/src/components/admin/PhotoUploadModal.tsx:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import { X } from 'lucide-react';
3 | import { Button } from '../common';
4 | import { PhotoUpload } from './PhotoUpload';
5 | import { useTranslation } from 'react-i18next';
6 |
7 | interface PhotoUploadModalProps {
8 | isOpen: boolean;
9 | onClose: () => void;
10 | eventId: number;
11 | onUploadComplete?: () => void;
12 | }
13 |
14 | export const PhotoUploadModal: React.FC
33 |
56 | );
57 | };
58 |
59 | PhotoUploadModal.displayName = 'PhotoUploadModal';
60 |
--------------------------------------------------------------------------------
/backend/migrations/legacy/027_add_rate_limit_settings_duplicate.js:
--------------------------------------------------------------------------------
1 | exports.up = async function(knex) {
2 | // Add rate limit settings to app_settings
3 | const rateLimitSettings = [
4 | {
5 | setting_key: 'rate_limit_enabled',
6 | setting_value: JSON.stringify(true),
7 | setting_type: 'security'
8 | },
9 | {
10 | setting_key: 'rate_limit_window_minutes',
11 | setting_value: JSON.stringify(15),
12 | setting_type: 'security'
13 | },
14 | {
15 | setting_key: 'rate_limit_max_requests',
16 | setting_value: JSON.stringify(1000),
17 | setting_type: 'security'
18 | },
19 | {
20 | setting_key: 'rate_limit_auth_max_requests',
21 | setting_value: JSON.stringify(5),
22 | setting_type: 'security'
23 | },
24 | {
25 | setting_key: 'rate_limit_skip_authenticated',
26 | setting_value: JSON.stringify(true),
27 | setting_type: 'security'
28 | },
29 | {
30 | setting_key: 'rate_limit_public_endpoints_only',
31 | setting_value: JSON.stringify(false),
32 | setting_type: 'security'
33 | }
34 | ];
35 |
36 | // Insert settings if they don't exist
37 | for (const setting of rateLimitSettings) {
38 | const exists = await knex('app_settings')
39 | .where('setting_key', setting.setting_key)
40 | .first();
41 |
42 | if (!exists) {
43 | await knex('app_settings').insert({
44 | ...setting
45 | });
46 | }
47 | }
48 | };
49 |
50 | exports.down = async function(knex) {
51 | // Remove rate limit settings
52 | await knex('app_settings')
53 | .whereIn('setting_key', [
54 | 'rate_limit_enabled',
55 | 'rate_limit_window_minutes',
56 | 'rate_limit_max_requests',
57 | 'rate_limit_auth_max_requests',
58 | 'rate_limit_skip_authenticated',
59 | 'rate_limit_public_endpoints_only'
60 | ])
61 | .del();
62 | };
--------------------------------------------------------------------------------
/frontend/src/components/gallery/ExpirationBanner.tsx:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import { AlertTriangle, Download } from 'lucide-react';
3 | import Countdown from 'react-countdown';
4 | import { parseISO } from 'date-fns';
5 | import { useTranslation } from 'react-i18next';
6 |
7 | interface ExpirationBannerProps {
8 | daysRemaining: number;
9 | expiresAt: string;
10 | }
11 |
12 | export const ExpirationBanner: React.FC
34 | {/* Fixed Header */}
35 |
55 |
36 |
46 |
47 | {/* Scrollable Content */}
48 | {t('upload.uploadMedia', t('events.uploadPhotos'))}
37 | 45 |
49 |
54 |
39 |
54 | );
55 | };
--------------------------------------------------------------------------------
/frontend/src/components/common/Loading.tsx:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import { Loader2 } from 'lucide-react';
3 | import { clsx } from 'clsx';
4 |
5 | interface LoadingProps {
6 | size?: 'sm' | 'md' | 'lg';
7 | text?: string;
8 | fullScreen?: boolean;
9 | className?: string;
10 | }
11 |
12 | export const Loading: React.FC
40 |
53 |
41 |
52 |
42 |
47 |
48 |
51 |
26 |
31 | );
32 |
33 | if (fullScreen) {
34 | return (
35 | {text}
29 | )} 30 |
36 | {content}
37 |
38 | );
39 | }
40 |
41 | return content;
42 | };
43 |
44 | interface LoadingSkeletonProps {
45 | className?: string;
46 | count?: number;
47 | type?: 'text' | 'card' | 'image';
48 | }
49 |
50 | export const LoadingSkeleton: React.FC
24 |
55 | );
56 | };
--------------------------------------------------------------------------------
/frontend/src/components/common/Button.tsx:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import { clsx } from 'clsx';
3 | import { Loader2 } from 'lucide-react';
4 |
5 | interface ButtonProps extends React.ButtonHTMLAttributes
25 |
43 |
44 |
26 |
34 | {onCancel && (
35 |
41 | )}
42 |
28 |
33 | {t('download.downloading')}
29 | {fileName && ( 30 |{fileName}
31 | )} 32 |
45 |
49 |
50 |
51 | {progress > 0 && (
52 | {Math.round(progress)}{t('download.percentComplete')}
53 | )} 54 |
64 | Failed to load
65 |
66 | );
67 | }
68 |
69 | return (
70 |
76 | );
77 | };
78 |
--------------------------------------------------------------------------------
/backend/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "picpeak-backend",
3 | "version": "1.1.15",
4 | "description": "Backend for PicPeak event photo sharing platform",
5 | "main": "server.js",
6 | "scripts": {
7 | "start": "node server.js",
8 | "dev": "nodemon server.js",
9 | "migrate": "node migrations/run-migrations.js",
10 | "migrate:safe": "node migrations/run-migrations-safe.js",
11 | "test": "jest",
12 | "lint": "eslint src/"
13 | },
14 | "dependencies": {
15 | "@aws-sdk/client-s3": "^3.850.0",
16 | "@aws-sdk/lib-storage": "^3.850.0",
17 | "@aws-sdk/s3-request-presigner": "^3.850.0",
18 | "@ffmpeg-installer/ffmpeg": "^1.1.0",
19 | "adm-zip": "^0.5.16",
20 | "archiver": "^5.3.1",
21 | "axios": "^1.12.2",
22 | "bcrypt": "6.0.0",
23 | "chokidar": "4.0.3",
24 | "cookie-parser": "^1.4.7",
25 | "cors": "^2.8.5",
26 | "dotenv": "^16.0.3",
27 | "express": "^4.18.2",
28 | "express-rate-limit": "^6.7.0",
29 | "express-validator": "^7.0.1",
30 | "fluent-ffmpeg": "^2.1.3",
31 | "form-data": "^4.0.4",
32 | "handlebars": "^4.7.8",
33 | "helmet": "^7.0.0",
34 | "i18next": "25.3.2",
35 | "i18next-browser-languagedetector": "^8.2.0",
36 | "i18next-http-backend": "^3.0.2",
37 | "joi": "^17.9.1",
38 | "js-yaml": "^4.1.1",
39 | "jsonwebtoken": "^9.0.0",
40 | "knex": "^2.4.2",
41 | "mime-types": "^3.0.1",
42 | "multer": "^2.0.2",
43 | "node-cron": "^3.0.2",
44 | "nodemailer": "^7.0.10",
45 | "pg": "^8.16.3",
46 | "react-i18next": "^15.6.0",
47 | "sanitize-html": "^2.17.0",
48 | "sharp": "0.34.3",
49 | "sqlite3": "^5.1.6",
50 | "uuid": "^11.1.0",
51 | "winston": "^3.8.2",
52 | "zxcvbn": "^4.4.2"
53 | },
54 | "devDependencies": {
55 | "eslint": "^8.40.0",
56 | "jest": "^29.5.0",
57 | "mock-fs": "^5.5.0",
58 | "nodemon": "^3.1.10",
59 | "supertest": "^6.3.3"
60 | },
61 | "overrides": {
62 | "prebuild-install": {
63 | "tar-fs": "2.1.4"
64 | },
65 | "glob": "^11.1.0",
66 | "body-parser": "^2.2.1",
67 | "js-yaml": "^4.1.1"
68 | }
69 | }
70 |
--------------------------------------------------------------------------------
/backend/src/services/emailService.js:
--------------------------------------------------------------------------------
1 | const nodemailer = require('nodemailer');
2 | const { db } = require('../database/db');
3 | const { emailTemplates } = require('./emailTemplates');
4 | const logger = require('../utils/logger');
5 |
6 | // Create transporter
7 | const transporter = nodemailer.createTransport({
8 | host: process.env.SMTP_HOST,
9 | port: process.env.SMTP_PORT,
10 | secure: process.env.SMTP_SECURE === 'true',
11 | auth: {
12 | user: process.env.SMTP_USER,
13 | pass: process.env.SMTP_PASS
14 | }
15 | });
16 |
17 | async function sendEmail(to, type, data) {
18 | try {
19 | const template = emailTemplates[type](data);
20 |
21 | const info = await transporter.sendMail({
22 | from: process.env.EMAIL_FROM,
23 | to: to,
24 | subject: template.subject,
25 | html: template.html,
26 | text: template.text
27 | });
28 |
29 | logger.info(`Email sent: ${info.messageId}`);
30 | return info;
31 | } catch (error) {
32 | logger.error('Error sending email:', error);
33 | throw error;
34 | }
35 | }
36 |
37 | // Process email queue
38 | async function processEmailQueue() {
39 | const pendingEmails = await db('email_queue')
40 | .where('status', 'pending')
41 | .where('retry_count', '<', 3)
42 | .limit(10);
43 |
44 | for (const email of pendingEmails) {
45 | try {
46 | const emailData = JSON.parse(email.email_data);
47 | await sendEmail(email.recipient_email, email.email_type, emailData);
48 |
49 | await db('email_queue').where('id', email.id).update({
50 | status: 'sent',
51 | sent_at: new Date()
52 | });
53 | } catch (error) {
54 | await db('email_queue').where('id', email.id).update({
55 | retry_count: email.retry_count + 1,
56 | error_message: error.message
57 | });
58 | }
59 | }
60 | }
61 |
62 | // Start email queue processor
63 | // DISABLED: Using emailProcessor.js instead to prevent duplicate connections
64 | // setInterval(processEmailQueue, 60000); // Process every minute
65 |
66 | module.exports = { sendEmail, processEmailQueue };
67 |
--------------------------------------------------------------------------------
/frontend/Dockerfile:
--------------------------------------------------------------------------------
1 | # Build stage
2 | FROM node:20-alpine AS builder
3 |
4 | # Add build arguments
5 | ARG CACHEBUST=1
6 | ARG BUILD_DATE
7 | ARG VCS_REF
8 | ARG VERSION
9 |
10 | # Add labels for GitHub Container Registry
11 | LABEL org.opencontainers.image.source="https://github.com/the-luap/picpeak"
12 | LABEL org.opencontainers.image.description="PicPeak Frontend Application"
13 | LABEL org.opencontainers.image.licenses="MIT"
14 |
15 | # Upgrade npm to fix glob CVE-2025-64756 vulnerability
16 | RUN npm install -g npm@latest
17 |
18 | # Set working directory
19 | WORKDIR /app
20 |
21 | # Copy package files
22 | COPY package*.json ./
23 |
24 | # Install dependencies
25 | RUN npm ci --legacy-peer-deps
26 |
27 | # Copy source files
28 | COPY . .
29 |
30 | # Build the application
31 | RUN npm run build
32 |
33 | # Production stage (use Alpine with patched libpng)
34 | FROM nginx:1.27-alpine3.21
35 |
36 | # Upgrade all packages to fix security vulnerabilities (BusyBox CVEs)
37 | RUN apk upgrade --no-cache
38 | # Ensure libpng includes CVE fixes (pull patched version from edge)
39 | RUN apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main 'libpng>=1.6.51-r0'
40 |
41 | # Install runtime dependencies
42 | RUN apk add --no-cache curl
43 |
44 | # Remove default nginx config
45 | RUN rm -rf /etc/nginx/conf.d/*
46 |
47 | # Copy custom nginx config
48 | COPY nginx.conf /etc/nginx/conf.d/default.conf
49 |
50 | # Copy built application from builder stage
51 | COPY --from=builder /app/dist /usr/share/nginx/html
52 |
53 | # Set permissions (nginx user already exists in nginx:alpine)
54 | RUN chown -R nginx:nginx /usr/share/nginx/html && \
55 | chown -R nginx:nginx /var/cache/nginx && \
56 | chown -R nginx:nginx /var/log/nginx && \
57 | touch /var/run/nginx.pid && \
58 | chown -R nginx:nginx /var/run/nginx.pid
59 |
60 | # Expose port
61 | EXPOSE 80
62 |
63 | # Health check
64 | HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
65 | CMD curl -f http://localhost/health || exit 1
66 |
67 | # Switch to non-root user
68 | USER nginx
69 |
70 | # Start nginx
71 | CMD ["nginx", "-g", "daemon off;"]
72 |
--------------------------------------------------------------------------------
/backend/scripts/show-admin-credentials.js:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env node
2 |
3 | /**
4 | * Show or reset admin credentials
5 | */
6 |
7 | const bcrypt = require('bcrypt');
8 | const { db } = require('../src/database/db');
9 | const { generateReadablePassword } = require('../src/utils/passwordGenerator');
10 |
11 | async function showAdminCredentials(resetPassword = false) {
12 | try {
13 | // Get admin user
14 | const admin = await db('admin_users')
15 | .where('username', 'admin')
16 | .first();
17 |
18 | if (!admin) {
19 | console.error('❌ No admin user found in database');
20 | process.exit(1);
21 | }
22 |
23 | console.log('\n========================================');
24 | console.log('PicPeak Admin Credentials');
25 | console.log('========================================');
26 | console.log(`Username: ${admin.username}`);
27 | console.log(`Email: ${admin.email}`);
28 |
29 | if (resetPassword) {
30 | // Generate new password
31 | const newPassword = generateReadablePassword();
32 | const passwordHash = await bcrypt.hash(newPassword, 12);
33 |
34 | // Update password
35 | await db('admin_users')
36 | .where('id', admin.id)
37 | .update({
38 | password_hash: passwordHash,
39 | updated_at: new Date()
40 | });
41 |
42 | // Password logging removed for security - check logs or database if needed
43 | console.log('Password: [NEWLY RESET - stored in database]');
44 | console.log('\n⚠️ IMPORTANT: New password has been set in database!');
45 | } else {
46 | console.log('Password: [hidden - use --reset flag to generate new password]');
47 | }
48 |
49 | console.log('\nLogin URL: http://localhost:3001/admin');
50 | console.log('========================================\n');
51 |
52 | } catch (error) {
53 | console.error('Error:', error.message);
54 | process.exit(1);
55 | } finally {
56 | await db.destroy();
57 | }
58 | }
59 |
60 | // Check for reset flag
61 | const resetPassword = process.argv.includes('--reset');
62 |
63 | if (resetPassword) {
64 | console.log('🔄 Resetting admin password...');
65 | }
66 |
67 | showAdminCredentials(resetPassword);
--------------------------------------------------------------------------------
/frontend/src/components/admin/WelcomeMessageEditor.tsx:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import { HelpCircle } from 'lucide-react';
3 |
4 | interface WelcomeMessageEditorProps {
5 | value: string;
6 | onChange: (value: string) => void;
7 | placeholder?: string;
8 | rows?: number;
9 | }
10 |
11 | export const WelcomeMessageEditor: React.FCtags for preview 22 | const getPreviewHtml = () => { 23 | return value 24 | .split('\n') 25 | .map(line => line.trim()) 26 | .filter(line => line.length > 0) 27 | .join('
'); 28 | }; 29 | 30 | return ( 31 |
32 |
61 | );
62 | };
63 |
64 | WelcomeMessageEditor.displayName = 'WelcomeMessageEditor';
65 |
--------------------------------------------------------------------------------
/backend/src/services/workerManager.js:
--------------------------------------------------------------------------------
1 | /**
2 | * Worker Manager - Background service for PicPeak
3 | *
4 | * This service runs as a separate process to handle:
5 | * - File watching for new photos
6 | * - Expiration checking for events
7 | * - Other background tasks
8 | */
9 |
10 | const path = require('path');
11 | const logger = require('../utils/logger');
12 |
13 | // Load environment variables
14 | require('dotenv').config({ path: path.join(__dirname, '../../.env') });
15 |
16 | // Import services
17 | const { startFileWatcher } = require('./fileWatcher');
18 | const { startExpirationChecker } = require('./expirationChecker');
19 |
20 | let isShuttingDown = false;
21 |
22 | async function startWorkers() {
23 | logger.info('Starting PicPeak background workers...');
24 |
25 | try {
26 | // Start file watcher for automatic photo processing
27 | startFileWatcher();
28 | logger.info('File watcher started successfully');
29 |
30 | // Start expiration checker for event lifecycle management
31 | startExpirationChecker();
32 | logger.info('Expiration checker started successfully');
33 |
34 | logger.info('All background workers started successfully');
35 | } catch (error) {
36 | logger.error('Failed to start background workers:', error);
37 | process.exit(1);
38 | }
39 | }
40 |
41 | function handleShutdown(signal) {
42 | if (isShuttingDown) {
43 | logger.info('Shutdown already in progress...');
44 | return;
45 | }
46 |
47 | isShuttingDown = true;
48 | logger.info(`Received ${signal}. Shutting down gracefully...`);
49 |
50 | // Give time for cleanup
51 | setTimeout(() => {
52 | logger.info('Worker manager shutdown complete');
53 | process.exit(0);
54 | }, 1000);
55 | }
56 |
57 | // Handle shutdown signals
58 | process.on('SIGTERM', () => handleShutdown('SIGTERM'));
59 | process.on('SIGINT', () => handleShutdown('SIGINT'));
60 |
61 | // Handle uncaught errors
62 | process.on('uncaughtException', (error) => {
63 | logger.error('Uncaught exception in worker manager:', error);
64 | process.exit(1);
65 | });
66 |
67 | process.on('unhandledRejection', (reason, promise) => {
68 | logger.error('Unhandled rejection in worker manager:', reason);
69 | });
70 |
71 | // Start workers
72 | startWorkers();
73 |
--------------------------------------------------------------------------------
/frontend/src/components/admin/AdminAuthenticatedImage.tsx:
--------------------------------------------------------------------------------
1 | import React, { useState, useEffect } from 'react';
2 | import { api } from '../../config/api';
3 |
4 | interface AdminAuthenticatedImageProps extends React.ImgHTMLAttributes
33 |
40 |
44 |
45 |
41 |
42 |
43 |
46 | Tip: Press Enter to create a new line. Each line will appear as a separate paragraph in emails.
47 |
48 |
49 | {value && (
50 |
51 |
59 | )}
60 | Preview:
52 |
53 |
57 |
58 |
73 | Failed to load
74 |
75 | );
76 | }
77 |
78 | return
30 | {label && (
31 |
37 | )}
38 |
77 | );
78 | }
79 | );
80 |
81 | Input.displayName = 'Input';
--------------------------------------------------------------------------------
/frontend/src/services/email.service.ts:
--------------------------------------------------------------------------------
1 | import { api } from '../config/api';
2 |
3 | export interface EmailConfig {
4 | smtp_host: string;
5 | smtp_port: number;
6 | smtp_secure: boolean;
7 | smtp_user: string;
8 | smtp_pass: string;
9 | from_email: string;
10 | from_name: string;
11 | tls_reject_unauthorized: boolean;
12 | }
13 |
14 | export interface EmailTemplate {
15 | id: number;
16 | template_key: string;
17 | subject: string; // For backward compatibility
18 | body_html: string; // For backward compatibility
19 | body_text?: string; // For backward compatibility
20 | subject_en: string;
21 | subject_de: string;
22 | body_html_en: string;
23 | body_html_de: string;
24 | body_text_en?: string;
25 | body_text_de?: string;
26 | variables: string[];
27 | updated_at: string;
28 | }
29 |
30 | export interface EmailPreview {
31 | subject: string;
32 | body_html: string;
33 | body_text: string;
34 | }
35 |
36 | export const emailService = {
37 | // Get email configuration
38 | async getConfig(): Promise
39 | {leftIcon && (
40 |
66 | {error && (
67 |
41 | {leftIcon}
42 |
43 | )}
44 |
60 | {rightIcon && (
61 |
62 | {rightIcon}
63 |
64 | )}
65 | 68 | {error} 69 |
70 | )} 71 | {helperText && !error && ( 72 |73 | {helperText} 74 |
75 | )} 76 |
33 | {children}
34 |
35 | );
36 | };
37 |
38 | interface CardHeaderProps extends React.HTMLAttributes
59 |
67 | );
68 | };
69 |
70 | interface CardContentProps extends React.HTMLAttributes
60 |
65 | {action && {title}
61 | {subtitle && ( 62 |{subtitle}
63 | )} 64 |{action}
}
66 |
81 | {children}
82 |
83 | );
84 | };
85 |
86 | interface CardFooterProps extends React.HTMLAttributes
103 | {children}
104 |
105 | );
106 | };
--------------------------------------------------------------------------------
/frontend/tailwind.config.js:
--------------------------------------------------------------------------------
1 | /** @type {import('tailwindcss').Config} */
2 | export default {
3 | content: [
4 | "./index.html",
5 | "./src/**/*.{js,ts,jsx,tsx}",
6 | ],
7 | theme: {
8 | extend: {
9 | colors: {
10 | primary: {
11 | 50: '#f0fdf4',
12 | 100: '#dcfce7',
13 | 200: '#bbf7d0',
14 | 300: '#86efac',
15 | 400: '#4ade80',
16 | 500: '#22c55e',
17 | 600: '#5C8762', // Main brand color from scrappbook.de
18 | 700: '#4a6f4f',
19 | 800: '#3f5d42',
20 | 900: '#365238',
21 | },
22 | sand: {
23 | 50: '#fdfcfb',
24 | 100: '#f7f5f2',
25 | 200: '#f0ebe5',
26 | 300: '#e6ddd4',
27 | 400: '#d4c2b0',
28 | 500: '#c2a68c',
29 | 600: '#b18b68',
30 | },
31 | neutral: {
32 | 50: '#fafafa',
33 | 100: '#f5f5f5',
34 | 200: '#e5e5e5',
35 | 300: '#d4d4d4',
36 | 400: '#a3a3a3',
37 | 500: '#737373',
38 | 600: '#525252',
39 | 700: '#404040',
40 | 800: '#262626',
41 | 900: '#171717',
42 | }
43 | },
44 | fontFamily: {
45 | sans: ['Inter', 'Noto Sans', 'system-ui', '-apple-system', 'sans-serif'],
46 | },
47 | animation: {
48 | 'fade-in': 'fadeIn 0.5s ease-in-out',
49 | 'slide-up': 'slideUp 0.3s ease-out',
50 | 'scale-in': 'scaleIn 0.2s ease-out',
51 | 'shimmer': 'shimmer 2s cubic-bezier(0.4, 0, 0.6, 1) infinite',
52 | },
53 | keyframes: {
54 | fadeIn: {
55 | '0%': { opacity: '0' },
56 | '100%': { opacity: '1' },
57 | },
58 | slideUp: {
59 | '0%': { transform: 'translateY(10px)', opacity: '0' },
60 | '100%': { transform: 'translateY(0)', opacity: '1' },
61 | },
62 | scaleIn: {
63 | '0%': { transform: 'scale(0.95)', opacity: '0' },
64 | '100%': { transform: 'scale(1)', opacity: '1' },
65 | },
66 | shimmer: {
67 | '0%': { backgroundPosition: '-200% 0' },
68 | '100%': { backgroundPosition: '200% 0' },
69 | },
70 | },
71 | spacing: {
72 | '18': '4.5rem',
73 | '88': '22rem',
74 | },
75 | borderRadius: {
76 | 'xl': '1rem',
77 | '2xl': '1.25rem',
78 | },
79 | boxShadow: {
80 | 'soft': '0 2px 8px rgba(0, 0, 0, 0.04)',
81 | 'medium': '0 4px 16px rgba(0, 0, 0, 0.08)',
82 | 'large': '0 8px 32px rgba(0, 0, 0, 0.12)',
83 | },
84 | },
85 | },
86 | plugins: [],
87 | }
88 |
89 |
--------------------------------------------------------------------------------
/backend/wait-for-db.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # wait-for-db.sh - Wait for PostgreSQL to be ready before starting the application
3 |
4 | set -e
5 |
6 | host="${DB_HOST:-postgres}"
7 | port="${DB_PORT:-5432}"
8 | user="${DB_USER:-picpeak}"
9 | target_db="${DB_NAME:-picpeak}"
10 | default_db="${DB_CHECK_DB:-postgres}"
11 |
12 | sanitize_identifier() {
13 | printf '%s' "$1" | sed "s/'/''/g"
14 | }
15 |
16 | echo "Waiting for PostgreSQL at $host:$port..."
17 |
18 | # Wait for PostgreSQL server to accept connections (using the default database)
19 | until PGPASSWORD="$DB_PASSWORD" psql -h "$host" -p "$port" -U "$user" -d "$default_db" -c '\q' >/dev/null 2>&1; do
20 | >&2 echo "PostgreSQL is unavailable - sleeping"
21 | sleep 2
22 | done
23 |
24 | >&2 echo "PostgreSQL is up - verifying target database \"$target_db\""
25 |
26 | # Ensure the target database exists (helps when volumes are reused or DB_NAME is customised)
27 | db_exists=$(PGPASSWORD="$DB_PASSWORD" psql -h "$host" -p "$port" -U "$user" -d "$default_db" -tAc "SELECT 1 FROM pg_database WHERE datname = '$(sanitize_identifier "$target_db")'" 2>/dev/null || echo 0)
28 |
29 | if [ "$db_exists" != "1" ]; then
30 | >&2 echo "Database \"$target_db\" not found. Attempting to create..."
31 | if ! PGPASSWORD="$DB_PASSWORD" psql -h "$host" -p "$port" -U "$user" -d "$default_db" -c "CREATE DATABASE \"$target_db\";" >/dev/null 2>&1; then
32 | >&2 echo "Failed to create database \"$target_db\". Please ensure it exists and is accessible."
33 | exit 1
34 | fi
35 | >&2 echo "Database \"$target_db\" created successfully."
36 | fi
37 |
38 | # Wait until the target database itself is ready to accept connections
39 | until PGPASSWORD="$DB_PASSWORD" psql -h "$host" -p "$port" -U "$user" -d "$target_db" -c '\q' >/dev/null 2>&1; do
40 | >&2 echo "Waiting for database \"$target_db\" to accept connections..."
41 | sleep 2
42 | done
43 |
44 | >&2 echo "Target database \"$target_db\" is ready."
45 |
46 | # Ensure storage directories exist with proper permissions (Issue #67 fix)
47 | # When host directories are bind-mounted, the container's built-in directories are overridden
48 | # This ensures the required directory structure exists before the application starts
49 | echo "Ensuring storage directories exist..."
50 | STORAGE_BASE="${STORAGE_PATH:-/app/storage}"
51 | mkdir -p "$STORAGE_BASE/events/active" "$STORAGE_BASE/events/archived" "$STORAGE_BASE/thumbnails" 2>/dev/null || true
52 |
53 | # Run migrations (use safe runner in production)
54 | echo "Running database migrations..."
55 | if [ "$NODE_ENV" = "production" ]; then
56 | npm run migrate:safe
57 | else
58 | npm run migrate
59 | fi
60 |
61 | # Execute the main command
62 | exec "$@"
63 |
--------------------------------------------------------------------------------
/.env.example:
--------------------------------------------------------------------------------
1 | # PicPeak Environment Configuration
2 | # Copy this file to .env and update with your values
3 |
4 | # Environment
5 | NODE_ENV=production
6 |
7 | # JWT Secret (generate with: openssl rand -base64 64)
8 | JWT_SECRET=your_very_long_random_jwt_secret_here
9 |
10 | # Database Configuration (PostgreSQL)
11 | DATABASE_CLIENT=pg
12 | DB_USER=picpeak
13 | # IMPORTANT: Avoid $ character in passwords - Docker Compose interprets it as variable substitution
14 | # If you must use $, escape it as $$ (e.g., Pass$$word instead of Pass$word)
15 | DB_PASSWORD=your_secure_postgres_password_here
16 | DB_NAME=picpeak_prod
17 |
18 | # Redis Configuration
19 | # IMPORTANT: Same warning applies - avoid $ or escape as $$
20 | REDIS_PASSWORD=your_secure_redis_password_here
21 |
22 | # Admin Account (initial setup)
23 | ADMIN_USERNAME=admin
24 | ADMIN_EMAIL=admin@yourdomain.com
25 |
26 | # Email Configuration
27 | # For Gmail: use app-specific password
28 | # For SendGrid: SMTP_USER=apikey, SMTP_PASS=your-api-key
29 | SMTP_HOST=smtp.gmail.com
30 | SMTP_PORT=587
31 | SMTP_SECURE=false
32 | SMTP_USER=your-email@gmail.com
33 | SMTP_PASS=your-app-specific-password
34 | EMAIL_FROM=noreply@yourdomain.com
35 |
36 | # Application URLs
37 | # Use full origin with scheme, no trailing slash.
38 | # Admin UI is served by the frontend at /admin.
39 | FRONTEND_URL=https://yourdomain.com
40 | ADMIN_URL=https://yourdomain.com
41 |
42 | # Frontend API base
43 | # For pre-built images and production behind a reverse proxy, keep '/api'.
44 | # If you rebuild the frontend yourself, you may set a full URL at build time.
45 | VITE_API_URL=/api
46 |
47 | # Port Configuration (optional)
48 | # BACKEND_PORT=3001
49 | # FRONTEND_PORT=3000
50 | # DB_PORT=5432
51 | # REDIS_PORT=6379
52 |
53 | # Timezone
54 | TZ=UTC
55 |
56 | # Runtime user mapping for Docker (optional)
57 | # Set these to your host user's UID/GID to avoid permission issues on bind mounts.
58 | # Run `id -u` and `id -g` on host to get values. Defaults to 1001.
59 | PUID=1001
60 | PGID=1001
61 |
62 | # Analytics (Optional - Umami)
63 | VITE_UMAMI_URL=
64 | VITE_UMAMI_WEBSITE_ID=
65 | VITE_UMAMI_SHARE_URL=
66 |
67 | # Storage variables (host paths)
68 | # These control where data is stored on the host. Defaults are local folders.
69 | APP_STORAGE=./storage
70 | APP_DATA=./data
71 | LOGS=./logs
72 |
73 | # Note on FRONTEND_API_URL (documentation only):
74 | # When using pre-built frontend images, runtime env vars cannot override the built JS.
75 | # Do NOT rely on FRONTEND_API_URL in Compose. Instead, keep VITE_API_URL=/api and
76 | # let the frontend Nginx proxy /api to the backend. Only if you rebuild the frontend
77 | # should you change VITE_API_URL at build time.
78 |
--------------------------------------------------------------------------------
/frontend/src/hooks/useLocalizedDate.ts:
--------------------------------------------------------------------------------
1 | import { useTranslation } from 'react-i18next';
2 | import { format as dateFnsFormat, formatDistanceToNow as dateFnsFormatDistanceToNow } from 'date-fns';
3 | import { de, enUS } from 'date-fns/locale';
4 | import { useQuery } from '@tanstack/react-query';
5 | import { publicSettingsService } from '../services/publicSettings.service';
6 |
7 | // Convert old date format strings to new date-fns format
8 | const convertDateFormat = (format: string): string => {
9 | return format
10 | .replace(/DD/g, 'dd') // Days: DD -> dd
11 | .replace(/YYYY/g, 'yyyy') // Years: YYYY -> yyyy
12 | .replace(/YY/g, 'yy'); // Short years: YY -> yy
13 | };
14 |
15 | export const useLocalizedDate = () => {
16 | const { i18n } = useTranslation();
17 |
18 | // Fetch public settings to get the date format
19 | const { data: settings } = useQuery({
20 | queryKey: ['public-settings'],
21 | queryFn: () => publicSettingsService.getPublicSettings(),
22 | staleTime: 5 * 60 * 1000, // Cache for 5 minutes
23 | retry: 1, // Only retry once to avoid blocking the UI
24 | });
25 |
26 | const getLocale = () => {
27 | return i18n.language === 'de' ? de : enUS;
28 | };
29 |
30 | const format = (date: Date | string, formatStr?: string) => {
31 | const dateObj = typeof date === 'string' ? new Date(date) : date;
32 | // Use admin-configured date format if available and no format string provided
33 | let dateFormat = formatStr;
34 | if (!dateFormat && settings?.general_date_format) {
35 | // Handle both string and object formats
36 | dateFormat = typeof settings.general_date_format === 'string'
37 | ? settings.general_date_format
38 | : settings.general_date_format.format || 'PPP';
39 | }
40 | dateFormat = dateFormat || 'PPP';
41 |
42 | // Convert old format to new format
43 | dateFormat = convertDateFormat(dateFormat);
44 |
45 | return dateFnsFormat(dateObj, dateFormat, { locale: getLocale() });
46 | };
47 |
48 | const formatDistanceToNow = (date: Date | string, options?: { addSuffix?: boolean }) => {
49 | const dateObj = typeof date === 'string' ? new Date(date) : date;
50 | return dateFnsFormatDistanceToNow(dateObj, { ...options, locale: getLocale() });
51 | };
52 |
53 | return {
54 | format,
55 | formatDistanceToNow,
56 | locale: getLocale(),
57 | dateFormat: settings?.general_date_format
58 | ? convertDateFormat(
59 | typeof settings.general_date_format === 'string'
60 | ? settings.general_date_format
61 | : settings.general_date_format.format || 'PPP'
62 | )
63 | : 'PPP'
64 | };
65 | };
--------------------------------------------------------------------------------
/backend/src/routes/adminCMS.js:
--------------------------------------------------------------------------------
1 | const express = require('express');
2 | const { body, validationResult } = require('express-validator');
3 | const { db, logActivity } = require('../database/db');
4 | const { adminAuth } = require('../middleware/auth-enhanced-v2');
5 | const router = express.Router();
6 |
7 | // Get all CMS pages
8 | router.get('/pages', adminAuth, async (req, res) => {
9 | try {
10 | const pages = await db('cms_pages').select('*').orderBy('slug', 'asc');
11 | res.json(pages);
12 | } catch (error) {
13 | console.error('Error fetching CMS pages:', error);
14 | res.status(500).json({ error: 'Failed to fetch pages' });
15 | }
16 | });
17 |
18 | // Get a single CMS page
19 | router.get('/pages/:slug', adminAuth, async (req, res) => {
20 | try {
21 | const { slug } = req.params;
22 | const page = await db('cms_pages').where('slug', slug).first();
23 |
24 | if (!page) {
25 | return res.status(404).json({ error: 'Page not found' });
26 | }
27 |
28 | res.json(page);
29 | } catch (error) {
30 | console.error('Error fetching CMS page:', error);
31 | res.status(500).json({ error: 'Failed to fetch page' });
32 | }
33 | });
34 |
35 | // Update a CMS page
36 | router.put('/pages/:slug', adminAuth, [
37 | body('title_en').optional().isString(),
38 | body('title_de').optional().isString(),
39 | body('content_en').optional().isString(),
40 | body('content_de').optional().isString()
41 | ], async (req, res) => {
42 | try {
43 | const errors = validationResult(req);
44 | if (!errors.isEmpty()) {
45 | return res.status(400).json({ errors: errors.array() });
46 | }
47 |
48 | const { slug } = req.params;
49 | const { title_en, title_de, content_en, content_de } = req.body;
50 |
51 | const page = await db('cms_pages').where('slug', slug).first();
52 | if (!page) {
53 | return res.status(404).json({ error: 'Page not found' });
54 | }
55 |
56 | // Update the page
57 | await db('cms_pages')
58 | .where('slug', slug)
59 | .update({
60 | title_en,
61 | title_de,
62 | content_en,
63 | content_de,
64 | updated_at: new Date()
65 | });
66 |
67 | const updated = await db('cms_pages').where('slug', slug).first();
68 |
69 | // Log activity
70 | await logActivity('cms_page_updated',
71 | { page: slug },
72 | null,
73 | { type: 'admin', id: req.admin.id, name: req.admin.username }
74 | );
75 |
76 | res.json(updated);
77 | } catch (error) {
78 | console.error('Error updating CMS page:', error);
79 | res.status(500).json({ error: 'Failed to update page' });
80 | }
81 | });
82 |
83 | module.exports = router;
--------------------------------------------------------------------------------