From 799972ab7429e49845cfc5d26e5f1f6d3bc42428 Mon Sep 17 00:00:00 2001
From: Dalibor Marković
Date: Fri, 12 Jun 2026 23:19:07 +0200
Subject: [PATCH] docs(readme): updated feature list (Serbian and English)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added/corrected in both READMEs:
- TOTP: secret encrypted in the database (AES-256-GCM) instead of the incorrect claim about backup codes (not implemented; moved to Planned)
- RBAC: emphasized enforcement of the check at the route level and in handlers
- Backup: added restoring the database from a copy (safe, with no downtime)
- Added: structured logging (slog) and automated tests

--- Readme.md | 9 ++++++--- Readme_sr.md | 9 ++++++--- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/Readme.md b/Readme.md index 0fd0404..8718d7e 100644 --- a/Readme.md +++ b/Readme.md @@ -29,7 +29,7 @@ The goal is simple: everything the repair shop needs to track is located in one - Database migration system - User interface — sidebar navigation, theme system (dark/light), dashboard with statistics - User login — server-side sessions, account locking -- Two-factor authentication (TOTP) — activation with a QR code, backup codes +- Two-factor authentication (TOTP) — activation with a QR code; secret encrypted at rest (AES-256-GCM, key kept outside the database) - Brute-force protection — IP locking after 5 failed attempts within 15 minutes - CSRF protection — double-submit cookie pattern, automatic token injection into all forms - Security HTTP headers (CSP, X-Frame-Options, Referrer-Policy, nosniff...) 
@@ -45,16 +45,19 @@ The goal is simple: everything the repair shop needs to track is located in one - Settings — company name, address, Tax ID (PIB), logo; theme toggle - Background images — login page and app, with blur, transparency and glass effect - Personal theme and background — each user can set their own theme and background image -- Permission matrix (RBAC) — admin panel for setting permissions by role +- Permission matrix (RBAC) — admin panel for permissions by role; enforced at the route level (both mutations and views) and in handlers - Flash messages — one-time feedback after an action -- Automatic SQLite backup — with configurable number of retained copies +- Automatic SQLite backup — with configurable number of retained copies; restore from a copy (safe, with no downtime) - Charts — monthly revenue on reports (Chart.js) +- Structured logging — `log/slog` (JSON in production, text in development); separate auth log in fail2ban format +- Automated tests — unit and integration over a SQLite database (crypto, RBAC, login flows, form validators, reports) ### Planned - Fiscalization and VAT calculation (specification in Project.md) - PostgreSQL support (for multi-user environments) - WebAuthn / Passkey login (database schema is already prepared) +- Backup (one-time) codes for 2FA - Notifications (email / WhatsApp) — deferred to a later phase - Barcode scanning via camera — deferred to a later phase diff --git a/Readme_sr.md b/Readme_sr.md index 4b841e2..7fbc13f 100644 --- a/Readme_sr.md +++ b/Readme_sr.md 
@@ -29,7 +29,7 @@ Cilj je jednostavan: sve što servis treba da prati nalazi se na jednom mestu, b - Sistem migracija baze podataka - Korisnički interfejs — sidebar navigacija, sistem tema (tamna/svetla), dashboard sa statistikama - Prijava korisnika — sesije na serveru, zaključavanje naloga -- Dvofaktorska autentifikacija (TOTP) — aktivacija sa QR kodom, rezervni kodovi +- Dvofaktorska autentifikacija (TOTP) — aktivacija sa QR kodom; tajna šifrovana u bazi (AES-256-GCM, ključ van baze) - Bruteforce zaštita — IP zaključavanje nakon 5 neuspelih pokušaja u 15 minuta - CSRF zaštita — double-submit cookie pattern, automatska injekcija tokena u sve forme - Bezbednosni HTTP headeri (CSP, X-Frame-Options, Referrer-Policy, nosniff...) 
@@ -45,16 +45,19 @@ Cilj je jednostavan: sve što servis treba da prati nalazi se na jednom mestu, b - Podešavanja — naziv, adresa, PIB, logo firme; promena teme - Pozadinske slike — login stranica i aplikacija, sa zamućenjem, providnošću i glass efektom - Lična tema i pozadina — svaki korisnik može svoju temu i pozadinsku sliku -- Matrica dozvola (RBAC) — admin panel za podešavanje dozvola po ulogama +- Matrica dozvola (RBAC) — admin panel za dozvole po ulogama; provera se sprovodi na nivou ruta (i mutirajućih i pregleda) i u handlerima - Flash poruke — jednokratne povratne informacije nakon akcije -- Automatski backup SQLite baze — sa podešavanjem broja čuvanih kopija +- Automatski backup SQLite baze — sa podešavanjem broja čuvanih kopija; vraćanje baze iz kopije (bezbedno, bez prekida rada) - Grafikoni — mesečni prihod na izveštajima (Chart.js) +- Strukturisano logovanje — `log/slog` (JSON u produkciji, tekst u razvoju); zaseban auth log u fail2ban formatu +- Automatski testovi — jedinični i integracioni nad SQLite bazom (kripto, RBAC, tokovi prijave, validatori forme, izveštaji) ### Planirano - Fiskalizacija i PDV obračun (specifikacija u Project.md) - Podrška za PostgreSQL (za višekorisničko okruženje) - WebAuthn / Passkey prijava (šema baze je pripremljena) +- Rezervni (jednokratni) kodovi za 2FA - Obaveštenja (e-pošta / WhatsApp) — odloženo za kasniju fazu - Skeniranje barkodova putem kamere — odloženo za kasniju fazu
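Review bot: in the first Readme.md hunk (@@ -29,7 +29,7 @@), the new TOTP bullet `+- Two-factor authentication (TOTP) — activation with a QR code; secret encrypted at rest (AES-256-GCM, key kept outside the database)` says the key lives outside the database but not where, so someone deploying the app cannot tell what they have to provision, protect and back up. Name the key source (an environment variable or a config file, whichever the project uses) and add one sentence saying the automatic SQLite backup listed further down does not contain it: a restored database is only usable for 2FA if the same key is restored with it, and since the commit message confirms backup codes are not implemented, a lost key leaves every 2FA-enabled account with secrets that cannot be decrypted.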
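Review bot: in the second Readme.md hunk (@@ -45,16 +45,19 @@), "restore from a copy (safe, with no downtime)" is a claim the README does not support; restoring a SQLite file over a live database replaces data that open connections may be writing at that moment, so either state how the restore is performed (for example through the SQLite online backup API into the live connection, with writers blocked for the duration) or drop "with no downtime" and keep "safe". In the same hunk, the logging bullet says the auth log is "in fail2ban format"; fail2ban has no fixed log format, it matches whatever regex a filter defines, so either ship a filter file and name it here, or document the exact line layout (timestamp, client IP, event) that a filter is expected to match.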
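Review bot: in the first Readme_sr.md hunk (@@ -29,7 +29,7 @@), the TOTP bullet reads "tajna šifrovana u bazi (AES-256-GCM, ključ van baze)" (secret encrypted in the database, key outside the database) while the English counterpart in this same patch reads "secret encrypted at rest"; the meaning is the same here, but keep the two READMEs word-for-word parallel so that later edits to one do not drift from the other, and whichever phrasing is chosen should also say where the key is loaded from, as that is the one fact a reader of this bullet needs.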
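Review bot: in the second Readme_sr.md hunk (@@ -45,16 +45,19 @@), the backup bullet `+- Automatski backup SQLite baze — sa podešavanjem broja čuvanih kopija; vraćanje baze iz kopije (bezbedno, bez prekida rada)` carries the same "bez prekida rada" (no downtime) claim as the English list and needs the same qualification: say how a live SQLite database is replaced without losing in-flight writes, or remove the no-downtime wording. The logging bullet's "u fail2ban formatu" has the same problem as the English one, since fail2ban only matches filter regexes; document the line layout or ship the filter, and apply the identical fix to both files in one change so the lists stay in sync.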