feat: enhance deployment process and update dependencies

- Updated the deployment script to build the web application before deploying.
- Upgraded Wrangler dependency from 4.61.1 to 4.69.0.

feat: add import item limit and request body size limit

- Introduced a new limit for the maximum total items allowed in a single import (5000).
- Set a hard body size limit for JSON API endpoints (25 MB).

feat: validate KDF parameters during registration and password change

- Added validation for KDF parameters to ensure compliance with Bitwarden's minimum requirements.
- Enhanced error handling for invalid KDF parameters during user registration and password change.

feat: clean up R2 files on user deletion

- Implemented cleanup of R2 files associated with user attachments and sends before deleting user metadata.

feat: verify folder ownership when creating or updating ciphers

- Added checks to ensure that users cannot reference folders owned by other users when creating or updating ciphers.

fix: handle corrupted cipher data gracefully

- Improved error handling when retrieving ciphers from the database to avoid crashes due to corrupted data.

feat: increment send access count atomically

- Added a method to atomically increment the access count for sends and return whether the update was successful.

fix: enforce request body size limits

- Implemented checks to reject oversized request bodies for non-file upload paths.

fix: update error handling for database initialization

- Enhanced error logging for database initialization failures while providing a generic message to clients.

feat: enhance security with Content Security Policy

- Added a Content Security Policy to the web application to improve security against XSS attacks.

fix: remove plaintext TOTP secret from localStorage

- Updated the TOTP enabling process to remove the plaintext secret from localStorage after it is stored on the server.

fix: ensure only PBKDF2 hash is sent for public send access

- Modified the public send access payload to ensure only the PBKDF2 hash is sent, never the plaintext password.

webapp/index.html

@@ -3,6 +3,7 @@
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://icons.bitwarden.net; connect-src 'self'; font-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self';" />
     <link rel="icon" type="image/png" href="/favicon.ico" />
     <link rel="apple-touch-icon" href="/apple-touch-icon.png" />
     <title>NodeWarden</title>

webapp/src/components/SettingsPage.tsx

@@ -56,7 +56,8 @@ export default function SettingsPage(props: SettingsPageProps) {
 
   async function enableTotp(): Promise<void> {
     await props.onEnableTotp(secret, token);
-    localStorage.setItem(totpSecretStorageKey, secret);
+    // Secret is now stored on the server; remove plaintext copy from localStorage.
+    localStorage.removeItem(totpSecretStorageKey);
     setTotpLocked(true);
   }
 

webapp/src/lib/api.ts

@@ -993,9 +993,8 @@ async function buildPublicSendAccessPayload(password?: string, keyPart?: string
   const payload: Record<string, unknown> = {};
   const plainPassword = String(password || '').trim();
   if (!plainPassword) return payload;
-  payload.password = plainPassword;
 
-  // Official clients send a PBKDF2 hash bound to send key material.
+  // Only send the PBKDF2 hash bound to the send key material — never send plaintext password.
   if (keyPart) {
     try {
       const sendKeyMaterial = base64UrlToBytes(keyPart);
@@ -1004,7 +1003,7 @@ async function buildPublicSendAccessPayload(password?: string, keyPart?: string
       payload.password_hash_b64 = passwordHashB64;
       payload.passwordHashB64 = passwordHashB64;
     } catch {
-      // Fallback to plain password for legacy compatibility.
+      // Key material invalid; cannot compute hash — server will reject as unauthorized.
     }
   }
   return payload;