major: kestrel is now a tak server (#6)

## Added

- CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity
- Support for TAK stream protocol and traditional XML CoT messages
- TLS/SSL support with automatic fallback to plain TCP
- Username/password authentication for CoT connections
- Real-time device position tracking with TTL-based expiration (90s default)
- API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password`
- TAK Server section in Settings with QR code for iTAK setup
- ATAK password management in Account page for OIDC users
- CoT device markers on map showing real-time positions
- Comprehensive documentation in `docs/` directory
- Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG`
- Dependencies: `fast-xml-parser`, `jszip`, `qrcode`

## Changed

- Authentication system supports CoT password management for OIDC users
- Database schema includes `cot_password_hash` field
- Test suite refactored to follow functional design principles

## Removed

- Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js`

## Security

- XML entity expansion protection in CoT parser
- Enhanced input validation and SQL injection prevention
- Authentication timeout to prevent hanging connections

## Breaking Changes

- Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations.

## Migration Notes

- OIDC users must set ATAK password via Account settings before connecting
- Docker: expose port 8089 (`-p 8089:8089`)
- Kubernetes: update Helm values to expose port 8089

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #6

server/api/auth/config.get.js

@@ -1,3 +1,3 @@
-import { getAuthConfig } from '../../utils/authConfig.js'
+import { getAuthConfig } from '../../utils/oidc.js'
 
 export default defineEventHandler(() => getAuthConfig())

server/api/auth/login.post.js

@@ -1,7 +1,7 @@
 import { setCookie } from 'h3'
 import { getDb } from '../../utils/db.js'
 import { verifyPassword } from '../../utils/password.js'
-import { getSessionMaxAgeDays } from '../../utils/session.js'
+import { getSessionMaxAgeDays } from '../../utils/constants.js'
 
 export default defineEventHandler(async (event) => {
   const body = await readBody(event)
@@ -15,6 +15,10 @@ export default defineEventHandler(async (event) => {
   if (!user || !user.password_hash || !verifyPassword(password, user.password_hash)) {
     throw createError({ statusCode: 401, message: 'Invalid credentials' })
   }
+
+  // Invalidate all existing sessions for this user to prevent session fixation
+  await run('DELETE FROM sessions WHERE user_id = ?', [user.id])
+
   const sessionDays = getSessionMaxAgeDays()
   const sid = crypto.randomUUID()
   const now = new Date()

server/api/auth/oidc/authorize.get.js

@@ -1,5 +1,5 @@
-import { getAuthConfig } from '../../../utils/authConfig.js'
 import {
+  getAuthConfig,
   getOidcConfig,
   getOidcRedirectUri,
   createOidcParams,

server/api/auth/oidc/callback.get.js

@@ -6,7 +6,7 @@ import {
   exchangeCode,
 } from '../../../utils/oidc.js'
 import { getDb } from '../../../utils/db.js'
-import { getSessionMaxAgeDays } from '../../../utils/session.js'
+import { getSessionMaxAgeDays } from '../../../utils/constants.js'
 
 const DEFAULT_ROLE = process.env.OIDC_DEFAULT_ROLE || 'member'
 
@@ -74,6 +74,9 @@ export default defineEventHandler(async (event) => {
     user = await get('SELECT id, identifier, role FROM users WHERE id = ?', [id])
   }
 
+  // Invalidate all existing sessions for this user to prevent session fixation
+  await run('DELETE FROM sessions WHERE user_id = ?', [user.id])
+
   const sessionDays = getSessionMaxAgeDays()
   const sid = crypto.randomUUID()
   const now = new Date()

server/api/cameras.get.js

@@ -1,12 +1,19 @@
 import { getDb } from '../utils/db.js'
 import { requireAuth } from '../utils/authHelpers.js'
 import { getActiveSessions } from '../utils/liveSessions.js'
+import { getActiveEntities } from '../utils/cotStore.js'
 import { rowToDevice, sanitizeDeviceForResponse } from '../utils/deviceUtils.js'
 
 export default defineEventHandler(async (event) => {
   requireAuth(event)
-  const [db, sessions] = await Promise.all([getDb(), getActiveSessions()])
+  const config = useRuntimeConfig()
+  const ttlMs = Number(config.cotTtlMs ?? 90_000) || 90_000
+  const [db, sessions, cotEntities] = await Promise.all([
+    getDb(),
+    getActiveSessions(),
+    getActiveEntities(ttlMs),
+  ])
   const rows = await db.all('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices ORDER BY id')
   const devices = rows.map(rowToDevice).filter(Boolean).map(sanitizeDeviceForResponse)
-  return { devices, liveSessions: sessions }
+  return { devices, liveSessions: sessions, cotEntities }
 })

server/api/cot/config.get.js

@@ -0,0 +1,8 @@
+import { getCotSslPaths, getCotPort } from '../../utils/cotSsl.js'
+
+/** Public CoT server config for QR code / client setup (port and whether TLS is used). */
+export default defineEventHandler(() => {
+  const config = useRuntimeConfig()
+  const paths = getCotSslPaths(config)
+  return { port: getCotPort(), ssl: Boolean(paths) }
+})

server/api/cot/server-package.get.js

@@ -0,0 +1,60 @@
+import { existsSync } from 'node:fs'
+import JSZip from 'jszip'
+import { getCotSslPaths, getCotPort, TRUSTSTORE_PASSWORD, COT_TLS_REQUIRED_MESSAGE, buildP12FromCertPath } from '../../utils/cotSsl.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+/**
+ * Build config.pref XML for iTAK: server connection + CA cert for trust (credentials entered in app).
+ * connectString format: host:port:ssl or host:port:tcp
+ */
+function buildConfigPref(hostname, port, ssl) {
+  const connectString = `${hostname}:${port}:${ssl ? 'ssl' : 'tcp'}`
+  return `<?xml version='1.0' encoding='UTF-8' standalone='yes' ?>
+<preference-set id="com.atakmap.app_preferences">
+  <entry key="connectionEntry">1</entry>
+  <entry key="description">KestrelOS</entry>
+  <entry key="enabled">true</entry>
+  <entry key="connectString">${escapeXml(connectString)}</entry>
+  <entry key="caCertPath">cert/caCert.p12</entry>
+  <entry key="caCertPassword">${escapeXml(TRUSTSTORE_PASSWORD)}</entry>
+  <entry key="cacheCredentials">true</entry>
+</preference-set>
+`
+}
+
+function escapeXml(s) {
+  return String(s)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+}
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event)
+  const config = useRuntimeConfig()
+  const paths = getCotSslPaths(config)
+  if (!paths || !existsSync(paths.certPath)) {
+    setResponseStatus(event, 404)
+    return { error: `CoT server is not using TLS. Server package ${COT_TLS_REQUIRED_MESSAGE} Use the QR code and add the server with SSL disabled (plain TCP) instead.` }
+  }
+
+  const hostname = getRequestURL(event).hostname
+  const port = getCotPort()
+
+  try {
+    const p12 = buildP12FromCertPath(paths.certPath, TRUSTSTORE_PASSWORD)
+    const zip = new JSZip()
+    zip.file('config.pref', buildConfigPref(hostname, port, true))
+    zip.folder('cert').file('caCert.p12', p12)
+
+    const blob = await zip.generateAsync({ type: 'nodebuffer' })
+    setHeader(event, 'Content-Type', 'application/zip')
+    setHeader(event, 'Content-Disposition', 'attachment; filename="kestrelos-itak-server-package.zip"')
+    return blob
+  }
+  catch (err) {
+    setResponseStatus(event, 500)
+    return { error: 'Failed to build server package.', detail: err?.message }
+  }
+})

server/api/cot/truststore.get.js

@@ -0,0 +1,24 @@
+import { existsSync } from 'node:fs'
+import { getCotSslPaths, TRUSTSTORE_PASSWORD, COT_TLS_REQUIRED_MESSAGE, buildP12FromCertPath } from '../../utils/cotSsl.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+export default defineEventHandler((event) => {
+  requireAuth(event)
+  const config = useRuntimeConfig()
+  const paths = getCotSslPaths(config)
+  if (!paths || !existsSync(paths.certPath)) {
+    setResponseStatus(event, 404)
+    return { error: `CoT server is not using TLS or cert not found. Trust store ${COT_TLS_REQUIRED_MESSAGE}` }
+  }
+
+  try {
+    const p12 = buildP12FromCertPath(paths.certPath, TRUSTSTORE_PASSWORD)
+    setHeader(event, 'Content-Type', 'application/x-pkcs12')
+    setHeader(event, 'Content-Disposition', 'attachment; filename="kestrelos-cot-truststore.p12"')
+    return p12
+  }
+  catch (err) {
+    setResponseStatus(event, 500)
+    return { error: 'Failed to build trust store.', detail: err?.message }
+  }
+})

server/api/devices.post.js

@@ -1,4 +1,4 @@
-import { getDb } from '../utils/db.js'
+import { getDb, withTransaction } from '../utils/db.js'
 import { requireAuth } from '../utils/authHelpers.js'
 import { validateDeviceBody, rowToDevice, sanitizeDeviceForResponse } from '../utils/deviceUtils.js'
 
@@ -7,13 +7,15 @@ export default defineEventHandler(async (event) => {
   const body = await readBody(event).catch(() => ({}))
   const { name, device_type, vendor, lat, lng, stream_url, source_type, config } = validateDeviceBody(body)
   const id = crypto.randomUUID()
-  const { run, get } = await getDb()
-  await run(
-    'INSERT INTO devices (id, name, device_type, vendor, lat, lng, stream_url, source_type, config) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
-    [id, name, device_type, vendor, lat, lng, stream_url, source_type, config],
-  )
-  const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
-  const device = rowToDevice(row)
-  if (!device) throw createError({ statusCode: 500, message: 'Device not found after insert' })
-  return sanitizeDeviceForResponse(device)
+  const db = await getDb()
+  return withTransaction(db, async ({ run, get }) => {
+    await run(
+      'INSERT INTO devices (id, name, device_type, vendor, lat, lng, stream_url, source_type, config) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+      [id, name, device_type, vendor, lat, lng, stream_url, source_type, config],
+    )
+    const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
+    const device = rowToDevice(row)
+    if (!device) throw createError({ statusCode: 500, message: 'Device not found after insert' })
+    return sanitizeDeviceForResponse(device)
+  })
 })

server/api/devices/[id].patch.js

@@ -1,55 +1,49 @@
 import { getDb } from '../../utils/db.js'
 import { requireAuth } from '../../utils/authHelpers.js'
 import { rowToDevice, sanitizeDeviceForResponse, DEVICE_TYPES, SOURCE_TYPES } from '../../utils/deviceUtils.js'
+import { buildUpdateQuery } from '../../utils/queryBuilder.js'
 
 export default defineEventHandler(async (event) => {
   requireAuth(event, { role: 'adminOrLeader' })
   const id = event.context.params?.id
   if (!id) throw createError({ statusCode: 400, message: 'id required' })
   const body = (await readBody(event).catch(() => ({}))) || {}
-  const updates = []
-  const params = []
+  const updates = {}
   if (typeof body.name === 'string') {
-    updates.push('name = ?')
-    params.push(body.name.trim())
+    updates.name = body.name.trim()
   }
   if (DEVICE_TYPES.includes(body.device_type)) {
-    updates.push('device_type = ?')
-    params.push(body.device_type)
+    updates.device_type = body.device_type
   }
   if (body.vendor !== undefined) {
-    updates.push('vendor = ?')
-    params.push(typeof body.vendor === 'string' && body.vendor.trim() ? body.vendor.trim() : null)
+    updates.vendor = typeof body.vendor === 'string' && body.vendor.trim() ? body.vendor.trim() : null
   }
   if (Number.isFinite(body.lat)) {
-    updates.push('lat = ?')
-    params.push(body.lat)
+    updates.lat = body.lat
   }
   if (Number.isFinite(body.lng)) {
-    updates.push('lng = ?')
-    params.push(body.lng)
+    updates.lng = body.lng
   }
   if (typeof body.stream_url === 'string') {
-    updates.push('stream_url = ?')
-    params.push(body.stream_url.trim())
+    updates.stream_url = body.stream_url.trim()
   }
   if (SOURCE_TYPES.includes(body.source_type)) {
-    updates.push('source_type = ?')
-    params.push(body.source_type)
+    updates.source_type = body.source_type
   }
   if (body.config !== undefined) {
-    updates.push('config = ?')
-    params.push(typeof body.config === 'string' ? body.config : (body.config != null ? JSON.stringify(body.config) : null))
+    updates.config = typeof body.config === 'string' ? body.config : (body.config != null ? JSON.stringify(body.config) : null)
   }
   const { run, get } = await getDb()
-  if (updates.length === 0) {
+  if (Object.keys(updates).length === 0) {
     const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
     if (!row) throw createError({ statusCode: 404, message: 'Device not found' })
     const device = rowToDevice(row)
     return device ? sanitizeDeviceForResponse(device) : row
   }
-  params.push(id)
-  await run(`UPDATE devices SET ${updates.join(', ')} WHERE id = ?`, params)
+  const { query, params } = buildUpdateQuery('devices', null, updates)
+  if (query) {
+    await run(query, [...params, id])
+  }
   const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
   if (!row) throw createError({ statusCode: 404, message: 'Device not found' })
   const device = rowToDevice(row)

server/api/live/[id].delete.js

@@ -1,35 +1,38 @@
 import { requireAuth } from '../../utils/authHelpers.js'
 import { getLiveSession, deleteLiveSession } from '../../utils/liveSessions.js'
 import { closeRouter, getProducer, getTransport } from '../../utils/mediasoup.js'
+import { acquire } from '../../utils/asyncLock.js'
 
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   const id = event.context.params?.id
   if (!id) throw createError({ statusCode: 400, message: 'id required' })
 
-  const session = getLiveSession(id)
-  if (!session) throw createError({ statusCode: 404, message: 'Live session not found' })
-  if (session.userId !== user.id) throw createError({ statusCode: 403, message: 'Forbidden' })
+  return await acquire(`session-delete-${id}`, async () => {
+    const session = getLiveSession(id)
+    if (!session) throw createError({ statusCode: 404, message: 'Live session not found' })
+    if (session.userId !== user.id) throw createError({ statusCode: 403, message: 'Forbidden' })
 
-  // Clean up producer if it exists
-  if (session.producerId) {
-    const producer = getProducer(session.producerId)
-    if (producer) {
-      producer.close()
+    // Clean up producer if it exists
+    if (session.producerId) {
+      const producer = getProducer(session.producerId)
+      if (producer) {
+        producer.close()
+      }
     }
-  }
 
-  // Clean up transport if it exists
-  if (session.transportId) {
-    const transport = getTransport(session.transportId)
-    if (transport) {
-      transport.close()
+    // Clean up transport if it exists
+    if (session.transportId) {
+      const transport = getTransport(session.transportId)
+      if (transport) {
+        transport.close()
+      }
     }
-  }
 
-  // Clean up router
-  await closeRouter(id)
+    // Clean up router
+    await closeRouter(id)
 
-  deleteLiveSession(id)
-  return { ok: true }
+    await deleteLiveSession(id)
+    return { ok: true }
+  })
 })

server/api/live/[id].patch.js

@@ -1,31 +1,57 @@
 import { requireAuth } from '../../utils/authHelpers.js'
 import { getLiveSession, updateLiveSession } from '../../utils/liveSessions.js'
+import { acquire } from '../../utils/asyncLock.js'
 
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   const id = event.context.params?.id
   if (!id) throw createError({ statusCode: 400, message: 'id required' })
 
-  const session = getLiveSession(id)
-  if (!session) throw createError({ statusCode: 404, message: 'Live session not found' })
-  if (session.userId !== user.id) throw createError({ statusCode: 403, message: 'Forbidden' })
-
   const body = await readBody(event).catch(() => ({}))
   const lat = Number(body?.lat)
   const lng = Number(body?.lng)
   const updates = {}
   if (Number.isFinite(lat)) updates.lat = lat
   if (Number.isFinite(lng)) updates.lng = lng
-  if (Object.keys(updates).length) {
-    updateLiveSession(id, updates)
+  if (Object.keys(updates).length === 0) {
+    // No updates, just return current session
+    const session = getLiveSession(id)
+    if (!session) throw createError({ statusCode: 404, message: 'Live session not found' })
+    if (session.userId !== user.id) throw createError({ statusCode: 403, message: 'Forbidden' })
+    return {
+      id: session.id,
+      label: session.label,
+      lat: session.lat,
+      lng: session.lng,
+      updatedAt: session.updatedAt,
+    }
   }
 
-  const updated = getLiveSession(id)
-  return {
-    id: updated.id,
-    label: updated.label,
-    lat: updated.lat,
-    lng: updated.lng,
-    updatedAt: updated.updatedAt,
-  }
+  // Use lock to atomically check and update session
+  return await acquire(`session-patch-${id}`, async () => {
+    const session = getLiveSession(id)
+    if (!session) throw createError({ statusCode: 404, message: 'Live session not found' })
+    if (session.userId !== user.id) throw createError({ statusCode: 403, message: 'Forbidden' })
+
+    try {
+      const updated = await updateLiveSession(id, updates)
+      // Re-verify after update (updateLiveSession throws if session not found)
+      if (!updated || updated.userId !== user.id) {
+        throw createError({ statusCode: 404, message: 'Live session not found' })
+      }
+      return {
+        id: updated.id,
+        label: updated.label,
+        lat: updated.lat,
+        lng: updated.lng,
+        updatedAt: updated.updatedAt,
+      }
+    }
+    catch (err) {
+      if (err.message === 'Session not found') {
+        throw createError({ statusCode: 404, message: 'Live session not found' })
+      }
+      throw err
+    }
+  })
 })

server/api/live/start.post.js

@@ -1,40 +1,44 @@
 import { requireAuth } from '../../utils/authHelpers.js'
 import {
-  createSession,
+  getOrCreateSession,
   getActiveSessionByUserId,
   deleteLiveSession,
 } from '../../utils/liveSessions.js'
 import { closeRouter, getProducer, getTransport } from '../../utils/mediasoup.js'
+import { acquire } from '../../utils/asyncLock.js'
 
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event, { role: 'adminOrLeader' })
   const body = await readBody(event).catch(() => ({}))
-  const label = typeof body?.label === 'string' ? body.label.trim() : ''
+  const label = typeof body?.label === 'string' ? body.label.trim().slice(0, 100) : ''
 
-  // Replace any existing live session for this user (one session per user)
-  const existing = getActiveSessionByUserId(user.id)
-  if (existing) {
-    if (existing.producerId) {
-      const producer = getProducer(existing.producerId)
-      if (producer) producer.close()
+  // Atomically get or create session, replacing existing if needed
+  return await acquire(`session-start-${user.id}`, async () => {
+    const existing = await getActiveSessionByUserId(user.id)
+    if (existing) {
+      // Clean up existing session resources
+      if (existing.producerId) {
+        const producer = getProducer(existing.producerId)
+        if (producer) producer.close()
+      }
+      if (existing.transportId) {
+        const transport = getTransport(existing.transportId)
+        if (transport) transport.close()
+      }
+      if (existing.routerId) {
+        await closeRouter(existing.id).catch((err) => {
+          console.error('[live.start] Error closing previous router:', err)
+        })
+      }
+      await deleteLiveSession(existing.id)
+      console.log('[live.start] Replaced previous session:', existing.id)
     }
-    if (existing.transportId) {
-      const transport = getTransport(existing.transportId)
-      if (transport) transport.close()
-    }
-    if (existing.routerId) {
-      await closeRouter(existing.id).catch((err) => {
-        console.error('[live.start] Error closing previous router:', err)
-      })
-    }
-    deleteLiveSession(existing.id)
-    console.log('[live.start] Replaced previous session:', existing.id)
-  }
 
-  const session = createSession(user.id, label || `Live: ${user.identifier || 'User'}`)
-  console.log('[live.start] Session created:', { id: session.id, userId: user.id, label: session.label })
-  return {
-    id: session.id,
-    label: session.label,
-  }
+    const session = await getOrCreateSession(user.id, label || `Live: ${user.identifier || 'User'}`)
+    console.log('[live.start] Session ready:', { id: session.id, userId: user.id, label: session.label })
+    return {
+      id: session.id,
+      label: session.label,
+    }
+  })
 })

server/api/live/webrtc/connect-transport.post.js

@@ -3,7 +3,7 @@ import { getLiveSession } from '../../../utils/liveSessions.js'
 import { getTransport } from '../../../utils/mediasoup.js'
 
 export default defineEventHandler(async (event) => {
-  requireAuth(event) // Verify authentication
+  const user = requireAuth(event) // Verify authentication
   const body = await readBody(event).catch(() => ({}))
   const { sessionId, transportId, dtlsParameters } = body
 
@@ -15,8 +15,12 @@ export default defineEventHandler(async (event) => {
   if (!session) {
     throw createError({ statusCode: 404, message: 'Session not found' })
   }
-  // Note: Both publisher and viewers can connect their own transports
-  // The transportId ensures they can only connect transports they created
+
+  // Verify user has permission to connect transport for this session
+  // Only session owner or admin/leader can connect transports
+  if (session.userId !== user.id && user.role !== 'admin' && user.role !== 'leader') {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
 
   const transport = getTransport(transportId)
   if (!transport) {

server/api/live/webrtc/create-consumer.post.js

@@ -3,7 +3,7 @@ import { getLiveSession } from '../../../utils/liveSessions.js'
 import { getRouter, getTransport, getProducer, createConsumer } from '../../../utils/mediasoup.js'
 
 export default defineEventHandler(async (event) => {
-  requireAuth(event) // Verify authentication
+  const user = requireAuth(event) // Verify authentication
   const body = await readBody(event).catch(() => ({}))
   const { sessionId, transportId, rtpCapabilities } = body
 
@@ -15,6 +15,12 @@ export default defineEventHandler(async (event) => {
   if (!session) {
     throw createError({ statusCode: 404, message: `Session not found: ${sessionId}` })
   }
+
+  // Authorization check: only session owner or admin/leader can consume
+  if (session.userId !== user.id && user.role !== 'admin' && user.role !== 'leader') {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
+
   if (!session.producerId) {
     throw createError({ statusCode: 404, message: 'No producer available for this session' })
   }

server/api/live/webrtc/create-producer.post.js

@@ -1,6 +1,7 @@
 import { requireAuth } from '../../../utils/authHelpers.js'
 import { getLiveSession, updateLiveSession } from '../../../utils/liveSessions.js'
 import { getTransport, producers } from '../../../utils/mediasoup.js'
+import { acquire } from '../../../utils/asyncLock.js'
 
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
@@ -11,33 +12,48 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 400, message: 'sessionId, transportId, kind, and rtpParameters required' })
   }
 
-  const session = getLiveSession(sessionId)
-  if (!session) {
-    throw createError({ statusCode: 404, message: 'Session not found' })
-  }
-  if (session.userId !== user.id) {
-    throw createError({ statusCode: 403, message: 'Forbidden' })
-  }
+  return await acquire(`create-producer-${sessionId}`, async () => {
+    const session = getLiveSession(sessionId)
+    if (!session) {
+      throw createError({ statusCode: 404, message: 'Session not found' })
+    }
+    if (session.userId !== user.id) {
+      throw createError({ statusCode: 403, message: 'Forbidden' })
+    }
 
-  const transport = getTransport(transportId)
-  if (!transport) {
-    throw createError({ statusCode: 404, message: 'Transport not found' })
-  }
+    const transport = getTransport(transportId)
+    if (!transport) {
+      throw createError({ statusCode: 404, message: 'Transport not found' })
+    }
 
-  const producer = await transport.produce({ kind, rtpParameters })
-  producers.set(producer.id, producer)
-  producer.on('close', () => {
-    producers.delete(producer.id)
-    const s = getLiveSession(sessionId)
-    if (s && s.producerId === producer.id) {
-      updateLiveSession(sessionId, { producerId: null })
+    const producer = await transport.produce({ kind, rtpParameters })
+    producers.set(producer.id, producer)
+    producer.on('close', async () => {
+      producers.delete(producer.id)
+      const s = getLiveSession(sessionId)
+      if (s && s.producerId === producer.id) {
+        try {
+          await updateLiveSession(sessionId, { producerId: null })
+        }
+        catch {
+          // Ignore errors during cleanup
+        }
+      }
+    })
+
+    try {
+      await updateLiveSession(sessionId, { producerId: producer.id })
+    }
+    catch (err) {
+      if (err.message === 'Session not found') {
+        throw createError({ statusCode: 404, message: 'Session not found' })
+      }
+      throw err
+    }
+
+    return {
+      id: producer.id,
+      kind: producer.kind,
     }
   })
-
-  updateLiveSession(sessionId, { producerId: producer.id })
-
-  return {
-    id: producer.id,
-    kind: producer.kind,
-  }
 })

server/api/live/webrtc/create-transport.post.js

@@ -2,6 +2,7 @@ import { getRequestURL } from 'h3'
 import { requireAuth } from '../../../utils/authHelpers.js'
 import { getLiveSession, updateLiveSession } from '../../../utils/liveSessions.js'
 import { getRouter, createTransport } from '../../../utils/mediasoup.js'
+import { acquire } from '../../../utils/asyncLock.js'
 
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
@@ -12,28 +13,38 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 400, message: 'sessionId required' })
   }
 
-  const session = getLiveSession(sessionId)
-  if (!session) {
-    throw createError({ statusCode: 404, message: 'Session not found' })
-  }
+  return await acquire(`create-transport-${sessionId}`, async () => {
+    const session = getLiveSession(sessionId)
+    if (!session) {
+      throw createError({ statusCode: 404, message: 'Session not found' })
+    }
 
-  // Only publisher (session owner) can create producer transport
-  // Viewers can create consumer transports
-  if (isProducer && session.userId !== user.id) {
-    throw createError({ statusCode: 403, message: 'Forbidden' })
-  }
+    // Only publisher (session owner) can create producer transport
+    // Viewers can create consumer transports
+    if (isProducer && session.userId !== user.id) {
+      throw createError({ statusCode: 403, message: 'Forbidden' })
+    }
 
-  const url = getRequestURL(event)
-  const requestHost = url.hostname
-  const router = await getRouter(sessionId)
-  const { transport, params } = await createTransport(router, requestHost)
+    const url = getRequestURL(event)
+    const requestHost = url.hostname
+    const router = await getRouter(sessionId)
+    const { transport, params } = await createTransport(router, requestHost)
 
-  if (isProducer) {
-    updateLiveSession(sessionId, {
-      transportId: transport.id,
-      routerId: router.id,
-    })
-  }
+    if (isProducer) {
+      try {
+        await updateLiveSession(sessionId, {
+          transportId: transport.id,
+          routerId: router.id,
+        })
+      }
+      catch (err) {
+        if (err.message === 'Session not found') {
+          throw createError({ statusCode: 404, message: 'Session not found' })
+        }
+        throw err
+      }
+    }
 
-  return params
+    return params
+  })
 })

server/api/live/webrtc/router-rtp-capabilities.get.js

@@ -3,7 +3,7 @@ import { getLiveSession } from '../../../utils/liveSessions.js'
 import { getRouter } from '../../../utils/mediasoup.js'
 
 export default defineEventHandler(async (event) => {
-  requireAuth(event)
+  const user = requireAuth(event)
   const sessionId = getQuery(event).sessionId
 
   if (!sessionId) {
@@ -15,6 +15,11 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 404, message: 'Session not found' })
   }
 
+  // Only session owner or admin/leader can access
+  if (session.userId !== user.id && user.role !== 'admin' && user.role !== 'leader') {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
+
   const router = await getRouter(sessionId)
   return router.rtpCapabilities
 })

server/api/me/avatar.delete.js

@@ -6,7 +6,14 @@ import { requireAuth } from '../../utils/authHelpers.js'
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   if (!user.avatar_path) return { ok: true }
-  const path = join(getAvatarsDir(), user.avatar_path)
+
+  // Validate avatar path to prevent path traversal attacks
+  const filename = user.avatar_path
+  if (!filename || !/^[a-f0-9-]+\.(?:jpg|jpeg|png)$/i.test(filename)) {
+    throw createError({ statusCode: 400, message: 'Invalid avatar path' })
+  }
+
+  const path = join(getAvatarsDir(), filename)
   await unlink(path).catch(() => {})
   const { run } = await getDb()
   await run('UPDATE users SET avatar_path = NULL WHERE id = ?', [user.id])

server/api/me/avatar.get.js

@@ -8,8 +8,15 @@ const MIME = Object.freeze({ jpg: 'image/jpeg', jpeg: 'image/jpeg', png: 'image/
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   if (!user.avatar_path) throw createError({ statusCode: 404, message: 'No avatar' })
-  const path = join(getAvatarsDir(), user.avatar_path)
-  const ext = user.avatar_path.split('.').pop()?.toLowerCase()
+
+  // Validate avatar path to prevent path traversal attacks
+  const filename = user.avatar_path
+  if (!filename || !/^[a-f0-9-]+\.(?:jpg|jpeg|png)$/i.test(filename)) {
+    throw createError({ statusCode: 400, message: 'Invalid avatar path' })
+  }
+
+  const path = join(getAvatarsDir(), filename)
+  const ext = filename.split('.').pop()?.toLowerCase()
   const mime = MIME[ext] ?? 'application/octet-stream'
   try {
     const buf = await readFile(path)

server/api/me/avatar.put.js

@@ -8,6 +8,24 @@ const MAX_SIZE = 2 * 1024 * 1024
 const ALLOWED_TYPES = Object.freeze(['image/jpeg', 'image/png'])
 const EXT_BY_MIME = Object.freeze({ 'image/jpeg': 'jpg', 'image/png': 'png' })
 
+/**
+ * Validate image content using magic bytes to prevent MIME type spoofing.
+ * @param {Buffer} buffer - File data buffer
+ * @returns {string|null} Detected MIME type or null if invalid
+ */
+function validateImageContent(buffer) {
+  if (!buffer || buffer.length < 8) return null
+  // JPEG: FF D8 FF
+  if (buffer[0] === 0xFF && buffer[1] === 0xD8 && buffer[2] === 0xFF) {
+    return 'image/jpeg'
+  }
+  // PNG: 89 50 4E 47 0D 0A 1A 0A
+  if (buffer[0] === 0x89 && buffer[1] === 0x50 && buffer[2] === 0x4E && buffer[3] === 0x47) {
+    return 'image/png'
+  }
+  return null
+}
+
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   const form = await readMultipartFormData(event)
@@ -16,7 +34,14 @@ export default defineEventHandler(async (event) => {
   if (file.data.length > MAX_SIZE) throw createError({ statusCode: 400, message: 'File too large' })
   const mime = file.type ?? ''
   if (!ALLOWED_TYPES.includes(mime)) throw createError({ statusCode: 400, message: 'Invalid type; use JPEG or PNG' })
-  const ext = EXT_BY_MIME[mime] ?? 'jpg'
+
+  // Validate file content matches declared MIME type
+  const actualMime = validateImageContent(file.data)
+  if (!actualMime || actualMime !== mime) {
+    throw createError({ statusCode: 400, message: 'File content does not match declared type' })
+  }
+
+  const ext = EXT_BY_MIME[actualMime] ?? 'jpg'
   const filename = `${user.id}.${ext}`
   const dir = getAvatarsDir()
   const path = join(dir, filename)

server/api/me/cot-password.put.js

@@ -0,0 +1,26 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+import { hashPassword } from '../../utils/password.js'
+
+export default defineEventHandler(async (event) => {
+  const currentUser = requireAuth(event)
+  const body = await readBody(event).catch(() => ({}))
+  const password = body?.password
+
+  if (typeof password !== 'string' || password.length < 1) {
+    throw createError({ statusCode: 400, message: 'Password is required' })
+  }
+
+  const { get, run } = await getDb()
+  const user = await get(
+    'SELECT id, auth_provider FROM users WHERE id = ?',
+    [currentUser.id],
+  )
+  if (!user) {
+    throw createError({ statusCode: 404, message: 'User not found' })
+  }
+
+  const hash = hashPassword(password)
+  await run('UPDATE users SET cot_password_hash = ? WHERE id = ?', [hash, currentUser.id])
+  return { ok: true }
+})

server/api/pois.post.js

@@ -1,6 +1,6 @@
 import { getDb } from '../utils/db.js'
 import { requireAuth } from '../utils/authHelpers.js'
-import { POI_ICON_TYPES } from '../utils/poiConstants.js'
+import { POI_ICON_TYPES } from '../utils/validation.js'
 
 export default defineEventHandler(async (event) => {
   requireAuth(event, { role: 'adminOrLeader' })

server/api/pois/[id].patch.js

@@ -1,39 +1,37 @@
 import { getDb } from '../../utils/db.js'
 import { requireAuth } from '../../utils/authHelpers.js'
-import { POI_ICON_TYPES } from '../../utils/poiConstants.js'
+import { POI_ICON_TYPES } from '../../utils/validation.js'
+import { buildUpdateQuery } from '../../utils/queryBuilder.js'
 
 export default defineEventHandler(async (event) => {
   requireAuth(event, { role: 'adminOrLeader' })
   const id = event.context.params?.id
   if (!id) throw createError({ statusCode: 400, message: 'id required' })
   const body = (await readBody(event)) || {}
-  const updates = []
-  const params = []
+  const updates = {}
   if (typeof body.label === 'string') {
-    updates.push('label = ?')
-    params.push(body.label.trim())
+    updates.label = body.label.trim()
   }
   if (POI_ICON_TYPES.includes(body.iconType)) {
-    updates.push('icon_type = ?')
-    params.push(body.iconType)
+    updates.icon_type = body.iconType
   }
   if (Number.isFinite(body.lat)) {
-    updates.push('lat = ?')
-    params.push(body.lat)
+    updates.lat = body.lat
   }
   if (Number.isFinite(body.lng)) {
-    updates.push('lng = ?')
-    params.push(body.lng)
+    updates.lng = body.lng
   }
-  if (updates.length === 0) {
+  if (Object.keys(updates).length === 0) {
     const { get } = await getDb()
     const row = await get('SELECT id, lat, lng, label, icon_type FROM pois WHERE id = ?', [id])
     if (!row) throw createError({ statusCode: 404, message: 'POI not found' })
     return row
   }
-  params.push(id)
   const { run, get } = await getDb()
-  await run(`UPDATE pois SET ${updates.join(', ')} WHERE id = ?`, params)
+  const { query, params } = buildUpdateQuery('pois', null, updates)
+  if (query) {
+    await run(query, [...params, id])
+  }
   const row = await get('SELECT id, lat, lng, label, icon_type FROM pois WHERE id = ?', [id])
   if (!row) throw createError({ statusCode: 404, message: 'POI not found' })
   return row

server/api/users.post.js

@@ -1,4 +1,4 @@
-import { getDb } from '../utils/db.js'
+import { getDb, withTransaction } from '../utils/db.js'
 import { requireAuth } from '../utils/authHelpers.js'
 import { hashPassword } from '../utils/password.js'
 
@@ -21,18 +21,20 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' })
   }
 
-  const { run, get } = await getDb()
-  const existing = await get('SELECT id FROM users WHERE identifier = ?', [identifier])
-  if (existing) {
-    throw createError({ statusCode: 409, message: 'Identifier already in use' })
-  }
+  const db = await getDb()
+  return withTransaction(db, async ({ run, get }) => {
+    const existing = await get('SELECT id FROM users WHERE identifier = ?', [identifier])
+    if (existing) {
+      throw createError({ statusCode: 409, message: 'Identifier already in use' })
+    }
 
-  const id = crypto.randomUUID()
-  const now = new Date().toISOString()
-  await run(
-    'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
-    [id, identifier, hashPassword(password), role, now, 'local', null, null],
-  )
-  const user = await get('SELECT id, identifier, role, auth_provider FROM users WHERE id = ?', [id])
-  return user
+    const id = crypto.randomUUID()
+    const now = new Date().toISOString()
+    await run(
+      'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
+      [id, identifier, hashPassword(password), role, now, 'local', null, null],
+    )
+    const user = await get('SELECT id, identifier, role, auth_provider FROM users WHERE id = ?', [id])
+    return user
+  })
 })

server/api/users/[id].patch.js

@@ -1,6 +1,7 @@
-import { getDb } from '../../utils/db.js'
+import { getDb, withTransaction } from '../../utils/db.js'
 import { requireAuth } from '../../utils/authHelpers.js'
 import { hashPassword } from '../../utils/password.js'
+import { buildUpdateQuery } from '../../utils/queryBuilder.js'
 
 const ROLES = ['admin', 'leader', 'member']
 
@@ -9,52 +10,52 @@ export default defineEventHandler(async (event) => {
   const id = event.context.params?.id
   if (!id) throw createError({ statusCode: 400, message: 'id required' })
   const body = await readBody(event)
-  const { run, get } = await getDb()
+  const db = await getDb()
 
-  const user = await get('SELECT id, identifier, role, auth_provider, password_hash FROM users WHERE id = ?', [id])
-  if (!user) throw createError({ statusCode: 404, message: 'User not found' })
+  return withTransaction(db, async ({ run, get }) => {
+    const user = await get('SELECT id, identifier, role, auth_provider, password_hash FROM users WHERE id = ?', [id])
+    if (!user) throw createError({ statusCode: 404, message: 'User not found' })
 
-  const updates = []
-  const params = []
+    const updates = {}
 
-  if (body?.role !== undefined) {
-    const role = body.role
-    if (!role || !ROLES.includes(role)) {
-      throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' })
-    }
-    updates.push('role = ?')
-    params.push(role)
-  }
-
-  if (user.auth_provider === 'local') {
-    if (body?.identifier !== undefined) {
-      const identifier = body.identifier?.trim()
-      if (!identifier || identifier.length < 1) {
-        throw createError({ statusCode: 400, message: 'identifier cannot be empty' })
+    if (body?.role !== undefined) {
+      const role = body.role
+      if (!role || !ROLES.includes(role)) {
+        throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' })
       }
-      const existing = await get('SELECT id FROM users WHERE identifier = ? AND id != ?', [identifier, id])
-      if (existing) {
-        throw createError({ statusCode: 409, message: 'Identifier already in use' })
-      }
-      updates.push('identifier = ?')
-      params.push(identifier)
+      updates.role = role
     }
-    if (body?.password !== undefined && body.password !== '') {
-      const password = body.password
-      if (typeof password !== 'string' || password.length < 1) {
-        throw createError({ statusCode: 400, message: 'password cannot be empty' })
+
+    if (user.auth_provider === 'local') {
+      if (body?.identifier !== undefined) {
+        const identifier = body.identifier?.trim()
+        if (!identifier || identifier.length < 1) {
+          throw createError({ statusCode: 400, message: 'identifier cannot be empty' })
+        }
+        const existing = await get('SELECT id FROM users WHERE identifier = ? AND id != ?', [identifier, id])
+        if (existing) {
+          throw createError({ statusCode: 409, message: 'Identifier already in use' })
+        }
+        updates.identifier = identifier
+      }
+      if (body?.password !== undefined && body.password !== '') {
+        const password = body.password
+        if (typeof password !== 'string' || password.length < 1) {
+          throw createError({ statusCode: 400, message: 'password cannot be empty' })
+        }
+        updates.password_hash = hashPassword(password)
       }
-      updates.push('password_hash = ?')
-      params.push(hashPassword(password))
     }
-  }
 
-  if (updates.length === 0) {
-    return { id: user.id, identifier: user.identifier, role: user.role, auth_provider: user.auth_provider ?? 'local' }
-  }
+    if (Object.keys(updates).length === 0) {
+      return { id: user.id, identifier: user.identifier, role: user.role, auth_provider: user.auth_provider ?? 'local' }
+    }
 
-  params.push(id)
-  await run(`UPDATE users SET ${updates.join(', ')} WHERE id = ?`, params)
-  const updated = await get('SELECT id, identifier, role, auth_provider FROM users WHERE id = ?', [id])
-  return updated
+    const { query, params } = buildUpdateQuery('users', null, updates)
+    if (query) {
+      await run(query, [...params, id])
+    }
+    const updated = await get('SELECT id, identifier, role, auth_provider FROM users WHERE id = ?', [id])
+    return updated
+  })
 })