major: kestrel is now a tak server (#6)

## Added

- CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity
- Support for TAK stream protocol and traditional XML CoT messages
- TLS/SSL support with automatic fallback to plain TCP
- Username/password authentication for CoT connections
- Real-time device position tracking with TTL-based expiration (90s default)
- API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password`
- TAK Server section in Settings with QR code for iTAK setup
- ATAK password management in Account page for OIDC users
- CoT device markers on map showing real-time positions
- Comprehensive documentation in `docs/` directory
- Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG`
- Dependencies: `fast-xml-parser`, `jszip`, `qrcode`

## Changed

- Authentication system supports CoT password management for OIDC users
- Database schema includes `cot_password_hash` field
- Test suite refactored to follow functional design principles

## Removed

- Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js`

## Security

- XML entity expansion protection in CoT parser
- Enhanced input validation and SQL injection prevention
- Authentication timeout to prevent hanging connections

## Breaking Changes

- Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations.

## Migration Notes

- OIDC users must set ATAK password via Account settings before connecting
- Docker: expose port 8089 (`-p 8089:8089`)
- Kubernetes: update Helm values to expose port 8089

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #6

server/api/auth/config.get.js

@@ -1,3 +1,3 @@
-import { getAuthConfig } from '../../utils/authConfig.js'
+import { getAuthConfig } from '../../utils/oidc.js'
 
 export default defineEventHandler(() => getAuthConfig())

server/api/auth/login.post.js

@@ -1,7 +1,7 @@
 import { setCookie } from 'h3'
 import { getDb } from '../../utils/db.js'
 import { verifyPassword } from '../../utils/password.js'
-import { getSessionMaxAgeDays } from '../../utils/session.js'
+import { getSessionMaxAgeDays } from '../../utils/constants.js'
 
 export default defineEventHandler(async (event) => {
   const body = await readBody(event)
@@ -15,6 +15,10 @@ export default defineEventHandler(async (event) => {
   if (!user || !user.password_hash || !verifyPassword(password, user.password_hash)) {
     throw createError({ statusCode: 401, message: 'Invalid credentials' })
   }
+
+  // Invalidate all existing sessions for this user to prevent session fixation
+  await run('DELETE FROM sessions WHERE user_id = ?', [user.id])
+
   const sessionDays = getSessionMaxAgeDays()
   const sid = crypto.randomUUID()
   const now = new Date()

server/api/auth/oidc/authorize.get.js

@@ -1,5 +1,5 @@
-import { getAuthConfig } from '../../../utils/authConfig.js'
 import {
+  getAuthConfig,
   getOidcConfig,
   getOidcRedirectUri,
   createOidcParams,

server/api/auth/oidc/callback.get.js

@@ -6,7 +6,7 @@ import {
   exchangeCode,
 } from '../../../utils/oidc.js'
 import { getDb } from '../../../utils/db.js'
-import { getSessionMaxAgeDays } from '../../../utils/session.js'
+import { getSessionMaxAgeDays } from '../../../utils/constants.js'
 
 const DEFAULT_ROLE = process.env.OIDC_DEFAULT_ROLE || 'member'
 
@@ -74,6 +74,9 @@ export default defineEventHandler(async (event) => {
     user = await get('SELECT id, identifier, role FROM users WHERE id = ?', [id])
   }
 
+  // Invalidate all existing sessions for this user to prevent session fixation
+  await run('DELETE FROM sessions WHERE user_id = ?', [user.id])
+
   const sessionDays = getSessionMaxAgeDays()
   const sid = crypto.randomUUID()
   const now = new Date()