major: kestrel is now a tak server (#6)

## Added

- CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity
- Support for TAK stream protocol and traditional XML CoT messages
- TLS/SSL support with automatic fallback to plain TCP
- Username/password authentication for CoT connections
- Real-time device position tracking with TTL-based expiration (90s default)
- API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password`
- TAK Server section in Settings with QR code for iTAK setup
- ATAK password management in Account page for OIDC users
- CoT device markers on map showing real-time positions
- Comprehensive documentation in `docs/` directory
- Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG`
- Dependencies: `fast-xml-parser`, `jszip`, `qrcode`

## Changed

- Authentication system supports CoT password management for OIDC users
- Database schema includes `cot_password_hash` field
- Test suite refactored to follow functional design principles

## Removed

- Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js`

## Security

- XML entity expansion protection in CoT parser
- Enhanced input validation and SQL injection prevention
- Authentication timeout to prevent hanging connections

## Breaking Changes

- Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations.

## Migration Notes

- OIDC users must set ATAK password via Account settings before connecting
- Docker: expose port 8089 (`-p 8089:8089`)
- Kubernetes: update Helm values to expose port 8089

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #6

server/api/me/avatar.delete.js

@@ -6,7 +6,14 @@ import { requireAuth } from '../../utils/authHelpers.js'
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   if (!user.avatar_path) return { ok: true }
-  const path = join(getAvatarsDir(), user.avatar_path)
+
+  // Validate avatar path to prevent path traversal attacks
+  const filename = user.avatar_path
+  if (!filename || !/^[a-f0-9-]+\.(?:jpg|jpeg|png)$/i.test(filename)) {
+    throw createError({ statusCode: 400, message: 'Invalid avatar path' })
+  }
+
+  const path = join(getAvatarsDir(), filename)
   await unlink(path).catch(() => {})
   const { run } = await getDb()
   await run('UPDATE users SET avatar_path = NULL WHERE id = ?', [user.id])

server/api/me/avatar.get.js

@@ -8,8 +8,15 @@ const MIME = Object.freeze({ jpg: 'image/jpeg', jpeg: 'image/jpeg', png: 'image/
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   if (!user.avatar_path) throw createError({ statusCode: 404, message: 'No avatar' })
-  const path = join(getAvatarsDir(), user.avatar_path)
-  const ext = user.avatar_path.split('.').pop()?.toLowerCase()
+
+  // Validate avatar path to prevent path traversal attacks
+  const filename = user.avatar_path
+  if (!filename || !/^[a-f0-9-]+\.(?:jpg|jpeg|png)$/i.test(filename)) {
+    throw createError({ statusCode: 400, message: 'Invalid avatar path' })
+  }
+
+  const path = join(getAvatarsDir(), filename)
+  const ext = filename.split('.').pop()?.toLowerCase()
   const mime = MIME[ext] ?? 'application/octet-stream'
   try {
     const buf = await readFile(path)

server/api/me/avatar.put.js

@@ -8,6 +8,24 @@ const MAX_SIZE = 2 * 1024 * 1024
 const ALLOWED_TYPES = Object.freeze(['image/jpeg', 'image/png'])
 const EXT_BY_MIME = Object.freeze({ 'image/jpeg': 'jpg', 'image/png': 'png' })
 
+/**
+ * Validate image content using magic bytes to prevent MIME type spoofing.
+ * @param {Buffer} buffer - File data buffer
+ * @returns {string|null} Detected MIME type or null if invalid
+ */
+function validateImageContent(buffer) {
+  if (!buffer || buffer.length < 8) return null
+  // JPEG: FF D8 FF
+  if (buffer[0] === 0xFF && buffer[1] === 0xD8 && buffer[2] === 0xFF) {
+    return 'image/jpeg'
+  }
+  // PNG: 89 50 4E 47 0D 0A 1A 0A
+  if (buffer[0] === 0x89 && buffer[1] === 0x50 && buffer[2] === 0x4E && buffer[3] === 0x47) {
+    return 'image/png'
+  }
+  return null
+}
+
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   const form = await readMultipartFormData(event)
@@ -16,7 +34,14 @@ export default defineEventHandler(async (event) => {
   if (file.data.length > MAX_SIZE) throw createError({ statusCode: 400, message: 'File too large' })
   const mime = file.type ?? ''
   if (!ALLOWED_TYPES.includes(mime)) throw createError({ statusCode: 400, message: 'Invalid type; use JPEG or PNG' })
-  const ext = EXT_BY_MIME[mime] ?? 'jpg'
+
+  // Validate file content matches declared MIME type
+  const actualMime = validateImageContent(file.data)
+  if (!actualMime || actualMime !== mime) {
+    throw createError({ statusCode: 400, message: 'File content does not match declared type' })
+  }
+
+  const ext = EXT_BY_MIME[actualMime] ?? 'jpg'
   const filename = `${user.id}.${ext}`
   const dir = getAvatarsDir()
   const path = join(dir, filename)

server/api/me/cot-password.put.js

@@ -0,0 +1,26 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+import { hashPassword } from '../../utils/password.js'
+
+export default defineEventHandler(async (event) => {
+  const currentUser = requireAuth(event)
+  const body = await readBody(event).catch(() => ({}))
+  const password = body?.password
+
+  if (typeof password !== 'string' || password.length < 1) {
+    throw createError({ statusCode: 400, message: 'Password is required' })
+  }
+
+  const { get, run } = await getDb()
+  const user = await get(
+    'SELECT id, auth_provider FROM users WHERE id = ?',
+    [currentUser.id],
+  )
+  if (!user) {
+    throw createError({ statusCode: 404, message: 'User not found' })
+  }
+
+  const hash = hashPassword(password)
+  await run('UPDATE users SET cot_password_hash = ? WHERE id = ?', [hash, currentUser.id])
+  return { ok: true }
+})