AIGCS

Security

Security features and configuration

Authentication

Registration

  • First registered user gets the admin role
  • Subsequent registration controlled by REGISTRATION_OPEN env var
  • Registration requires email, username, and password

Login Flow

1. User submits email/username + password
2. Server verifies with Argon2id hash
3. If TOTP enabled → return tempToken, require TOTP code
4. If TOTP disabled → return access + refresh tokens

JWT Tokens

TokenLifetimeUsage
Access Token15 minutesAPI authentication (Authorization: Bearer)
Refresh Token7 daysGet new access token via POST /auth/refresh

Two-Factor Authentication (TOTP)

AIGCS supports Time-based One-Time Password (TOTP) 2FA.

Setup

  1. Go to Profile → Two-Factor Authentication
  2. Click Enable (requires re-entering password)
  3. Scan the QR code with your authenticator app (Google Authenticator, Authy, etc.)
  4. Enter a code from the app to verify
  5. Save the 8 backup codes (each can be used once)

Login with TOTP

POST /api/auth/login
→ 200 with tempToken (TOTP required)

POST /api/auth/totp/verify
Body: { tempToken, code }
→ 200 with access + refresh tokens

Recovery

If you lose access to your authenticator app, use one of the 8 backup codes.

API Tokens

API tokens provide machine access without browser login.

aigcs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ScopePermissions
readRead-only access to public APIs
read_writeRead and write to widget/comments APIs
adminFull admin API access

Tokens are stored as SHA-256 hashes.

CSRF Protection

All mutating requests to /api/admin/* require the header:

X-Requested-With: XMLHttpRequest

The admin panel automatically adds this header to all fetch requests.

CORS Configuration

Configured in Settings → CORS Allowed Origins and ALLOWED_ORIGINS env var.

SettingBehavior
Empty listOnly site's registered domain allowed
*All origins allowed
Comma-separated URLsSpecific origins only

Widget requests also validate Origin against the site's domain.

Rate Limiting

LimitDefaultScope
Admin API100 req / 60sPer IP
Widget Reactions50 req / hourPer visitor
Verification Codes5 req / dayPer email

Configure via RATE_LIMIT_MAX and RATE_LIMIT_WINDOW env vars.

CAPTCHA

Configure in Settings → CAPTCHA. Supported providers:

ProviderTypeNotes
Cloudflare TurnstileFree, invisibleRecommended
Google reCAPTCHAFreev2/v3
GeeTestCommercialv4
hCaptchaFree/paidPrivacy-focused
AltchaSelf-hostedLocal HMAC verification
CAP.soCommercial

SSRF Protection

safeFetch protects against Server-Side Request Forgery:

  • Blocks private IPs: 10.x, 172.16-31.x, 192.168.x, localhost, 127.x.x.x
  • Limits redirects: max 5 redirects
  • Limits response size: max 10MB
  • Used for: avatar proxy, page content fetching

Encryption

DataAlgorithm
API KeysAES-256-GCM
SMTP PasswordsAES-256-GCM
TOTP SecretsAES-256-GCM

Encryption key derived from ENCRYPTION_KEY (falls back to JWT_SECRET).

Password Hashing

AlgorithmStatus
Argon2idPrimary (resistant to GPU/ASIC attacks)
bcryptLegacy support (auto-upgraded on login)

XSS Prevention

  • Server-side: DOMPurify sanitization with allowlisted tags
  • Client-side: Widget uses textContent for all content insertion
  • Allowed tags: p, br, strong, em, b, i, a, ul, ol, li, blockquote, pre, code, h1-h6

HSTS

Strict-Transport-Security: max-age=31536000; includeSubDomains

Enabled by default in the server middleware.

On this page