Merge branch 'main' of ssh://git.np-dms.work:2222/np-dms/lcbp3.np-dms.work

.qsync/meta/meta.conf

@@ -1,4 +1,4 @@
 [/dms]
-max_log = 494130
+max_log = 496206
 number = 3
 finish = 1

.qsync/meta/qmeta1

@@ -1,3 +1,50 @@
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@napi-rs
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@pkgjs
+parseargs/:1759204685:0
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@pkgjs/parseargs
+.editorconfig:1759204685:299
+LICENSE:1759204685:11357
+internal/:1759204685:0
+index.js:1759204685:12936
+examples/:1759204685:0
+utils.js:1759204685:6251
+package.json:1759204685:881
+CHANGELOG.md:1759204685:6968
+README.md:1759204685:13642
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@pkgjs/parseargs/examples
+is-default-value.js:1759204685:765
+limit-long-syntax.js:1759204685:1071
+negate.js:1759204685:1314
+no-repeated-options.js:1759204685:897
+simple-hard-coded.js:1759204685:540
+ordered-options.mjs:1759204685:1396
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@pkgjs/parseargs/internal
+errors.js:1759204685:1431
+primordials.js:1759204685:11947
+util.js:1759204685:235
+validators.js:1759204685:2243
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@rtsao
+scc/:1759204688:0
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@rtsao/scc
+LICENSE:1759204688:1066
+index.js.flow:1759204688:116
+index.js:1759204688:1137
+package.json:1759204688:120
+README.md:1759204688:1100
+index.d.ts:1759204688:72
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@rushstack
+eslint-patch/:1759204689:0
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@rushstack/eslint-patch
+LICENSE:1759204687:1120
+lib/:1759204690:0
+.eslintrc.js:1759204688:805
+custom-config-package-names.js:1759204688:46
+eslint-bulk-suppressions.js:1759204689:43
+modern-module-resolution.js:1759204689:43
+CHANGELOG.json:1759204689:11790
+package.json:1759204689:1040
+CHANGELOG.md:1759204689:4977
+README.md:1759204689:11812
 /share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/@rushstack/eslint-patch/lib
 _patch-base.js:1759204687:13396
 eslint-bulk-suppressions/:1759204690:0
@@ -2008,6 +2055,42 @@ index.js:1759204688:4971
 package.json:1759204688:903
 README.md:1759204688:11117
 index.d.ts:1759204689:63
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/jsonwebtoken
+LICENSE:1759223641:1121
+lib/:1759223641:0
+decode.js:1759223641:767
+index.js:1759223641:276
+sign.js:1759223641:9350
+verify.js:1759223641:8612
+package.json:1759223641:1507
+README.md:1759223641:17709
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/jsonwebtoken/lib
+asymmetricKeyDetailsSupported.js:1759223641:99
+JsonWebTokenError.js:1759223641:428
+NotBeforeError.js:1759223641:362
+psSupported.js:1759223641:107
+rsaPssKeyDetailsSupported.js:1759223641:99
+timespan.js:1759223641:412
+TokenExpiredError.js:1759223641:395
+validateAsymmetricKey.js:1759223641:2238
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/buffer-equal-constant-time
+package.json:1759223641:484
+.npmignore:1759223641:26
+README.md:1759223641:1101
+index.js:1759223641:1045
+test.js:1759223641:1013
+.travis.yml:1759223641:45
+LICENSE.txt:1759223641:1518
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/lodash.once
+package.json:1759223641:737
+README.md:1759223641:439
+LICENSE:1759223641:1951
+index.js:1759223641:7094
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/lodash.includes
+package.json:1759223641:749
+README.md:1759223641:467
+LICENSE:1759223641:1951
+index.js:1759223641:18716
 /share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/wrap-ansi
 node_modules/:1759204682:0
 license:1759204684:1117
@@ -5883,6 +5966,16 @@ react-dom-test-utils.production.min.js:1759204690:12616
 react-dom.development.js:1759204690:1029622
 react-dom.production.min.js:1759204690:131685
 react-dom.profiling.min.js:1759204690:141112
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/jwa
+LICENSE:1759223641:1068
+index.js:1759223641:6801
+package.json:1759223641:749
+README.md:1759223641:5371
+/share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/lodash.isinteger
+package.json:1759223641:752
+README.md:1759223641:474
+LICENSE:1759223641:1951
+index.js:1759223641:6036
 /share/CACHEDEV1_DATA/Container/dms/frontend/node_modules/eslint-import-resolver-node
 node_modules/:1759204682:0
 LICENSE:1759204687:1078

n8n-postgres/postmaster.pid

@@ -1,6 +1,6 @@
 1
 /var/lib/postgresql/data
-1759223930
+1759295885
 5432
 /var/run/postgresql
 *

npm/data/nginx/proxy_host/3.conf

@@ -65,16 +65,28 @@ client_max_body_size 200m;
 client_body_timeout  60s;
 send_timeout         60s;
 
+# ===== Proxy headers พื้นฐาน (ให้ backend รู้ proto จริง) =====
+proxy_set_header X-Forwarded-Proto $scheme;
+
 # ===== WebSocket/SSE header ระดับ Host =====
+# หมายเหตุ: ถ้า $connection_upgrade ยังไม่ถูกนิยามในระบบคุณ
+# ให้เปลี่ยนบรรทัดที่สองเป็น:  proxy_set_header Connection "upgrade";
 proxy_set_header Upgrade    $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
 
+# ===== สำคัญสำหรับคุกกี้ HttpOnly =====
+# อย่าตัด Set-Cookie ของ backend ทิ้ง
+proxy_pass_header Set-Cookie;
+
 # ===== Security headers ระดับ Host =====
 add_header X-Content-Type-Options nosniff always;
 add_header X-Frame-Options SAMEORIGIN always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
 # เปิด HSTS เมื่อมั่นใจว่าทุก subdomain ใช้ HTTPS เท่านั้น
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+# (ถ้ามีซับโดเมนที่ยังไม่ HTTPS ให้เอา includeSubDomains ออกชั่วคราว)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
 
   location /health {
     proxy_set_header Host  $host;
@@ -154,12 +166,13 @@ add_header Cache-Control "public, max-age=31536000, immutable";
   }
 
   location /api/ {
-    proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto https;
+    # === upstream headers พื้นฐาน ===
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;     # แก้จาก "https" → ใช้ $scheme ให้ถูกตามจริง
 
-# WebSocket/SSE เผื่อใช้
+# WebSocket/SSE
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 
@@ -167,14 +180,24 @@ proxy_read_timeout 300s;
 proxy_send_timeout 300s;
 proxy_redirect off;
 
+# >>> สำคัญสำหรับคุกกี้ <<<
+proxy_pass_header Set-Cookie;      # ให้ Nginx ส่ง Set-Cookie กลับ client (ห้ามตัดทิ้ง)
+
 # ---- CORS allowlist ----
 set $cors_allow_origin "";
 if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") {
   set $cors_allow_origin $http_origin;
 }
-add_header Access-Control-Allow-Origin $cors_allow_origin always;
+
 add_header Vary "Origin" always;
 add_header Access-Control-Allow-Credentials "true" always;
+
+# ถ้าต้องการ allow เฉพาะที่ match เท่านั้น ให้คง pattern เดิมไว้
+add_header Access-Control-Allow-Origin $cors_allow_origin always;
+
+# เผย header ที่จำเป็นต่อการดาวน์โหลด/ดูไฟล์
+add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always;
+
 add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
 add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always;
 
@@ -249,3 +272,4 @@ if ($request_method = OPTIONS) {
   # Custom
   include /data/nginx/custom/server_proxy[.]conf;
 }
+