feat: Phase 3 - Admin settings system with encryption
Implement system-wide configuration management with encrypted storage for sensitive data:
Database:
- Migration 006: system_settings table with encryption support
- Migration 007: is_system_admin flag for users table
Services:
- settings.service.js: Configuration management with AES-256-GCM encryption
- getSetting, setSetting, deleteSetting
- Category-based organization
- Auto-encrypt/decrypt sensitive values
- Email configuration testing
Routes:
- settings.routes.js: 8 admin-only endpoints (CRUD settings, categories, test email)
Middleware:
- requireSystemAdmin: Verify system admin privileges (via SYSTEM_ADMIN_EMAILS env var or is_system_admin flag)
Default Settings:
- Email: SMTP configuration (host, port, credentials)
- Security: Email verification, password rules, lockout settings
- General: App name, support email, file size limits
Encryption:
- AES-256-GCM authenticated encryption
- Prevents tampering
- Per-setting encryption flag
- Secure key management via SETTINGS_ENCRYPTION_KEY env var
Environment:
- .env.example: Template for all required configuration
- Added SETTINGS_ENCRYPTION_KEY and SYSTEM_ADMIN_EMAILS
Production-ready admin configuration panel.
🤖 Generated with Claude Code
04c7230046