123da1b5c4
Security:
- Force API key auth for LAN (non-loopback) requests; remove shipped dev key
- Block path-traversal in backup restore; require auth on backup endpoints
- SSRF protection: DNS resolve + private/loopback/link-local IP rejection
- AES-256-GCM encryption for HA tokens and MQTT passwords with auto-migration
- WebSocket auth migrated from query-string to first-message protocol
- Asset upload: extension allowlist, server-side mime, Content-Disposition
- Update installer: SHA256 verification, tar/zip member validation
- Tightened CORS (explicit methods/headers, no credentials)
- ADB serial regex allowlist, webhook rate-limit key fix, log scrubbing

Android:
- Root-capture: ordered teardown, screenrecord respawn watchdog, child reaping
- USB permission blocking API via CompletableDeferred
- Python init crash guard with fatal-error screen
- Moved root grant + QR generation off Main thread
- Cached PyObject engine for per-frame bridge calls
- Ordered ScreenCapture resource cleanup, allowBackup=false

Python:
- Replaced all asyncio.get_event_loop() with get_running_loop/to_thread
- Split color_strip_sources.py (1683->5 files) and color_strip_stream.py (1324->7 files) into packages
- Extracted FrameLimiter utility, migrated 9 stream loops
- Provider base-class reuse, WLED state caching + URL normalization
- Narrowed broad except-pass in WS routes, threading fixes in BaseStore

Frontend:
- XSS fix: escapeHtml on dynamic option labels, reconcile-based list renders
- Typed DOM helpers, safe localStorage access, AbortController listener hygiene
- openAuthedWs helper for first-message WS auth protocol
- Migrated remaining plain <select>s to IconSelect/EntitySelect

Design:
- WCAG AA primary color on light theme (#2e7d32, 5.4:1 contrast)
- Android TV 10-foot breakpoint (tv.css)
- Consolidated z-index tokens, unified easing, card-running GPU hints
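The loopback-versus-LAN decision behind the first Security bullet ("Force API key auth for LAN (non-loopback) requests"), written out as an added example for this page rather than ledgrab's own middleware. It assumes a request object exposing the peer IP and headers, an `api_keys` mapping of label to key, and the function names used here; all of those are illustrative, not the project's API. Loopback peers (127.0.0.0/8, ::1, and IPv4-mapped ::ffff:127.0.0.1) pass anonymously, every other peer must present a configured key as `Authorization: Bearer <api-key>`, and an empty key map rejects all non-loopback traffic with 401.

```python
"""Added example (not ledgrab's own code): loopback-anonymous, LAN-requires-API-key
request policy. Request/AuthResult shapes and function names are assumptions."""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for this example)."""
    client_ip: str
    headers: dict = field(default_factory=dict)


@dataclass
class AuthResult:
    status: int        # 200 when allowed, 401 when rejected
    principal: str     # "loopback" or the label of the matching API key
    reason: str = ""


def is_loopback(client_ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1, including IPv4-mapped ::ffff:127.0.0.1.
    Note this is a peer-address check: "localhost" only counts because it
    resolves to one of these addresses, never because of a Host header."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable peer address is never trusted as loopback
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def bearer_token(headers: dict) -> Optional[str]:
    """Extract the token from `Authorization: Bearer <api-key>`; None if absent."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(request: Request, api_keys: dict) -> AuthResult:
    """Decide whether a request may proceed.

    Policy:
      - loopback peers are allowed anonymously
      - non-loopback peers must present a key from api_keys (label -> key)
      - with no keys configured, every non-loopback request gets 401
    """
    if is_loopback(request.client_ip):
        return AuthResult(200, "loopback")

    token = bearer_token(request.headers)
    if token is None:
        return AuthResult(401, "", "missing bearer token")

    # Compare against every configured key with a constant-time comparison and
    # without breaking early, so response timing does not reveal which key (or
    # how much of it) matched.
    matched = ""
    for label, key in api_keys.items():
        if hmac.compare_digest(token.encode(), key.encode()):
            matched = label
    if matched:
        return AuthResult(200, matched)
    return AuthResult(401, "", "unknown api key")
```

The check is on the transport peer address, so it must run behind no reverse proxy that rewrites the peer to 127.0.0.1; if a proxy sits in front, derive the client address from a trusted forwarded header instead, or every proxied LAN request will look like loopback and bypass the key requirement.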
45 lines
1.3 KiB
YAML
server:
  host: "0.0.0.0"
  port: 8080
  log_level: "INFO"
  # CORS: restrict to localhost by default.
  # For LAN access, add your machine's IP, e.g. "http://192.168.1.100:8080"
  cors_origins:
    - "http://localhost:8080"

auth:
  # API keys — required for any non-loopback (LAN) request.
  # When empty:
  #   - loopback (127.0.0.1, ::1, localhost) requests are allowed anonymously
  #   - LAN requests are REJECTED with 401 (security default)
  # To enable LAN access, add one or more label: "api-key" entries below
  # and send `Authorization: Bearer <api-key>` with each request.
  # Generate secure keys: openssl rand -hex 32
  api_keys: {}
    # dev: "replace-with-openssl-rand-hex-32"

storage:
  database_file: "data/ledgrab.db"

mqtt:
  enabled: false
  broker_host: "localhost"
  broker_port: 1883
  username: ""
  password: ""
  client_id: "ledgrab"
  base_topic: "ledgrab"

logging:
  format: "json"  # json or text
  file: "logs/ledgrab.log"
  max_size_mb: 100
  backup_count: 5

updates:
  # When false (default), updates without a published sha256 checksum
  # (sibling .sha256 asset OR 64-hex string in release body) are aborted
  # before any installer/extractor runs. NEVER set true unless you
  # control the release server end-to-end.
  allow_unchecked: false