feat: comprehensive code review fixes — security, performance, quality

Backend security: - Reject Gitea webhooks when webhook_secret is empty (was silently skipping) - Add slowapi rate limiting on login (5/min) and setup (3/min) endpoints - Add CORS middleware with configurable origins - Mask telegram_webhook_secret in settings API response - Protect system-owned command template configs from regular user modification - Increase minimum password length to 8 characters Backend performance: - Batch queries in _resolve_command_context (3 queries instead of 3N) - Concurrent album fetching with asyncio.gather in immich commands - Singleton Jinja2 SandboxedEnvironment (reuse instead of per-render creation) - TTLCache for rate limits (bounded memory, auto-eviction) - Optional aiohttp session reuse in send_reply/send_media_group Backend code quality: - Extract dispatch_helpers.py (shared link_data loading + event filtering) - Extract database/seeds.py from main.py (490 lines → dedicated module) - Split immich_handler.py (415 lines) into commands/immich/ subpackage - Replace bare except blocks with logged warnings - Add per-provider config validation (Pydantic models) - Truncate command input to 512 chars - Expose usage_* and desc_* slots in capabilities and variables API Frontend security: - CSS.escape() for user-controlled querySelector in highlight.ts - Client-side password min 8 chars validation on setup and password change Frontend code quality: - Replace any types with proper interfaces across top files - Decompose targets/+page.svelte into TargetForm + ReceiverSection - Fix $derived.by usage, $state mutation patterns - Add console.warn to empty catch blocks Frontend UX: - Auth redirect via goto() with "Redirecting..." state - Platform-aware Ctrl/Cmd K keyboard hint - Remove stat-card hover transform Frontend accessibility: - Modal: role=dialog, aria-modal, focus trap, restore focus - EntitySelect/IconGridSelect: listbox/option roles, aria-selected/disabled
2026-03-23 01:59:51 +03:00
parent 31584c5d31
commit e0bae394ee
78 changed files with 2855 additions and 1658 deletions
@@ -1,6 +1,5 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
-	import { slide } from 'svelte/transition';
 	import { page } from '$app/state';
 	import { api } from '$lib/api';
 	import { t, getLocale } from '$lib/i18n';
@@ -8,23 +7,22 @@
 	import PageHeader from '$lib/components/PageHeader.svelte';
 	import Card from '$lib/components/Card.svelte';
 	import Loading from '$lib/components/Loading.svelte';
-	import IconPicker from '$lib/components/IconPicker.svelte';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
 	import EmptyState from '$lib/components/EmptyState.svelte';
 	import ConfirmModal from '$lib/components/ConfirmModal.svelte';
-	import Hint from '$lib/components/Hint.svelte';
 	import IconButton from '$lib/components/IconButton.svelte';
 	import CrossLink from '$lib/components/CrossLink.svelte';
-	import IconGridSelect from '$lib/components/IconGridSelect.svelte';
-	import EntitySelect from '$lib/components/EntitySelect.svelte';
 	import { chatActionItems } from '$lib/grid-items';
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
 	import { highlightFromUrl } from '$lib/highlight';
 	import type { NotificationTarget, TargetReceiver, TelegramChat } from '$lib/types';

+	import TargetForm from './TargetForm.svelte';
+	import ReceiverSection from './ReceiverSection.svelte';
+
 	// ── Helpers ──

-	function getBotName(target: any): string | null {
+	function getBotName(target: NotificationTarget): string | null {
 		if (target.type === 'telegram' && target.config?.bot_id) {
 			const bot = telegramBots.find(b => b.id === target.config.bot_id);
 			return bot?.name || null;
@@ -40,14 +38,14 @@
 		return null;
 	}

-	function getBotHref(target: any): string {
+	function getBotHref(target: NotificationTarget): string {
 		if (target.type === 'telegram') return '/bots?tab=telegram';
 		if (target.type === 'email') return '/bots?tab=email';
 		if (target.type === 'matrix') return '/bots?tab=matrix';
 		return '/bots?tab=telegram';
 	}

-	function getBotEntityId(target: any): number | null {
+	function getBotEntityId(target: NotificationTarget): number | null {
 		if (target.type === 'telegram') return target.config?.bot_id || null;
 		if (target.type === 'email') return target.config?.email_bot_id || null;
 		if (target.type === 'matrix') return target.config?.matrix_bot_id || null;
@@ -57,7 +55,7 @@
 	function receiverLabel(target: NotificationTarget, recv: TargetReceiver): string {
 		const c = recv.config || {};
 		if (target.type === 'telegram') {
-			return (recv as any).chat_name || c.chat_id || recv.receiver_key || '?';
+			return recv.chat_name || c.chat_id || recv.receiver_key || '?';
 		}
 		if (target.type === 'email') return c.email || recv.receiver_key || '?';
 		if (target.type === 'webhook') return c.url || recv.receiver_key || '?';
@@ -173,7 +171,10 @@

 	async function loadReceiverBotChats(botId: number) {
 		if (!botId) return;
-		try { receiverBotChats[botId] = await api(`/telegram-bots/${botId}/chats`); } catch {}
+		try {
+			const data = await api<TelegramChat[]>(`/telegram-bots/${botId}/chats`);
+			receiverBotChats = { ...receiverBotChats, [botId]: data };
+		} catch (e) { console.warn('Failed to load bot chats:', e); }
 	}

 	// ── Target CRUD ──
@@ -223,7 +224,7 @@
 			if (formType === 'telegram') {
 				let botToken = form.bot_token;
 				if (form.bot_id && !botToken) {
-					const tokenRes = await api(`/telegram-bots/${form.bot_id}/token`);
+					const tokenRes = await api<{ token: string }>(`/telegram-bots/${form.bot_id}/token`);
 					botToken = tokenRes.token;
 				}
 				config = {
@@ -265,7 +266,7 @@

 	async function test(id: number) {
 		try {
-			const res = await api(`/targets/${id}/test?locale=${getLocale()}`, { method: 'POST' });
+			const res = await api<{ success: boolean; error?: string }>(`/targets/${id}/test?locale=${getLocale()}`, { method: 'POST' });
 			if (res.success) snackSuccess(t('snack.targetTestSent'));
 			else snackError(`Failed: ${res.error}`);
 		} catch (err: any) { snackError(err.message); }
@@ -317,7 +318,7 @@
 				const target = allTargets.find(t => t.id === addingReceiverForTarget);
 				const botId = target?.config?.bot_id || target?.config?.telegram_bot_id;
 				if (botId && receiverBotChats[botId]) {
-					const chat = receiverBotChats[botId].find((c: any) => String(c.chat_id) === String(config.chat_id));
+					const chat = receiverBotChats[botId].find((c: TelegramChat) => String(c.chat_id) === String(config.chat_id));
 					if (chat) {
 						config.chat_name = chat.title || chat.username || '';
 						if (chat.language_code) config.language_code = chat.language_code;
@@ -369,7 +370,7 @@
 	async function testReceiver(targetId: number, receiverId: number) {
 		receiverTesting = { ...receiverTesting, [receiverId]: true };
 		try {
-			const res = await api(`/targets/${targetId}/receivers/${receiverId}/test?locale=${getLocale()}`, { method: 'POST' });
+			const res = await api<{ success: boolean; error?: string }>(`/targets/${targetId}/receivers/${receiverId}/test?locale=${getLocale()}`, { method: 'POST' });
 			if (res.success) snackSuccess(t('snack.targetTestSent'));
 			else snackError(`Failed: ${res.error}`);
 		} catch (err: any) { snackError(err.message); }
@@ -391,108 +392,25 @@
 {/if}

 {#if showForm}
-	<div in:slide={{ duration: 200 }}>
-	<Card class="mb-6">
-		{#if error}<div class="bg-[var(--color-error-bg)] text-[var(--color-error-fg)] text-sm rounded-md p-3 mb-4">{error}</div>{/if}
-		<form onsubmit={save} class="space-y-4">
-			{#if !activeType}
-			<div>
-				<label class="block text-sm font-medium mb-1">{t('targets.type')}</label>
-				<IconGridSelect items={typeGridItems} bind:value={formType} columns={4} />
-			</div>
-			{/if}
-			<div>
-				<label for="tgt-name" class="block text-sm font-medium mb-1">{t('targets.name')}</label>
-				<div class="flex gap-2">
-					<IconPicker value={form.icon} onselect={(v: string) => form.icon = v} />
-					<input id="tgt-name" bind:value={form.name} required placeholder={t('targets.namePlaceholder')} class="flex-1 px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-				</div>
-			</div>
-			{#if formType === 'telegram'}
-				<div>
-					<label class="block text-sm font-medium mb-1">{t('telegramBot.selectBot')}</label>
-					<EntitySelect items={telegramBotItems} bind:value={form.bot_id} placeholder={t('telegramBot.selectBot')} />
-					{#if telegramBots.length === 0}
-						<p class="text-xs text-[var(--color-muted-foreground)] mt-1">{t('telegramBot.noBots')} <a href="/bots?tab=telegram" class="underline">→</a></p>
-					{/if}
-				</div>
-
-				<div class="border border-[var(--color-border)] rounded-md p-3">
-					<button type="button" onclick={() => showTelegramSettings = !showTelegramSettings}
-						class="text-sm font-medium cursor-pointer w-full text-left flex items-center justify-between">
-						{t('targets.telegramSettings')}
-						<span class="text-xs transition-transform duration-200" class:rotate-180={showTelegramSettings}>▼</span>
-					</button>
-					{#if showTelegramSettings}
-					<div in:slide={{ duration: 150 }} class="grid grid-cols-2 gap-3 mt-3">
-						<div>
-							<label for="tgt-maxmedia" class="block text-xs mb-1">{t('targets.maxMedia')}<Hint text={t('hints.maxMedia')} /></label>
-							<input id="tgt-maxmedia" type="number" bind:value={form.max_media_to_send} min="0" max="50" class="w-full px-2 py-1 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-						</div>
-						<div>
-							<label for="tgt-groupsize" class="block text-xs mb-1">{t('targets.maxGroupSize')}<Hint text={t('hints.groupSize')} /></label>
-							<input id="tgt-groupsize" type="number" bind:value={form.max_media_per_group} min="2" max="10" class="w-full px-2 py-1 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-						</div>
-						<div>
-							<label for="tgt-delay" class="block text-xs mb-1">{t('targets.chunkDelay')}<Hint text={t('hints.chunkDelay')} /></label>
-							<input id="tgt-delay" type="number" bind:value={form.media_delay} min="0" max="60000" step="100" class="w-full px-2 py-1 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-						</div>
-						<div>
-							<label for="tgt-maxsize" class="block text-xs mb-1">{t('targets.maxAssetSize')}<Hint text={t('hints.maxAssetSize')} /></label>
-							<input id="tgt-maxsize" type="number" bind:value={form.max_asset_size} min="1" max="50" class="w-full px-2 py-1 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-						</div>
-						<div class="col-span-2">
-							<label class="block text-xs mb-1">{t('targets.chatAction')}</label>
-							<IconGridSelect items={chatActionItems()} bind:value={form.chat_action} columns={4} compact />
-						</div>
-						<label class="flex items-center gap-2 text-sm col-span-2"><input type="checkbox" bind:checked={form.disable_url_preview} /> {t('targets.disableUrlPreview')}</label>
-						<label class="flex items-center gap-2 text-sm col-span-2"><input type="checkbox" bind:checked={form.send_large_photos_as_documents} /> {t('targets.sendLargeAsDocuments')}</label>
-					</div>
-					{/if}
-				</div>
-			{:else if formType === 'discord' || formType === 'slack'}
-				<div>
-					<label for="tgt-user" class="block text-sm font-medium mb-1">{t('targets.overrideUsername')}</label>
-					<input id="tgt-user" bind:value={form.username} placeholder="Notify Bridge"
-						class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-				</div>
-			{:else if formType === 'ntfy'}
-				<div>
-					<label for="tgt-ntfy-server" class="block text-sm font-medium mb-1">{t('targets.ntfyServer')}</label>
-					<input id="tgt-ntfy-server" bind:value={form.server_url} required placeholder="https://ntfy.sh"
-						class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-				</div>
-				<div>
-					<label for="tgt-ntfy-token" class="block text-sm font-medium mb-1">{t('targets.ntfyToken')}</label>
-					<input id="tgt-ntfy-token" bind:value={form.auth_token} placeholder={t('targets.ntfyTokenPlaceholder')}
-						class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-				</div>
-			{:else if formType === 'email'}
-				<div>
-					<label class="block text-sm font-medium mb-1">{t('targets.selectEmailBot')}</label>
-					<EntitySelect items={emailBotItems} bind:value={form.email_bot_id} placeholder={t('targets.selectEmailBot')} />
-					{#if emailBots.length === 0}
-						<p class="text-xs text-[var(--color-muted-foreground)] mt-1">{t('emailBot.noBots')} <a href="/bots?tab=email" class="underline">→</a></p>
-					{/if}
-				</div>
-			{:else if formType === 'matrix'}
-				<div>
-					<label class="block text-sm font-medium mb-1">{t('targets.selectMatrixBot')}</label>
-					<EntitySelect items={matrixBotItems} bind:value={form.matrix_bot_id} placeholder={t('targets.selectMatrixBot')} />
-					{#if matrixBots.length === 0}
-						<p class="text-xs text-[var(--color-muted-foreground)] mt-1">{t('matrixBot.noBots')} <a href="/bots?tab=matrix" class="underline">→</a></p>
-					{/if}
-				</div>
-			{/if}
-
-			{#if formType === 'telegram'}
-				<label class="flex items-center gap-2 text-sm"><input type="checkbox" bind:checked={form.ai_captions} /> {t('targets.aiCaptions')}<Hint text={t('hints.aiCaptions')} /></label>
-			{/if}
-
-			<button type="submit" disabled={submitting} class="px-4 py-2 bg-[var(--color-primary)] text-[var(--color-primary-foreground)] rounded-md text-sm font-medium hover:opacity-90 disabled:opacity-50">{submitting ? t('common.loading') : (editing ? t('common.save') : t('targets.create'))}</button>
-		</form>
-	</Card>
-	</div>
+	<TargetForm
+		bind:form
+		bind:formType
+		{activeType}
+		{typeGridItems}
+		{telegramBotItems}
+		{emailBotItems}
+		{matrixBotItems}
+		chatActionItems={chatActionItems()}
+		telegramBotCount={telegramBots.length}
+		emailBotCount={emailBots.length}
+		matrixBotCount={matrixBots.length}
+		{editing}
+		{submitting}
+		{error}
+		bind:showTelegramSettings
+		onsave={save}
+		ontoggleTelegramSettings={() => showTelegramSettings = !showTelegramSettings}
+	/>
 {/if}

 {#if !showForm && allTargets.length > 0}
@@ -522,7 +440,7 @@
 							<p class="font-medium">{target.name}</p>
 							{#if !activeType}<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{target.type}</span>{/if}
 							{#if (target.receivers || []).length > 0}<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{(target.receivers || []).length} receiver(s)</span>{/if}
-							{#if getBotName(target)}<CrossLink href={getBotHref(target)} icon="mdiRobot" label={getBotName(target)} entityId={getBotEntityId(target)} />{/if}
+							{#if getBotName(target)}<CrossLink href={getBotHref(target)} icon="mdiRobot" label={getBotName(target) ?? ''} entityId={getBotEntityId(target)} />{/if}
 						</div>
 					</div>
 					<div class="flex items-center gap-1">
@@ -533,113 +451,25 @@
 				</div>

 				<!-- Receivers list -->
-				<div class="mt-3 pt-3 border-t border-[var(--color-border)]">
-					<div class="flex items-center justify-between mb-2">
-						<p class="text-xs font-medium text-[var(--color-muted-foreground)] uppercase tracking-wide">{t('targets.receivers')}</p>
-					</div>
-
-					{#if (target.receivers || []).length === 0 && addingReceiverForTarget !== target.id}
-						<p class="text-xs text-[var(--color-muted-foreground)] italic mb-2">{t('targets.noReceivers')}</p>
-					{/if}
-
-					{#each target.receivers || [] as recv (recv.id)}
-						<div class="flex items-center justify-between py-1.5 px-2 rounded-md hover:bg-[var(--color-muted)]" class:opacity-50={!recv.enabled}>
-							<div class="flex items-center gap-2 min-w-0">
-								<MdiIcon name={TYPE_ICONS[target.type] || 'mdiTarget'} size={14} />
-								<span class="text-sm truncate">{receiverLabel(target, recv)}</span>
-								{#if (recv as any).language_code || recv.config?.language_code}
-									<span class="text-xs px-1 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{((recv as any).language_code || recv.config.language_code).toUpperCase()}</span>
-								{/if}
-							</div>
-							<div class="flex items-center gap-1">
-								<IconButton icon="mdiSend" title={t('targets.test')}
-									onclick={() => testReceiver(target.id, recv.id)}
-									disabled={receiverTesting[recv.id]} size={16} />
-								<IconButton
-									icon={recv.enabled ? 'mdiToggleSwitch' : 'mdiToggleSwitchOff'}
-									title={recv.enabled ? t('targets.receiverDisabled') : t('targets.receiverEnabled')}
-									onclick={() => toggleReceiver(target.id, recv)}
-									size={16}
-								/>
-								<IconButton
-									icon="mdiDelete"
-									title={t('common.delete')}
-									onclick={() => confirmDeleteReceiver = { targetId: target.id, receiver: recv }}
-									variant="danger"
-									size={16}
-								/>
-							</div>
-						</div>
-					{/each}
-
-					<!-- Inline add-receiver form -->
-					{#if addingReceiverForTarget === target.id}
-						<div in:slide={{ duration: 150 }} class="mt-2 p-2 rounded-md border border-[var(--color-border)] bg-[var(--color-background)]">
-							{#if target.type === 'telegram'}
-								{@const botId = target.config?.bot_id}
-								{@const existingKeys = new Set((target.receivers || []).map((r: TargetReceiver) => r.receiver_key))}
-								{@const chatItems = (receiverBotChats[botId] || []).map((c: any) => ({
-									value: c.chat_id,
-									label: c.title || c.username || c.chat_id,
-									icon: c.type === 'private' ? 'mdiAccount' : c.type === 'channel' ? 'mdiBullhorn' : 'mdiAccountGroup',
-									desc: `${c.type}${c.language_code ? ' · ' + c.language_code.toUpperCase() : ''} · ${c.chat_id}`,
-									disabled: existingKeys.has(c.chat_id),
-									disabledHint: existingKeys.has(c.chat_id) ? t('targets.alreadyAdded') : undefined,
-								}))}
-								{#if chatItems.length > 0}
-									<EntitySelect items={chatItems} bind:value={receiverForm.chat_id} placeholder={t('telegramBot.selectChat')} />
-								{:else}
-									<input bind:value={receiverForm.chat_id} placeholder="Chat ID"
-										class="w-full px-2 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-								{/if}
-								{#if botId}
-									<button type="button" onclick={() => loadReceiverBotChats(botId)}
-										class="text-xs text-[var(--color-primary)] hover:underline mt-2 flex items-center gap-1">
-										<MdiIcon name="mdiSync" size={14} />
-										{t('telegramBot.discoverChats')}
-									</button>
-								{/if}
-							{:else if target.type === 'email'}
-								<input bind:value={receiverForm.email} type="email" placeholder="recipient@example.com"
-									class="w-full px-2 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-							{:else if target.type === 'webhook'}
-								<input bind:value={receiverForm.url} placeholder="https://..."
-									class="w-full px-2 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)] mb-2" />
-								<input bind:value={receiverForm.headers} placeholder={'{"Authorization": "Bearer ..."}'}
-									class="w-full px-2 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]"
-									style={receiverHeadersError ? 'border-color: var(--color-error-fg)' : ''} />
-								{#if receiverHeadersError}<p class="text-xs text-[var(--color-error-fg)] mt-1">{receiverHeadersError}</p>{/if}
-							{:else if target.type === 'discord' || target.type === 'slack'}
-								<input bind:value={receiverForm.webhook_url}
-									placeholder={target.type === 'discord' ? 'https://discord.com/api/webhooks/...' : 'https://hooks.slack.com/services/...'}
-									class="w-full px-2 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-							{:else if target.type === 'ntfy'}
-								<input bind:value={receiverForm.topic} placeholder="my-notifications"
-									class="w-full px-2 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-							{:else if target.type === 'matrix'}
-								<input bind:value={receiverForm.room_id} placeholder="!abc123:matrix.org"
-									class="w-full px-2 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)] font-mono" />
-							{/if}
-
-							<div class="flex gap-2 mt-2">
-								<button type="button" onclick={() => saveReceiver(target.id)} disabled={receiverSubmitting}
-									class="px-3 py-1 bg-[var(--color-primary)] text-[var(--color-primary-foreground)] rounded-md text-xs font-medium hover:opacity-90 disabled:opacity-50">
-									{receiverSubmitting ? t('common.loading') : t('common.save')}
-								</button>
-								<button type="button" onclick={() => addingReceiverForTarget = null}
-									class="px-3 py-1 border border-[var(--color-border)] rounded-md text-xs hover:bg-[var(--color-muted)]">
-									{t('targets.cancel')}
-								</button>
-							</div>
-						</div>
-					{:else}
-						<button type="button" onclick={() => openReceiverForm(target.id, target.type)}
-							class="mt-1 flex items-center gap-1 text-xs text-[var(--color-primary)] hover:underline cursor-pointer">
-							<MdiIcon name="mdiPlus" size={14} />
-							{t('targets.addReceiver')}
-						</button>
-					{/if}
-				</div>
+				<ReceiverSection
+					{target}
+					typeIcons={TYPE_ICONS}
+					{addingReceiverForTarget}
+					bind:receiverForm
+					{receiverSubmitting}
+					{receiverHeadersError}
+					{receiverBotChats}
+					{receiverTesting}
+					{receiverLabel}
+					onopenReceiverForm={openReceiverForm}
+					onsaveReceiver={saveReceiver}
+					oncancelReceiver={() => addingReceiverForTarget = null}
+					ontoggleReceiver={toggleReceiver}
+					onremoveReceiver={(targetId, recv) => confirmDeleteReceiver = { targetId, receiver: recv }}
+					ontestReceiver={testReceiver}
+					onloadBotChats={loadReceiverBotChats}
+					onchangeReceiverForm={(f) => receiverForm = f}
+				/>
 			</Card>
 		{/each}
 	</div>