alexei.dolgolyov
10d30fc956
Comprehensive multi-area pass driven by a parallel 8-agent production
review. Frontend, backend, database, security, performance, operational,
plus a new self-monitoring feature.
## Critical fixes
- Planka webhook: reads bounded raw body (was NameError on every call)
- HA quiet hours: ha_state_changed/automation_triggered/service_called/
event_fired added to deferrable set (were silently dropped)
- DNS-rebinding SSRF: PinnedResolver wired into shared aiohttp session
- Telegram inbound webhook: secret now mandatory (401 without)
- Generic webhook: auth_mode="none" requires explicit
acknowledge_unauthenticated=true; per-IP rate limit 60/min
- svelte-check: 5 null-narrowing errors in EventDetailModal fixed
- Provider hardcoding: Immich-only block extracted to descriptor
featureDiscoveryHint
- command_sync: snapshot+expunge bot before exiting AsyncSession
## Bug fixes
- notifier asyncio.gather(return_exceptions=True) — one bad chat no longer
cancels peer sends
- NotificationDispatcher hoisted out of per-tracker loop
- Provider credential resolution unified across all 5 dispatch sites
- HA asyncio.shield now drains inner task on cancellation
- Provider construction switched from if/elif ladder to factory registry
- NUT first poll seeds silently (no spurious ups_on_battery)
- Quiet-hours gate: event-type-disabled now wins over deferral
- APScheduler drain job ID resolution upgraded to seconds
- HA on_status_change wired through to EventLog
- Webhook payload rollback failures now logged (not swallowed)
- Batched receivers/chats/bots in load_link_data (was per-target N+1)
- flag_modified on JSON column reassignments in deferred_dispatch
## Database
- UNIQUE indexes on service_provider.webhook_token,
telegram_bot.webhook_path_id, partial UNIQUE on telegram_bot.bot_id,
telegram_chat(bot_id, chat_id), notification_tracker_target unique link,
partial UNIQUE on bridge_self provider per user
- Composite ix_event_log_user_event_type_created index
- save_chat_from_webhook switched to ON CONFLICT DO UPDATE
- ondelete=CASCADE on user-id FKs (model annotation; app-side cascade
delete added for existing data)
- delete_notification_tracker converted from N+1 to bulk DELETE/UPDATE
- Module-level asyncio.Lock replaced with lazy _get_lock() pattern
- VACUUM INTO snapshot now PRAGMA integrity_check verified
## Performance
- Jinja2 template compilation LRU cached (lru_cache maxsize=512)
- Per-locale render cache in NotificationDispatcher (skips re-rendering
identical content for receivers sharing a locale)
- Tracker list cached per provider_id with 5s TTL + explicit invalidation
on tracker CRUD (relieves HA chat-bus rate query pressure)
- Nav-counts collapsed from 16 round-trips to single UNION ALL
- HA event_log: skip persisting empty assets_added/removed events
## Security hardening
- Mass-assignment guard on Action create/update; cron sub-minute reject
- Backup JSON depth/node-count cap (depth ≤ 10, nodes ≤ 100k)
- _sanitize_config extended to all JSON-typed fields on backup import
- Telegram _safe_get walks redirects manually with SSRF revalidation
- Bcrypt 72-byte password length cap with clear 422
- Webhook payload body redaction; sensitive substring set extended with
oauth/client_secret/webhook_secret/csrf in both header filter and
template extras filter
## Frontend
- 76 catch (err: any) sites converted to errMsg(err) helper
- globalProviderFilter: pure getter; reconciliation moved to one-time
$effect in +layout
- Provider-filter binding: removed paired $effects + _syncingFilter flag,
now one-way derived
- entity-cache: separate _refreshing flag for background re-fetches
- api.ts 401 handling: AuthRedirectError class + dedup _redirecting flag,
goto() instead of window.location.href
- a11y: aria-expanded on mobile More, role=switch + aria-checked on
Telegram bot toggles
## Tests & operations
- CI pytest gate added to .gitea/workflows/build.yml + release.yml
(wheel-built install to dodge editable-install slowness)
- /api/ready upgraded to deep healthcheck (db SELECT 1, scheduler.running,
HA supervisor presence) returning {ready, checks, errors, version}
- /api/metrics endpoint with prometheus_client (deferred_pending,
event_log_total, dispatch_duration, poll_failures, send_failures)
- New OPERATIONS.md covering deploy, healthchecks, metrics, backup/restore
procedures, log handling, common scenarios, upgrade flow
- New tests: test_bridge_self (11), test_gitea_parser (9),
test_planka_parser (6), test_immich_change_detector (6),
test_backup_roundtrip (1)
## New feature: bridge self-monitoring
- New bridge_self provider type — internal sink for bridge health events
- Three event types: bridge_self_poll_failures (consecutive tracker poll
failures), bridge_self_deferred_backlog (pending count crosses
threshold), bridge_self_target_failures (consecutive 5xx/network
failures per target)
- Per-user thresholds (defaults: 3 / 100 / 5) configurable via the
provider config form
- Auto-seeded on user create + /setup + boot backfill for existing users
- Anti-spam: counters reset after emission; backlog uses transition latch
- Self-loop guard: bridge_self failures don't count toward target-failure
thresholds (logged only) — wire to your own Telegram/Email/Matrix to
get notified when polls/dispatches/sends fail
- 6 default templates (3 events × 2 locales), tracking config columns
with backfill migration, frontend descriptor (excluded from "create
provider" wizard since auto-managed)
Operator-visible behavior changes (call out in release notes):
- NOTIFY_BRIDGE_TELEGRAM_WEBHOOK_SECRET now REQUIRED for webhook mode
- Existing webhook providers with auth_mode="none" need explicit opt-in
- Generic webhook endpoint rate-limited 60/min per source IP
- HA disconnect/reconnect writes ha_status_* EventLog rows
- Every user gets a bridge_self provider — wire it to a target to
receive failure alerts
Pre-existing test failures (test_ssrf, test_release_provider) on
Python 3.13 are unrelated; CI runs on 3.12.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
263 lines
8.4 KiB
TypeScript
263 lines
8.4 KiB
TypeScript
/**
|
|
* API client with JWT auth for the Notify Bridge backend.
|
|
*/
|
|
|
|
import { goto } from '$app/navigation';
|
|
|
|
const API_BASE = '/api';
|
|
|
|
/**
|
|
* Thrown when the API client decides to redirect the user to /login (after a
|
|
* terminal 401). Caller-side `try/catch` blocks can branch on
|
|
* `instanceof AuthRedirectError` to skip showing an "Unauthorized" snackbar
|
|
* — the redirect itself is the user-visible signal.
|
|
*/
|
|
export class AuthRedirectError extends Error {
|
|
constructor() {
|
|
super('Unauthorized — redirecting to login');
|
|
this.name = 'AuthRedirectError';
|
|
}
|
|
}
|
|
|
|
// Module-level dedupe — a burst of concurrent requests that all get 401 (e.g.
|
|
// the dashboard's parallel cache loads) should only schedule a single
|
|
// `goto('/login')` instead of stacking N navigations.
|
|
let _redirecting = false;
|
|
|
|
/** Centralised "send the user to /login" path used by both api() and fetchAuth(). */
|
|
function redirectToLogin(): void {
|
|
if (_redirecting) return;
|
|
_redirecting = true;
|
|
clearTokens();
|
|
if (typeof window !== 'undefined') {
|
|
// SvelteKit's goto() with replaceState avoids leaving the failed page
|
|
// in the back-stack (no "back-button to broken view" UX). We don't
|
|
// reset `_redirecting` — the page about to unmount makes it moot.
|
|
goto('/login', { replaceState: true });
|
|
}
|
|
}
|
|
|
|
/** Normalize a caught error to a user-safe message. */
|
|
export function errMsg(err: unknown, fallback = 'Unexpected error'): string {
|
|
if (err instanceof Error && err.message) return err.message;
|
|
if (typeof err === 'string' && err) return err;
|
|
return fallback;
|
|
}
|
|
|
|
/** Structured 409 blocked-by payload attached to ApiError.blockedBy. */
|
|
export interface BlockedByDetail {
|
|
message: string;
|
|
entity: string;
|
|
blocked_by: string[];
|
|
}
|
|
|
|
export class ApiError extends Error {
|
|
status: number;
|
|
blockedBy?: BlockedByDetail;
|
|
constructor(message: string, status: number, blockedBy?: BlockedByDetail) {
|
|
super(message);
|
|
this.name = 'ApiError';
|
|
this.status = status;
|
|
this.blockedBy = blockedBy;
|
|
}
|
|
}
|
|
|
|
/** Parse a server-issued datetime string as UTC (appends Z if no timezone info present). */
|
|
export function parseDate(dateStr: string): Date {
|
|
if (!dateStr) return new Date(NaN);
|
|
if (!/Z$|[+-]\d{2}:?\d{2}$/.test(dateStr)) return new Date(dateStr + 'Z');
|
|
return new Date(dateStr);
|
|
}
|
|
|
|
/** If the thrown error was a structured 409 from delete_protection, return its payload. */
|
|
export function getBlockedBy(err: unknown): BlockedByDetail | null {
|
|
if (err instanceof ApiError && err.blockedBy) return err.blockedBy;
|
|
return null;
|
|
}
|
|
|
|
function getToken(): string | null {
|
|
if (typeof window === 'undefined') return null;
|
|
return localStorage.getItem('access_token');
|
|
}
|
|
|
|
export function setTokens(access: string, refresh: string) {
|
|
localStorage.setItem('access_token', access);
|
|
localStorage.setItem('refresh_token', refresh);
|
|
}
|
|
|
|
export function clearTokens() {
|
|
localStorage.removeItem('access_token');
|
|
localStorage.removeItem('refresh_token');
|
|
}
|
|
|
|
export function isAuthenticated(): boolean {
|
|
return !!getToken();
|
|
}
|
|
|
|
let refreshPromise: Promise<boolean> | null = null;
|
|
|
|
async function refreshAccessToken(): Promise<boolean> {
|
|
if (refreshPromise) return refreshPromise;
|
|
refreshPromise = doRefreshAccessToken().finally(() => {
|
|
refreshPromise = null;
|
|
});
|
|
return refreshPromise;
|
|
}
|
|
|
|
async function doRefreshAccessToken(): Promise<boolean> {
|
|
if (typeof window === 'undefined') return false;
|
|
const refreshToken = localStorage.getItem('refresh_token');
|
|
if (!refreshToken) return false;
|
|
|
|
try {
|
|
const res = await fetch(`${API_BASE}/auth/refresh`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ refresh_token: refreshToken })
|
|
});
|
|
if (res.ok) {
|
|
const data = await res.json();
|
|
setTokens(data.access_token, data.refresh_token);
|
|
return true;
|
|
}
|
|
} catch (e) {
|
|
console.warn('Token refresh failed:', e);
|
|
}
|
|
return false;
|
|
}
|
|
|
|
const DEFAULT_TIMEOUT_MS = 30_000;
|
|
// Longer cap for fetchAuth — it's used for multipart uploads (backup restore)
|
|
// and binary downloads where a 30s limit can cut off a legit slow upload.
|
|
const DEFAULT_FETCHAUTH_TIMEOUT_MS = 120_000;
|
|
|
|
export async function api<T = any>(
|
|
path: string,
|
|
options: RequestInit & { timeoutMs?: number } = {}
|
|
): Promise<T> {
|
|
const token = getToken();
|
|
const headers: Record<string, string> = {
|
|
'Content-Type': 'application/json',
|
|
...(options.headers as Record<string, string>)
|
|
};
|
|
if (token) {
|
|
headers['Authorization'] = `Bearer ${token}`;
|
|
}
|
|
|
|
const { timeoutMs, ...fetchOptions } = options;
|
|
const controller = new AbortController();
|
|
const timeout = setTimeout(() => controller.abort(), timeoutMs ?? DEFAULT_TIMEOUT_MS);
|
|
const signal = options.signal ?? controller.signal;
|
|
|
|
try {
|
|
let res = await fetch(`${API_BASE}${path}`, { ...fetchOptions, headers, signal });
|
|
|
|
// Try token refresh on 401
|
|
if (res.status === 401 && token) {
|
|
const refreshed = await refreshAccessToken();
|
|
if (refreshed) {
|
|
headers['Authorization'] = `Bearer ${getToken()}`;
|
|
res = await fetch(`${API_BASE}${path}`, { ...fetchOptions, headers, signal });
|
|
}
|
|
}
|
|
|
|
if (res.status === 401 && token) {
|
|
redirectToLogin();
|
|
// Tagged so the caller's catch can distinguish "we already showed
|
|
// the user a redirect" from a real authorization failure they
|
|
// should snackbar.
|
|
throw new AuthRedirectError();
|
|
}
|
|
|
|
if (res.status === 204) return undefined as T;
|
|
|
|
if (!res.ok) {
|
|
const err = await res.json().catch(() => ({ detail: res.statusText }));
|
|
// Structured blocked-by detail (from delete_protection.raise_if_used)
|
|
if (err && err.detail && typeof err.detail === 'object' && Array.isArray(err.detail.blocked_by)) {
|
|
const bb: BlockedByDetail = {
|
|
message: err.detail.message || `HTTP ${res.status}`,
|
|
entity: err.detail.entity || '',
|
|
blocked_by: err.detail.blocked_by,
|
|
};
|
|
throw new ApiError(bb.message, res.status, bb);
|
|
}
|
|
const msg = typeof err.detail === 'string' ? err.detail : (err.detail?.message || `HTTP ${res.status}`);
|
|
throw new ApiError(msg, res.status);
|
|
}
|
|
|
|
return res.json();
|
|
} finally {
|
|
clearTimeout(timeout);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Auth-aware ``fetch`` wrapper for calls that can't go through ``api()`` —
|
|
* typically multipart/form-data uploads or binary downloads where we need the
|
|
* raw ``Response`` object rather than parsed JSON.
|
|
*
|
|
* - Injects the Bearer token automatically.
|
|
* - Does NOT set ``Content-Type`` (the caller's body — e.g. ``FormData`` —
|
|
* decides the encoding; browsers add the boundary).
|
|
* - Attempts a one-shot token refresh on 401, matching ``api()``.
|
|
* - Translates non-OK responses to ``ApiError`` so callers can use the same
|
|
* ``getBlockedBy`` / ``err.message`` handling pattern.
|
|
*/
|
|
export async function fetchAuth(
|
|
path: string,
|
|
options: RequestInit & { timeoutMs?: number } = {},
|
|
): Promise<Response> {
|
|
const token = getToken();
|
|
const headers: Record<string, string> = { ...(options.headers as Record<string, string>) };
|
|
if (token) headers['Authorization'] = `Bearer ${token}`;
|
|
|
|
const url = path.startsWith('http') ? path : `${API_BASE}${path}`;
|
|
|
|
// Abort after timeout so uploads/downloads don't hang indefinitely if
|
|
// the backend stops responding. Callers can override per-request via
|
|
// options.timeoutMs or pass their own signal to opt out.
|
|
const { timeoutMs, ...fetchOptions } = options;
|
|
const controller = new AbortController();
|
|
const timeout = setTimeout(
|
|
() => controller.abort(),
|
|
timeoutMs ?? DEFAULT_FETCHAUTH_TIMEOUT_MS,
|
|
);
|
|
const signal = options.signal ?? controller.signal;
|
|
|
|
try {
|
|
let res = await fetch(url, { ...fetchOptions, headers, signal });
|
|
|
|
if (res.status === 401 && token) {
|
|
const refreshed = await refreshAccessToken();
|
|
if (refreshed) {
|
|
headers['Authorization'] = `Bearer ${getToken()}`;
|
|
res = await fetch(url, { ...fetchOptions, headers, signal });
|
|
}
|
|
}
|
|
|
|
if (res.status === 401) {
|
|
redirectToLogin();
|
|
throw new AuthRedirectError();
|
|
}
|
|
|
|
if (!res.ok) {
|
|
const err = await res.clone().json().catch(() => ({ detail: res.statusText }));
|
|
if (err && err.detail && typeof err.detail === 'object' && Array.isArray(err.detail.blocked_by)) {
|
|
const bb: BlockedByDetail = {
|
|
message: err.detail.message || `HTTP ${res.status}`,
|
|
entity: err.detail.entity || '',
|
|
blocked_by: err.detail.blocked_by,
|
|
};
|
|
throw new ApiError(bb.message, res.status, bb);
|
|
}
|
|
const msg = typeof err.detail === 'string' ? err.detail : (err.detail?.message || `HTTP ${res.status}`);
|
|
throw new ApiError(msg, res.status);
|
|
}
|
|
|
|
return res;
|
|
} finally {
|
|
clearTimeout(timeout);
|
|
}
|
|
}
|