alexei.dolgolyov/web-app-launcher
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

feat: production hardening + password reset, metrics, signed webhooks
Lint & Test / lint-and-check (push) Failing after 5m5s
Details
Lint & Test / test (push) Has been skipped
Details
Lint & Test / build (push) Has been skipped
Details
Lint & Test / docker-build (push) Has been skipped
Details
Lint & Test / audit (push) Has been skipped
Details

Browse Source 
Security hardening (CRITICAL/HIGH from production-readiness audit):
- Require strong JWT_SECRET + separate INTEGRATION_ENCRYPTION_KEY at boot;
  refuse placeholder defaults. Integration key now derived via HKDF.
- SSRF guard (src/lib/server/utils/safeFetch.ts): DNS-resolves and rejects
  RFC1918/loopback/link-local/IPv4-mapped IPv6/decimal-IP/cloud-metadata.
  Manual redirect handling re-validates each 3xx Location hop. Applied to
  healthcheck, RSS, calendar, metric, system-stats, camera, notifications,
  discovery, apps/preview, and all integration clients.
- API tokens, session refresh tokens, invite tokens, password-reset tokens
  switched from bcrypt to sha256 with @unique indexed lookup (O(1) instead
  of O(N) bcrypt-compares; eliminates a trivial DoS).
- Refresh-token reuse detection via Session.previousTokenHash.
- Permission checks on App PATCH/DELETE and Widget/Section endpoints.
- /api/integrations/alerts now requires auth.
- SVG uploads sanitized through DOMPurify (svg profile, scheme allow-list).
- Custom CSS sanitizer + selector scoping (decodes CSS unicode escapes
  before pattern match, drops forbidden at-rules incl. @import without
  whitespace, strips dangerous url() args). Scoped to .custom-css-scope.
- Backup restore validates SQLite magic header, takes a safety snapshot,
  uses atomic rename, re-applies pragmas.
- SQLite WAL + busy_timeout + foreign_keys + synchronous=NORMAL at startup.
- Healthcheck scheduler was dead code; wired in hooks.server.ts with
  HMR-safe singleton, concurrency cap, overlap prevention, retention jobs
  for AppClick/Notification/AuditLog. Composite indexes added on hot paths.
- Security headers (CSP, HSTS-on-https, X-Frame-Options, Permissions-Policy)
  emitted on every response.
- Account-enumeration mitigation on login (dummy bcrypt on no-user/oauth
  branches) + rate limiting on login/register/onboarding/refresh/invite/
  password-reset.
- OAuth callback sanitizes IdP error_description before echoing.

New features:
- Custom +error.svelte pages (root + boards + admin) via shared
  ErrorState component. Inverted hierarchy (status as label, title as hero).
- /forgot-password + /reset-password + admin-mediated /admin/password-resets
  page. SHA256 tokens, 24h TTL, all sessions revoked on apply.
- /invite page for manual invite-token redemption.
- /api/metrics Prometheus exposition with optional METRICS_TOKEN bearer
  auth. Counters for login/healthcheck/notification/integration; gauges
  for users/boards/apps + per-status app counts.
- Webhook HMAC-SHA256 signing for HTTP notification channels (optional
  shared secret + configurable signature header, default X-Signature-256).
- PATCH /api/users/me/password for self-service password change.
- Persistent uploads at /app/data/uploads with served-from-volume handler
  at /uploads/[...path]. SVGs served with CSP: sandbox.
- /api/health does a DB ping; returns 503 on disconnect.
- Public /status filtered to guest-accessible-board apps when unauthenticated.
- Audit log coverage: LOGIN_SUCCESS/FAILED, LOGOUT, OAUTH_LOGIN,
  OAUTH_USER_PROVISIONED, SESSION_REVOKED, API_TOKEN_*, INVITE_*,
  APP_UPDATED, PASSWORD_CHANGED, PASSWORD_RESET_*.

Performance:
- Board page: removed double findAll() over-fetch; include links + appTags
  in board query; widgets lazy-loaded via dynamic imports (marked,
  DOMPurify, hls.js, integration renderers).
- uptimeService.getAllAppsUptime: single batched query instead of N+1.
- 30s in-memory user-locals cache; invalidated on user mutation.
- pruneOldStatuses: single window-function DELETE instead of N+1.

Code quality:
- Typed error classes (NotFoundError, PermissionError, RateLimitError,
  IntegrationError) with toHttpError mapper.
- Locals.user shape exposes avatarUrl and narrows role via guard.
- App input types derived from Zod schemas via z.infer.
- 274 tests passing (up from 212); 62 new tests covering SSRF guard,
  CSS sanitizer, SVG sanitizer, rate limiter.

CI / Docker / config:
- Test workflow adds build, docker-build, audit jobs. Release workflow
  uses buildx multi-arch (amd64+arm64) with provenance + SBOM.
- Dockerfile uses tini, multi-stage prune, persistent uploads dir, single
  prisma migrate deploy (no destructive db push fallback).
- docker-compose: JWT_SECRET + INTEGRATION_ENCRYPTION_KEY required at
  startup, log rotation, resource limits.
- README documents breaking-change upgrade path.

Bug fixes from UI/UX review:
- ~55 missing i18n keys added to en/ru (auth flows, error pages, admin
  nav, register invite banner, settings.card_style).
- Hardcoded English on login replaced with $t('auth.remember_me').
- Admin nav uses i18n keys; mobile horizontal-scroll layout.
- Page <title> tags standardized.
- Password-resets: separated error/info/success surfaces, ConfirmDialog
  replaces window.confirm.
- Auth pages have matching lucide icon badges.
- Webhook secret has eye toggle and monospace input.
- text-green-500 → text-emerald-500 to match codebase convention.

Pre-existing CI lint failures cleaned up (31 errors → 0): each-key
attributes added, unused-svelte-ignore comments removed, two any casts
typed, dead skeleton components removed, /boards/[id]/edit redirect to
inline edit mode.

Tests: 274 / 274 passing
Type check: 0 errors / 0 warnings
Build: green
This commit is contained in:
Admin
2026-05-26 19:51:21 +03:00
parent 38335e925b
commit f1cfb61d13
144 changed files with 5586 additions and 2284 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/lib/i18n/en.json
+54
View File
@@ -31,6 +31,51 @@
"auth.no_account": "Don't have an account?",
"auth.have_account": "Already have an account?",
"auth.sign_in_link": "Sign in",
"auth.back_to_login": "Back to sign in",
"auth.remember_me": "Keep me signed in for 30 days",
"auth.forgot_password": "Forgot password?",
"auth.forgot_password_title": "Reset password",
"auth.forgot_password_hint": "Enter your account email. An admin will share a reset link with you.",
"auth.forgot_password_submit": "Request reset link",
"auth.forgot_password_submitted_title": "Request received",
"auth.forgot_password_submitted_hint": "If an account exists for that email, your admin can now generate a reset link for you in the admin panel.",
"auth.reset_password_title": "Choose a new password",
"auth.reset_password_for": "Resetting password for",
"auth.reset_password_submit": "Set new password",
"auth.reset_invalid_title": "Reset link is invalid",
"auth.reset_invalid_hint": "The link may have expired, already been used, or copied incorrectly. Ask your admin to issue a new one.",
"auth.request_new_reset": "Request a new reset link",
"auth.new_password": "New password",
"auth.confirm_password": "Confirm password",
"auth.invite_title": "Redeem invite",
"auth.invite_hint": "Paste the invite token an admin sent you. You'll be taken to the registration page next.",
"auth.invite_token": "Invite token",
"auth.invite_continue": "Continue",
"auth.invite_banner_admin": "You've been invited to join as an",
"auth.invite_banner_user": "You've been invited to join.",
"auth.invite_banner_locked": "This invite is locked to",
"error.unauthorized_title": "Sign in to continue",
"error.unauthorized_hint": "Your session may have expired. Sign back in to continue.",
"error.forbidden_title": "You don't have access to this",
"error.forbidden_hint": "Ask an admin to grant access if you believe this is a mistake.",
"error.not_found_title": "Page not found",
"error.not_found_hint": "The page you were looking for doesn't exist or was moved.",
"error.rate_limited_title": "Too many requests",
"error.rate_limited_hint": "Slow down. Try again in a moment.",
"error.generic_title": "Something went wrong",
"error.generic_hint": "An unexpected error occurred. Try refreshing, or head back to the dashboard.",
"error.back_to_dashboard": "Back to dashboard",
"error.technical_details": "Technical details",
"error.board_not_found_title": "This board doesn't exist",
"error.board_not_found_hint": "It may have been deleted or you have the wrong URL.",
"error.board_forbidden_title": "You don't have access to this board",
"error.board_forbidden_hint": "Ask the board owner or an admin to share it with you.",
"error.board_generic_title": "Couldn't load this board",
"error.admin_forbidden_title": "Admin access required",
"error.admin_forbidden_hint": "Your account doesn't have the admin role. Ask another admin to grant access if you need it.",
"error.admin_not_found_title": "Admin page not found",
"error.admin_generic_title": "Couldn't load this admin page",
"board.title": "Boards",
"board.boards_available": "{count} board(s) available",
@@ -134,6 +179,10 @@
"admin.users": "Users",
"admin.groups": "Groups",
"admin.settings": "Settings",
"admin.invites": "Invites",
"admin.password_resets": "Password Resets",
"admin.tags": "Tags",
"admin.audit_log": "Audit Log",
"admin.user_management": "User Management",
"admin.create_user": "Create User",
@@ -331,10 +380,15 @@
"settings.saturation": "Saturation",
"settings.background": "Background Effect",
"settings.language": "Language",
"settings.card_style": "Card Style",
"settings.save": "Save Preferences",
"settings.saving": "Saving...",
"settings.saved": "Preferences saved!",
"card_style.solid": "Solid",
"card_style.glass": "Glass",
"card_style.outline": "Outline",
"offline.title": "You're Offline",
"offline.description": "It looks like you've lost your internet connection. Check your network and try again.",
"offline.retry": "Retry",