alexei.dolgolyov/web-app-launcher
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
f1cfb61d13c2f3a856ac2844c0d7d0637bcb582a
web-app-launcher/src/routes/admin/invites/+page.svelte
T
alexei.dolgolyov f1cfb61d13
Lint & Test / lint-and-check (push) Failing after 5m5s
Details
Lint & Test / test (push) Has been skipped
Details
Lint & Test / build (push) Has been skipped
Details
Lint & Test / docker-build (push) Has been skipped
Details
Lint & Test / audit (push) Has been skipped
Details
feat: production hardening + password reset, metrics, signed webhooks 
Security hardening (CRITICAL/HIGH from production-readiness audit):
- Require strong JWT_SECRET + separate INTEGRATION_ENCRYPTION_KEY at boot;
  refuse placeholder defaults. Integration key now derived via HKDF.
- SSRF guard (src/lib/server/utils/safeFetch.ts): DNS-resolves and rejects
  RFC1918/loopback/link-local/IPv4-mapped IPv6/decimal-IP/cloud-metadata.
  Manual redirect handling re-validates each 3xx Location hop. Applied to
  healthcheck, RSS, calendar, metric, system-stats, camera, notifications,
  discovery, apps/preview, and all integration clients.
- API tokens, session refresh tokens, invite tokens, password-reset tokens
  switched from bcrypt to sha256 with @unique indexed lookup (O(1) instead
  of O(N) bcrypt-compares; eliminates a trivial DoS).
- Refresh-token reuse detection via Session.previousTokenHash.
- Permission checks on App PATCH/DELETE and Widget/Section endpoints.
- /api/integrations/alerts now requires auth.
- SVG uploads sanitized through DOMPurify (svg profile, scheme allow-list).
- Custom CSS sanitizer + selector scoping (decodes CSS unicode escapes
  before pattern match, drops forbidden at-rules incl. @import without
  whitespace, strips dangerous url() args). Scoped to .custom-css-scope.
- Backup restore validates SQLite magic header, takes a safety snapshot,
  uses atomic rename, re-applies pragmas.
- SQLite WAL + busy_timeout + foreign_keys + synchronous=NORMAL at startup.
- Healthcheck scheduler was dead code; wired in hooks.server.ts with
  HMR-safe singleton, concurrency cap, overlap prevention, retention jobs
  for AppClick/Notification/AuditLog. Composite indexes added on hot paths.
- Security headers (CSP, HSTS-on-https, X-Frame-Options, Permissions-Policy)
  emitted on every response.
- Account-enumeration mitigation on login (dummy bcrypt on no-user/oauth
  branches) + rate limiting on login/register/onboarding/refresh/invite/
  password-reset.
- OAuth callback sanitizes IdP error_description before echoing.

New features:
- Custom +error.svelte pages (root + boards + admin) via shared
  ErrorState component. Inverted hierarchy (status as label, title as hero).
- /forgot-password + /reset-password + admin-mediated /admin/password-resets
  page. SHA256 tokens, 24h TTL, all sessions revoked on apply.
- /invite page for manual invite-token redemption.
- /api/metrics Prometheus exposition with optional METRICS_TOKEN bearer
  auth. Counters for login/healthcheck/notification/integration; gauges
  for users/boards/apps + per-status app counts.
- Webhook HMAC-SHA256 signing for HTTP notification channels (optional
  shared secret + configurable signature header, default X-Signature-256).
- PATCH /api/users/me/password for self-service password change.
- Persistent uploads at /app/data/uploads with served-from-volume handler
  at /uploads/[...path]. SVGs served with CSP: sandbox.
- /api/health does a DB ping; returns 503 on disconnect.
- Public /status filtered to guest-accessible-board apps when unauthenticated.
- Audit log coverage: LOGIN_SUCCESS/FAILED, LOGOUT, OAUTH_LOGIN,
  OAUTH_USER_PROVISIONED, SESSION_REVOKED, API_TOKEN_*, INVITE_*,
  APP_UPDATED, PASSWORD_CHANGED, PASSWORD_RESET_*.

Performance:
- Board page: removed double findAll() over-fetch; include links + appTags
  in board query; widgets lazy-loaded via dynamic imports (marked,
  DOMPurify, hls.js, integration renderers).
- uptimeService.getAllAppsUptime: single batched query instead of N+1.
- 30s in-memory user-locals cache; invalidated on user mutation.
- pruneOldStatuses: single window-function DELETE instead of N+1.

Code quality:
- Typed error classes (NotFoundError, PermissionError, RateLimitError,
  IntegrationError) with toHttpError mapper.
- Locals.user shape exposes avatarUrl and narrows role via guard.
- App input types derived from Zod schemas via z.infer.
- 274 tests passing (up from 212); 62 new tests covering SSRF guard,
  CSS sanitizer, SVG sanitizer, rate limiter.

CI / Docker / config:
- Test workflow adds build, docker-build, audit jobs. Release workflow
  uses buildx multi-arch (amd64+arm64) with provenance + SBOM.
- Dockerfile uses tini, multi-stage prune, persistent uploads dir, single
  prisma migrate deploy (no destructive db push fallback).
- docker-compose: JWT_SECRET + INTEGRATION_ENCRYPTION_KEY required at
  startup, log rotation, resource limits.
- README documents breaking-change upgrade path.

Bug fixes from UI/UX review:
- ~55 missing i18n keys added to en/ru (auth flows, error pages, admin
  nav, register invite banner, settings.card_style).
- Hardcoded English on login replaced with $t('auth.remember_me').
- Admin nav uses i18n keys; mobile horizontal-scroll layout.
- Page <title> tags standardized.
- Password-resets: separated error/info/success surfaces, ConfirmDialog
  replaces window.confirm.
- Auth pages have matching lucide icon badges.
- Webhook secret has eye toggle and monospace input.
- text-green-500 → text-emerald-500 to match codebase convention.

Pre-existing CI lint failures cleaned up (31 errors → 0): each-key
attributes added, unused-svelte-ignore comments removed, two any casts
typed, dead skeleton components removed, /boards/[id]/edit redirect to
inline edit mode.

Tests: 274 / 274 passing
Type check: 0 errors / 0 warnings
Build: green
2026-05-26 19:51:21 +03:00

261 lines
7.3 KiB
Svelte
Raw Blame History

<script lang="ts">
import { invalidateAll } from '$app/navigation';
import { t } from 'svelte-i18n';
import type { PageData } from './$types.js';
let { data }: { data: PageData } = $props();
let showForm = $state(false);
let creating = $state(false);
let err = $state<string | null>(null);
let email = $state('');
let role = $state<'user' | 'admin'>('user');
let expiresInDays = $state(7);
let createdUrl = $state<string | null>(null);
async function submit(evt: SubmitEvent) {
evt.preventDefault();
err = null;
creating = true;
try {
const res = await fetch('/api/admin/invites', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
email: email || undefined,
role,
expiresInDays
})
});
const json = await res.json();
if (!json.success) {
err = json.error ?? 'Failed to create invite';
return;
}
createdUrl = json.data.url;
email = '';
role = 'user';
expiresInDays = 7;
showForm = false;
await invalidateAll();
} catch {
err = 'Failed to create invite';
} finally {
creating = false;
}
}
async function revoke(id: string) {
err = null;
try {
const res = await fetch(`/api/admin/invites/${id}`, { method: 'DELETE' });
const json = await res.json();
if (!json.success) {
err = json.error ?? 'Failed to revoke invite';
return;
}
await invalidateAll();
} catch {
err = 'Failed to revoke invite';
}
}
async function copyUrl(url: string) {
try {
await navigator.clipboard.writeText(url);
} catch {
/* ignore */
}
}
function fmt(d: string | Date | null): string {
if (!d) return '—';
return new Date(d).toLocaleString();
}
function inviteStatus(inv: { usedAt: Date | string | null; expiresAt: Date | string }): string {
if (inv.usedAt) return 'Used';
if (new Date(inv.expiresAt) < new Date()) return 'Expired';
return 'Active';
}
</script>
<svelte:head>
<title>{$t('admin.invites') ?? 'Invites'}{$t('admin.panel') ?? 'Admin'}</title>
</svelte:head>
<div class="mx-auto max-w-4xl space-y-6 px-4 py-8">
<div class="flex items-center justify-between">
<div>
<h1 class="text-2xl font-bold text-foreground">Invites</h1>
<p class="mt-1 text-sm text-muted-foreground">
Generate invite links so people can register even when public registration is disabled.
</p>
</div>
{#if !showForm}
<button
type="button"
onclick={() => (showForm = true)}
class="rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90"
>
Generate invite
</button>
{/if}
</div>
{#if err}
<div class="rounded-lg border border-destructive/50 bg-destructive/10 p-3 text-sm text-destructive">
{err}
</div>
{/if}
{#if createdUrl}
<div class="rounded-lg border border-yellow-500/50 bg-yellow-500/10 p-4">
<h3 class="mb-1 text-sm font-semibold text-foreground">Invite created</h3>
<p class="mb-3 text-xs text-muted-foreground">
Share this link with the recipient. It will only be shown once.
</p>
<div class="flex items-center gap-2">
<code
class="flex-1 truncate rounded-md border border-input bg-background px-3 py-2 text-xs font-mono text-foreground"
>
{createdUrl}
</code>
<button
type="button"
onclick={() => createdUrl && copyUrl(createdUrl)}
class="rounded-md bg-primary px-3 py-2 text-xs font-medium text-primary-foreground hover:bg-primary/90"
>
Copy
</button>
</div>
<button
type="button"
onclick={() => (createdUrl = null)}
class="mt-3 text-xs text-muted-foreground hover:text-foreground"
>
I have copied the link
</button>
</div>
{/if}
{#if showForm}
<form
onsubmit={submit}
class="space-y-4 rounded-xl border border-border bg-card p-5"
>
<div>
<label for="inv-email" class="mb-1 block text-sm font-medium text-card-foreground">
Email <span class="text-xs font-normal text-muted-foreground">(optional — locks invite to one email)</span>
</label>
<input
id="inv-email"
type="email"
bind:value={email}
placeholder="jane@example.com"
class="w-full rounded-lg border border-input bg-background px-3 py-2 text-sm text-foreground"
/>
</div>
<div class="grid grid-cols-2 gap-4">
<div>
<label for="inv-role" class="mb-1 block text-sm font-medium text-card-foreground">Role</label>
<select
id="inv-role"
bind:value={role}
class="w-full rounded-lg border border-input bg-background px-3 py-2 text-sm text-foreground"
>
<option value="user">User</option>
<option value="admin">Admin</option>
</select>
</div>
<div>
<label for="inv-expiry" class="mb-1 block text-sm font-medium text-card-foreground">
Expires in (days)
</label>
<input
id="inv-expiry"
type="number"
min="1"
max="90"
bind:value={expiresInDays}
class="w-full rounded-lg border border-input bg-background px-3 py-2 text-sm text-foreground"
/>
</div>
</div>
<div class="flex justify-end gap-2">
<button
type="button"
onclick={() => (showForm = false)}
class="rounded-md border border-border px-3 py-2 text-sm text-foreground hover:bg-muted"
>
Cancel
</button>
<button
type="submit"
disabled={creating}
class="rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90 disabled:opacity-50"
>
{creating ? 'Creating…' : 'Create invite'}
</button>
</div>
</form>
{/if}
<div class="overflow-hidden rounded-xl border border-border bg-card">
<table class="w-full text-sm">
<thead class="bg-muted/40 text-xs uppercase tracking-wide text-muted-foreground">
<tr>
<th class="px-4 py-3 text-left font-medium">Email</th>
<th class="px-4 py-3 text-left font-medium">Role</th>
<th class="px-4 py-3 text-left font-medium">Status</th>
<th class="px-4 py-3 text-left font-medium">Expires</th>
<th class="px-4 py-3 text-left font-medium">Created</th>
<th class="px-4 py-3 text-right">
<span class="sr-only">Actions</span>
</th>
</tr>
</thead>
<tbody>
{#each data.invites as inv (inv.id)}
{@const status = inviteStatus(inv)}
<tr class="border-t border-border">
<td class="px-4 py-3 text-card-foreground">{inv.email ?? '—'}</td>
<td class="px-4 py-3 text-card-foreground">{inv.role}</td>
<td class="px-4 py-3">
<span
class="rounded-full px-2 py-0.5 text-xs {status === 'Active'
? 'bg-emerald-500/15 text-emerald-500'
: status === 'Used'
? 'bg-muted text-muted-foreground'
: 'bg-destructive/15 text-destructive'}"
>
{status}
</span>
</td>
<td class="px-4 py-3 text-muted-foreground">{fmt(inv.expiresAt)}</td>
<td class="px-4 py-3 text-muted-foreground">{fmt(inv.createdAt)}</td>
<td class="px-4 py-3 text-right">
<button
type="button"
onclick={() => revoke(inv.id)}
class="text-xs text-destructive hover:underline"
>
Revoke
</button>
</td>
</tr>
{/each}
{#if data.invites.length === 0}
<tr>
<td colspan="6" class="px-4 py-6 text-center text-sm text-muted-foreground">
No invites yet.
</td>
</tr>
{/if}
</tbody>
</table>
</div>
</div>
Reference in New Issue View Git Blame Copy Permalink