favoritter

olemd/favoritter

Fork 0

Commit graph

Author	SHA1	Message	Date
Ole-Morten Duesund	a8f3aa6f7e	test: add comprehensive test suite (44 → 169 tests) and v1.1 plan Add 125 new test functions across 10 new test files, covering: - CSRF middleware (8 tests): double-submit cookie validation - Auth middleware (12 tests): SessionLoader, RequireAdmin, context helpers - API handlers (28 tests): auth, faves CRUD, tags, users, export/import - Web handlers (41 tests): signup, login, password reset, fave CRUD, admin panel, feeds, import/export, profiles, settings - Config (8 tests): env parsing, defaults, trusted proxies, normalization - Database (6 tests): migrations, PRAGMAs, idempotency, seeding - Image processing (10 tests): JPEG/PNG, resize, EXIF strip, path traversal - Render (6 tests): page/error/partial rendering, template functions - Settings store (3 tests): CRUD operations - Regression tests for display name fallback and CSP-safe autocomplete Also adds CSRF middleware to testServer chain for end-to-end CSRF verification, TESTPLAN.md documenting coverage, and PLANS-v1.1.md with implementation plans for notes+OG, PWA, editing UX, and admin. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 00:18:01 +02:00
Ole-Morten Duesund	395b1b7523	fix: address security and quality issues from code review Security fixes: - Fix XSS in Atom feed: escape user-supplied URLs in HTML content - Wrap signup request approval in a transaction to prevent partial state on crash (user created but request still pending) - Stop leaking internal error messages to admin UI - Add request body size limit on API import endpoint - Log SetMustResetPassword errors instead of silently discarding Correctness fixes: - Handle errors from API fave update/delete instead of returning success on failure - Use actual data timestamp for feed <updated> instead of time.Now() (improves HTTP caching) - Replace hardcoded 10000 export limit with named constant (maxExportFaves = 100000) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-29 16:19:44 +02:00
Ole-Morten Duesund	fe4c751289	feat: add JSON REST API under /api/v1/ Phase 6 — JSON API: - POST /api/v1/auth/login — returns session token - POST /api/v1/auth/logout - GET/POST /api/v1/faves — list own faves (paginated), create fave - GET/PUT/DELETE /api/v1/faves/{id} — get, update, delete fave - GET /api/v1/tags?q= — search tags - GET /api/v1/users/{username} — public profile - GET /api/v1/users/{username}/faves — public faves (paginated) - GET /api/v1/export/json — export own faves - POST /api/v1/import — import faves from JSON All endpoints return JSON. Auth via session cookie (same as web UI). Privacy-aware: private faves hidden from non-owners. Respects profile visibility settings. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-29 16:13:23 +02:00

Author

SHA1

Message

Date

Ole-Morten Duesund

a8f3aa6f7e

test: add comprehensive test suite (44 → 169 tests) and v1.1 plan

Add 125 new test functions across 10 new test files, covering:
- CSRF middleware (8 tests): double-submit cookie validation
- Auth middleware (12 tests): SessionLoader, RequireAdmin, context helpers
- API handlers (28 tests): auth, faves CRUD, tags, users, export/import
- Web handlers (41 tests): signup, login, password reset, fave CRUD,
  admin panel, feeds, import/export, profiles, settings
- Config (8 tests): env parsing, defaults, trusted proxies, normalization
- Database (6 tests): migrations, PRAGMAs, idempotency, seeding
- Image processing (10 tests): JPEG/PNG, resize, EXIF strip, path traversal
- Render (6 tests): page/error/partial rendering, template functions
- Settings store (3 tests): CRUD operations
- Regression tests for display name fallback and CSP-safe autocomplete

Also adds CSRF middleware to testServer chain for end-to-end CSRF
verification, TESTPLAN.md documenting coverage, and PLANS-v1.1.md
with implementation plans for notes+OG, PWA, editing UX, and admin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 00:18:01 +02:00

Ole-Morten Duesund

395b1b7523

fix: address security and quality issues from code review

Security fixes:
- Fix XSS in Atom feed: escape user-supplied URLs in HTML content
- Wrap signup request approval in a transaction to prevent
  partial state on crash (user created but request still pending)
- Stop leaking internal error messages to admin UI
- Add request body size limit on API import endpoint
- Log SetMustResetPassword errors instead of silently discarding

Correctness fixes:
- Handle errors from API fave update/delete instead of returning
  success on failure
- Use actual data timestamp for feed <updated> instead of
  time.Now() (improves HTTP caching)
- Replace hardcoded 10000 export limit with named constant
  (maxExportFaves = 100000)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-29 16:19:44 +02:00

Ole-Morten Duesund

fe4c751289

feat: add JSON REST API under /api/v1/

Phase 6 — JSON API:
- POST /api/v1/auth/login — returns session token
- POST /api/v1/auth/logout
- GET/POST /api/v1/faves — list own faves (paginated), create fave
- GET/PUT/DELETE /api/v1/faves/{id} — get, update, delete fave
- GET /api/v1/tags?q= — search tags
- GET /api/v1/users/{username} — public profile
- GET /api/v1/users/{username}/faves — public faves (paginated)
- GET /api/v1/export/json — export own faves
- POST /api/v1/import — import faves from JSON

All endpoints return JSON. Auth via session cookie (same as web UI).
Privacy-aware: private faves hidden from non-owners.
Respects profile visibility settings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-29 16:13:23 +02:00

3 commits