checkpoint

tannerlinsley · tannerlinsley · commit 481e88dc6a61 · 2026-01-13T00:24:42.000-07:00
diff --git a/src/auth/context.server.ts b/src/auth/context.server.ts
@@ -28,8 +28,15 @@ function getSessionSecret(): string {
         'SESSION_SECRET environment variable is required in production',
       )
     }
+    // In development, require explicit opt-in to use insecure default
+    if (process.env.ALLOW_INSECURE_SESSION_SECRET !== 'true') {
+      throw new Error(
+        'SESSION_SECRET environment variable is required. ' +
+          'Set ALLOW_INSECURE_SESSION_SECRET=true to use insecure default in development.',
+      )
+    }
     console.warn(
-      '[Auth] SESSION_SECRET not set, using insecure default for development only',
+      '[Auth] WARNING: Using insecure session secret for development. Do NOT use in production.',
     )
     return 'dev-secret-key-change-in-production'
   }
diff --git a/src/auth/session.server.ts b/src/auth/session.server.ts
@@ -244,11 +244,12 @@ export function createOAuthStateCookie(
   state: string,
   isProduction: boolean,
 ): string {
-  return `oauth_state=${encodeURIComponent(state)}; HttpOnly; Path=/; Max-Age=${10 * 60}; SameSite=Lax${isProduction ? '; Secure' : ''}`
+  // Use SameSite=Strict for OAuth state to prevent CSRF during OAuth flow
+  return `oauth_state=${encodeURIComponent(state)}; HttpOnly; Path=/; Max-Age=${10 * 60}; SameSite=Strict${isProduction ? '; Secure' : ''}`
 }
 
 export function clearOAuthStateCookie(isProduction: boolean): string {
-  return `oauth_state=; HttpOnly; Path=/; Max-Age=0; SameSite=Lax${isProduction ? '; Secure' : ''}`
+  return `oauth_state=; HttpOnly; Path=/; Max-Age=0; SameSite=Strict${isProduction ? '; Secure' : ''}`
 }
 
 export function getOAuthStateCookie(request: Request): string | null {
diff --git a/src/components/game/ui/GameHUD.tsx b/src/components/game/ui/GameHUD.tsx
@@ -1,6 +1,6 @@
 import { useEffect, useState } from 'react'
 import { useGameStore } from '../hooks/useGameStore'
-import { Compass, Map, Coins, ShoppingBag } from 'lucide-react'
+import { Map, Coins, ShoppingBag, Zap } from 'lucide-react'
 
 export function GameHUD() {
   const {
@@ -13,7 +13,7 @@ export function GameHUD() {
     cornerIslands,
     showcaseUnlocked,
     cornersUnlocked,
-    boatRotation,
+
     coinsCollected,
     boatHealth,
     shipStats,
@@ -22,6 +22,7 @@ export function GameHUD() {
     clearLastUnlockedUpgrade,
     openShop,
     setPhase,
+    fireCannon,
   } = useGameStore()
 
   // Cooldown progress (0-1, 1 = ready)
@@ -116,22 +117,6 @@ export function GameHUD() {
 
   if (phase !== 'playing') return null
 
-  // Convert rotation to compass direction
-  const getCompassDirection = (rotation: number) => {
-    // Normalize to 0-360
-    const degrees = ((rotation * 180) / Math.PI + 360) % 360
-
-    if (degrees >= 337.5 || degrees < 22.5) return 'N'
-    if (degrees >= 22.5 && degrees < 67.5) return 'NW'
-    if (degrees >= 67.5 && degrees < 112.5) return 'W'
-    if (degrees >= 112.5 && degrees < 157.5) return 'SW'
-    if (degrees >= 157.5 && degrees < 202.5) return 'S'
-    if (degrees >= 202.5 && degrees < 247.5) return 'SE'
-    if (degrees >= 247.5 && degrees < 292.5) return 'E'
-    if (degrees >= 292.5 && degrees < 337.5) return 'NE'
-    return 'N'
-  }
-
   // lastUnlockedUpgrade is now the full Upgrade object
   const upgradeInfo = lastUnlockedUpgrade
 
@@ -140,7 +125,16 @@ export function GameHUD() {
       {/* Coin hint */}
       {showCoinHint && (
         <div className="absolute top-16 left-1/2 -translate-x-1/2 animate-in fade-in slide-in-from-top-2 duration-300">
-          <div className="bg-black/60 backdrop-blur-sm rounded-xl px-4 py-2 text-center text-white text-sm max-w-xs">
+          <div className="bg-black/60 backdrop-blur-sm rounded-xl px-4 py-2 text-center text-white text-sm max-w-xs relative">
+            <button
+              onClick={() => {
+                setShowCoinHint(false)
+                setCoinHintDismissed(true)
+              }}
+              className="absolute -top-1 -right-1 w-5 h-5 bg-white/20 hover:bg-white/30 rounded-full flex items-center justify-center text-white/60 hover:text-white transition-colors pointer-events-auto"
+            >
+              ×
+            </button>
             <span className="text-yellow-400 font-medium">Coins</span> make you
             faster and can be spent in the{' '}
             <span className="text-yellow-400 font-medium">shop</span>!
@@ -149,15 +143,7 @@ export function GameHUD() {
       )}
 
       {/* Top bar */}
-      <div className="flex justify-between items-start p-4">
-        {/* Compass */}
-        <div className="pointer-events-auto bg-black/30 backdrop-blur-sm rounded-xl px-4 py-2 flex items-center gap-2 text-white">
-          <Compass className="w-5 h-5" />
-          <span className="font-mono font-bold text-lg w-8">
-            {getCompassDirection(boatRotation)}
-          </span>
-        </div>
-
+      <div className="flex justify-end items-start p-4">
         {/* Coin counter + Shop button */}
         <button
           onClick={openShop}
@@ -169,7 +155,7 @@ export function GameHUD() {
         </button>
 
         {/* Island counter */}
-        <div className="pointer-events-auto bg-black/30 backdrop-blur-sm rounded-xl px-4 py-2 flex items-center gap-2 text-white">
+        <div className="pointer-events-auto bg-black/30 backdrop-blur-sm rounded-xl px-4 py-2 flex items-center gap-2 text-white ml-2">
           <Map className="w-5 h-5" />
           <span className="font-bold">
             {discoveredIslands.size} / {totalIslands}
@@ -182,31 +168,45 @@ export function GameHUD() {
 
       {/* Bottom bar - Battle stage only */}
       {stage === 'battle' && (
-        <div className="absolute bottom-4 left-1/2 -translate-x-1/2 flex flex-col items-center gap-2">
+        <div
+          className={`absolute bottom-4 flex flex-col items-center gap-2 ${'max-md:right-4 max-md:left-auto max-md:translate-x-0 left-1/2 -translate-x-1/2'}`}
+        >
+          {/* Touch fire button - only visible on touch devices */}
+          <button
+            onClick={fireCannon}
+            className="md:hidden pointer-events-auto bg-red-500/80 backdrop-blur-sm rounded-full p-4 flex items-center justify-center text-white hover:bg-red-600/80 active:scale-95 transition-all shadow-lg"
+            aria-label="Fire cannons"
+          >
+            <Zap className="w-6 h-6" />
+          </button>
           {/* Health bar */}
           <div
             className={`backdrop-blur-sm rounded-full px-4 py-2 flex items-center gap-3 transition-colors duration-75 ${
               damageFlash ? 'bg-red-500/70' : 'bg-black/40'
-            }`}
+            } max-md:px-3 max-md:py-1.5`}
           >
-            <span className="text-red-400 text-sm font-medium">HP</span>
-            <div className="w-32 h-3 bg-black/50 rounded-full overflow-hidden">
+            <span className="text-red-400 text-sm font-medium max-md:text-xs">
+              HP
+            </span>
+            <div className="w-32 h-3 bg-black/50 rounded-full overflow-hidden max-md:w-20 max-md:h-2">
               <div
                 className="h-full bg-gradient-to-r from-red-600 to-red-400"
                 style={{
                   width: `${(boatHealth / shipStats.maxHealth) * 100}%`,
                 }}
               />
             </div>
-            <span className="text-white text-sm font-mono w-12">
+            <span className="text-white text-sm font-mono w-12 max-md:text-xs max-md:w-10">
               {Math.round(boatHealth)}/{shipStats.maxHealth}
             </span>
           </div>
 
           {/* Cooldown gauge */}
-          <div className="bg-black/40 backdrop-blur-sm rounded-full px-4 py-2 flex items-center gap-3">
-            <span className="text-cyan-400 text-sm font-medium">CANNON</span>
-            <div className="w-24 h-2 bg-black/50 rounded-full overflow-hidden">
+          <div className="bg-black/40 backdrop-blur-sm rounded-full px-4 py-2 flex items-center gap-3 max-md:px-3 max-md:py-1.5">
+            <span className="text-cyan-400 text-sm font-medium max-md:text-xs">
+              CANNON
+            </span>
+            <div className="w-24 h-2 bg-black/50 rounded-full overflow-hidden max-md:w-16 max-md:h-1.5">
               <div
                 className={`h-full transition-all duration-75 ${
                   cooldownProgress >= 1
@@ -216,7 +216,7 @@ export function GameHUD() {
                 style={{ width: `${cooldownProgress * 100}%` }}
               />
             </div>
-            <span className="text-white/60 text-xs w-12">
+            <span className="text-white/60 text-xs w-12 max-md:text-[10px] max-md:w-10">
               {cooldownProgress >= 1 ? 'READY' : 'LOADING'}
             </span>
           </div>
diff --git a/src/components/game/ui/StatsHUD.tsx b/src/components/game/ui/StatsHUD.tsx
@@ -91,7 +91,7 @@ export function StatsHUD() {
         : '-'
 
   return (
-    <div className="absolute top-16 right-4 z-10 pointer-events-auto">
+    <div className="absolute top-16 right-4 z-10 pointer-events-auto hidden md:block">
       <div className="bg-black/40 backdrop-blur-sm rounded-lg px-4 py-3 text-xs text-white min-w-[150px] border border-white/5">
         {/* Speed */}
         <div className="space-y-1 mb-2">
diff --git a/src/components/game/ui/TouchControls.tsx b/src/components/game/ui/TouchControls.tsx
@@ -96,6 +96,7 @@ export function TouchControls() {
     }
 
     const onTouchMove = (e: TouchEvent) => {
+      e.preventDefault()
       const touch = e.touches[0]
       handleMove(touch.clientX, touch.clientY)
     }
@@ -105,7 +106,7 @@ export function TouchControls() {
     }
 
     window.addEventListener('touchstart', onTouchStart, { passive: true })
-    window.addEventListener('touchmove', onTouchMove, { passive: true })
+    window.addEventListener('touchmove', onTouchMove, { passive: false })
     window.addEventListener('touchend', onTouchEnd)
     window.addEventListener('touchcancel', onTouchEnd)
 
diff --git a/src/mcp/server.ts b/src/mcp/server.ts
@@ -6,6 +6,7 @@ import { doc, docSchema } from './tools/doc'
 import { searchDocs, searchDocsSchema } from './tools/search-docs'
 import { npmStats, npmStatsSchema } from './tools/npm-stats'
 import { ecosystem, ecosystemSchema } from './tools/ecosystem'
+import { env } from '~/utils/env'
 
 export type McpAuthContext = {
   userId: string
@@ -81,7 +82,7 @@ export const ALL_TOOL_NAMES = [
 export type ToolName = (typeof ALL_TOOL_NAMES)[number]
 
 function getEnabledTools(): Set<ToolName> | undefined {
-  const envVar = process.env.TANSTACK_MCP_ENABLED_TOOLS
+  const envVar = env.TANSTACK_MCP_ENABLED_TOOLS
   if (!envVar) return undefined
 
   const validTools = new Set<ToolName>()
diff --git a/src/routes/oauth/register.ts b/src/routes/oauth/register.ts
@@ -12,8 +12,14 @@ export const Route = createFileRoute('/oauth/register')({
   server: {
     handlers: {
       POST: async ({ request }: { request: Request }) => {
+        // CORS: Allow any origin for OAuth client registration
+        // This is secure because:
+        // 1. Registration only generates deterministic client IDs
+        // 2. No secrets are issued (PKCE public clients)
+        // 3. Redirect URIs are validated for localhost or HTTPS
+        const origin = request.headers.get('Origin')
         setResponseHeader('Content-Type', 'application/json')
-        setResponseHeader('Access-Control-Allow-Origin', '*')
+        setResponseHeader('Access-Control-Allow-Origin', origin || '*')
         setResponseHeader('Access-Control-Allow-Methods', 'POST, OPTIONS')
         setResponseHeader(
           'Access-Control-Allow-Headers',
@@ -85,11 +91,12 @@ export const Route = createFileRoute('/oauth/register')({
           )
         }
       },
-      OPTIONS: async () => {
+      OPTIONS: async ({ request }: { request: Request }) => {
+        const origin = request.headers.get('Origin')
         return new Response(null, {
           status: 204,
           headers: {
-            'Access-Control-Allow-Origin': '*',
+            'Access-Control-Allow-Origin': origin || '*',
             'Access-Control-Allow-Methods': 'POST, OPTIONS',
             'Access-Control-Allow-Headers': 'Content-Type, Authorization',
           },
diff --git a/src/routes/oauth/token.ts b/src/routes/oauth/token.ts
@@ -10,8 +10,13 @@ export const Route = createFileRoute('/oauth/token')({
   server: {
     handlers: {
       POST: async ({ request }: { request: Request }) => {
-        // Set CORS headers for all responses
-        setResponseHeader('Access-Control-Allow-Origin', '*')
+        // CORS: Allow any origin for OAuth token endpoint
+        // This is secure because:
+        // 1. PKCE (code_verifier) is required - attacker cannot forge this
+        // 2. Authorization code is one-time use and short-lived
+        // 3. No cookies are used - tokens are returned in response body
+        const origin = request.headers.get('Origin')
+        setResponseHeader('Access-Control-Allow-Origin', origin || '*')
         setResponseHeader('Access-Control-Allow-Methods', 'POST, OPTIONS')
         setResponseHeader(
           'Access-Control-Allow-Headers',
@@ -135,11 +140,12 @@ export const Route = createFileRoute('/oauth/token')({
           { status: 400 },
         )
       },
-      OPTIONS: async () => {
+      OPTIONS: async ({ request }: { request: Request }) => {
+        const origin = request.headers.get('Origin')
         return new Response(null, {
           status: 204,
           headers: {
-            'Access-Control-Allow-Origin': '*',
+            'Access-Control-Allow-Origin': origin || '*',
             'Access-Control-Allow-Methods': 'POST, OPTIONS',
             'Access-Control-Allow-Headers': 'Content-Type, Authorization',
           },
diff --git a/src/server/github.ts b/src/server/github.ts
@@ -1,7 +1,8 @@
 import { graphql } from '@octokit/graphql'
+import { env } from '~/utils/env'
 
 export const graphqlWithAuth = graphql.defaults({
   headers: {
-    authorization: `token ${process.env.GITHUB_AUTH_TOKEN}`,
+    authorization: `token ${env.GITHUB_AUTH_TOKEN}`,
   },
 })
diff --git a/src/utils/discord.server.ts b/src/utils/discord.server.ts
@@ -1,4 +1,6 @@
-const DISCORD_WEBHOOK_URL = process.env.DISCORD_WEBHOOK_URL
+import { env } from '~/utils/env'
+
+const DISCORD_WEBHOOK_URL = env.DISCORD_WEBHOOK_URL
 
 type EmbedField = {
   name: string
diff --git a/src/utils/email.server.ts b/src/utils/email.server.ts
@@ -5,11 +5,10 @@ import {
   sendTestNotification,
 } from './discord.server'
 import type { Capability } from '~/db/types'
+import { env } from '~/utils/env'
 
 // Keep Resend configured for future email needs
-const resend = process.env.RESEND_API_KEY
-  ? new Resend(process.env.RESEND_API_KEY)
-  : null
+const resend = env.RESEND_API_KEY ? new Resend(env.RESEND_API_KEY) : null
 
 const FROM_EMAIL = 'TanStack <notifications@tanstack.com>'
 
diff --git a/src/utils/env.ts b/src/utils/env.ts
@@ -11,6 +11,11 @@ const serverEnvSchema = v.object({
   SITE_URL: v.optional(v.string()), // Base URL for OAuth redirects (e.g., https://tanstack.com or http://localhost:3000)
   DATABASE_URL: v.optional(v.string()),
   SESSION_SECRET: v.optional(v.string()), // Secret key for signing session cookies (required in production)
+  DISCORD_WEBHOOK_URL: v.optional(v.string()),
+  RESEND_API_KEY: v.optional(v.string()),
+  POSTHOG_API_KEY: v.optional(v.string()),
+  SENTRY_DSN: v.optional(v.string()),
+  TANSTACK_MCP_ENABLED_TOOLS: v.optional(v.string()),
 })
 
 const clientEnvSchema = v.object({
diff --git a/src/utils/feed.functions.ts b/src/utils/feed.functions.ts
@@ -300,19 +300,17 @@ export const searchFeedEntries = createServerFn({ method: 'POST' })
   .handler(async ({ data }) => {
     const limit = data.limit ?? 20
 
-    // Use PostgreSQL full-text search
-    const searchQuery = data.search
-      .split(/\s+/)
-      .map((term) => `'${term.replace(/'/g, "''")}'`)
-      .join(' & ')
+    // Use PostgreSQL full-text search with plainto_tsquery for safe input handling
+    // plainto_tsquery automatically handles special characters and escaping
+    const searchInput = data.search.trim()
 
     const entries = await db
       .select()
       .from(feedEntries)
       .where(
         and(
           eq(feedEntries.showInFeed, true),
-          sql`to_tsvector('english', ${feedEntries.title} || ' ' || ${feedEntries.content} || ' ' || COALESCE(${feedEntries.excerpt}, '')) @@ to_tsquery('english', ${searchQuery})`,
+          sql`to_tsvector('english', ${feedEntries.title} || ' ' || ${feedEntries.content} || ' ' || COALESCE(${feedEntries.excerpt}, '')) @@ plainto_tsquery('english', ${searchInput})`,
         ),
       )
       .limit(limit)
@@ -568,7 +566,9 @@ export const setFeedConfig = createServerFn({ method: 'POST' })
     }),
   )
   .handler(async ({ data }) => {
-    // No admin check - config can be set by sync actions
+    // Require admin capability for modifying feed configuration
+    await requireAdmin()
+
     const existing = await db.query.feedConfig.findFirst({
       where: eq(feedConfig.key, data.key),
     })
diff --git a/src/utils/feed.server.ts b/src/utils/feed.server.ts
diff --git a/src/utils/posthog.server.ts b/src/utils/posthog.server.ts
diff --git a/src/utils/sentry.server.ts b/src/utils/sentry.server.ts
diff --git a/src/utils/users.server.ts b/src/utils/users.server.ts

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,15 @@ function getSessionSecret(): string {`
`28`	`28`	`'SESSION_SECRET environment variable is required in production',`
`29`	`29`	`)`
`30`	`30`	`}`
	`31`	`+ // In development, require explicit opt-in to use insecure default`
	`32`	`+ if (process.env.ALLOW_INSECURE_SESSION_SECRET !== 'true') {`
	`33`	`+ throw new Error(`
	`34`	`+ 'SESSION_SECRET environment variable is required. ' +`
	`35`	`+ 'Set ALLOW_INSECURE_SESSION_SECRET=true to use insecure default in development.',`
	`36`	`+ )`
	`37`	`+ }`
`31`	`38`	`console.warn(`
`32`		`- '[Auth] SESSION_SECRET not set, using insecure default for development only',`
	`39`	`+ '[Auth] WARNING: Using insecure session secret for development. Do NOT use in production.',`
`33`	`40`	`)`
`34`	`41`	`return 'dev-secret-key-change-in-production'`
`35`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -244,11 +244,12 @@ export function createOAuthStateCookie(`
`244`	`244`	`state: string,`
`245`	`245`	`isProduction: boolean,`
`246`	`246`	`): string {`
`247`		- return `oauth_state=${encodeURIComponent(state)}; HttpOnly; Path=/; Max-Age=${10 * 60}; SameSite=Lax${isProduction ? '; Secure' : ''}`
	`247`	`+ // Use SameSite=Strict for OAuth state to prevent CSRF during OAuth flow`
	`248`	+ return `oauth_state=${encodeURIComponent(state)}; HttpOnly; Path=/; Max-Age=${10 * 60}; SameSite=Strict${isProduction ? '; Secure' : ''}`
`248`	`249`	`}`
`249`	`250`
`250`	`251`	`export function clearOAuthStateCookie(isProduction: boolean): string {`
`251`		- return `oauth_state=; HttpOnly; Path=/; Max-Age=0; SameSite=Lax${isProduction ? '; Secure' : ''}`
	`252`	+ return `oauth_state=; HttpOnly; Path=/; Max-Age=0; SameSite=Strict${isProduction ? '; Secure' : ''}`
`252`	`253`	`}`
`253`	`254`
`254`	`255`	`export function getOAuthStateCookie(request: Request): string \| null {`
Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,7 @@ export function TouchControls() {`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`const onTouchMove = (e: TouchEvent) => {`
	`99`	`+ e.preventDefault()`
`99`	`100`	`const touch = e.touches[0]`
`100`	`101`	`handleMove(touch.clientX, touch.clientY)`
`101`	`102`	`}`
`@@ -105,7 +106,7 @@ export function TouchControls() {`
`105`	`106`	`}`
`106`	`107`
`107`	`108`	`window.addEventListener('touchstart', onTouchStart, { passive: true })`
`108`		`- window.addEventListener('touchmove', onTouchMove, { passive: true })`
	`109`	`+ window.addEventListener('touchmove', onTouchMove, { passive: false })`
`109`	`110`	`window.addEventListener('touchend', onTouchEnd)`
`110`	`111`	`window.addEventListener('touchcancel', onTouchEnd)`
`111`	`112`