Claude/analyze software improvements 6 m9e x#56
Open
lbh000000 wants to merge 5 commits into samqin123:main from
Conversation
Security:
- Add PBKDF2 password hashing (src/lib/password.ts) with backward compat for plain-text legacy passwords
- Remove plaintext password from auth cookie; use HMAC-signed timestamp for localstorage mode
- Update middleware to verify HMAC signature for localstorage mode (previously compared raw passwords)
- Apply hashing in redis.db.ts, upstash.db.ts, and d1.db.ts (registerUser, verifyUser, changePassword)
- Add SSRF protection to image-proxy: restrict proxied images to a whitelist of known CDN domains
Dockerfile:
- Replace fragile sed commands with scripts/switch-runtime.js (proper Node.js script)
- Add export const dynamic = 'force-dynamic' directly to layout.tsx (removes need for Dockerfile sed)
TypeScript:
- Replace eval('require') with createRequire from 'module' in config.ts
- Remove (this.storage as any) casts in DbManager — IStorage already defines all methods
- Remove no-console and no-explicit-any eslint-disable comments from several files
Logging:
- Add structured logger (src/lib/logger.ts): debug/info/warn/error levels, suppresses debug/info in production
- Replace console.log/error in all 14 API route files, config.ts, redis.db.ts, upstash.db.ts, d1.db.ts, middleware.ts
Tests:
- Add src/lib/__tests__/password.test.ts: PBKDF2 hash/verify, timing attack resistance, backward compat
- Add src/lib/__tests__/downstream.test.ts: API result parsing, dedup, error handling
- Add src/lib/__tests__/auth.test.ts: cookie parsing, no password leakage
Performance:
- Switch search/route.ts from Promise.all to Promise.allSettled so one failing source doesn't abort all results
Config validation:
- Add Zod schema (ConfigFileSchema) in config.ts; validate config.json on load with graceful fallback
https://claude.ai/code/session_01SAR2ag4vcE9NzJpqWgzJm1
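The hashing scheme described in the first commit (PBKDF2 with a timing-safe compare and a fallback for legacy plain-text records) can be sketched as follows. This is an added example, not the project's `src/lib/password.ts`; the `pbkdf2$<iterations>$<salt>$<hash>` storage format, the iteration count and the function names are assumptions for illustration.

```typescript
import { pbkdf2Sync, randomBytes, timingSafeEqual } from 'crypto';
import { Buffer } from 'buffer';

// Assumed storage format (not the project's): pbkdf2$<iterations>$<salt-hex>$<hash-hex>
const PREFIX = 'pbkdf2';
const ITERATIONS = 100_000;
const KEY_LEN = 32;
const DIGEST = 'sha256';

// Derive a fresh salted hash for a new or changed password.
export function hashPassword(password: string, iterations = ITERATIONS): string {
  const salt = randomBytes(16);
  const derived = pbkdf2Sync(password, salt, iterations, KEY_LEN, DIGEST);
  return [PREFIX, iterations, salt.toString('hex'), derived.toString('hex')].join('$');
}

// Anything not carrying the prefix is treated as a legacy plain-text record.
export function isLegacyPassword(stored: string): boolean {
  return !stored.startsWith(PREFIX + '$');
}

// Length check first (timingSafeEqual throws on unequal lengths), then a
// constant-time comparison so a mismatch does not leak where it occurred.
function constantTimeEqual(a: Buffer, b: Buffer): boolean {
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Verify a candidate password against either a PBKDF2 record or a legacy one.
export function verifyPassword(password: string, stored: string): boolean {
  if (isLegacyPassword(stored)) {
    return constantTimeEqual(Buffer.from(password, 'utf8'), Buffer.from(stored, 'utf8'));
  }
  const parts = stored.split('$');
  if (parts.length !== 4) return false;
  const iterations = Number.parseInt(parts[1], 10);
  if (!Number.isSafeInteger(iterations) || iterations <= 0) return false;
  const salt = Buffer.from(parts[2], 'hex');
  const expected = Buffer.from(parts[3], 'hex');
  if (salt.length === 0 || expected.length === 0) return false;
  const derived = pbkdf2Sync(password, salt, iterations, expected.length, DIGEST);
  return constantTimeEqual(derived, expected);
}

// Login-time migration: when a legacy record verifies, return a PBKDF2
// replacement the caller should persist; otherwise null (nothing to change).
export function upgradeIfLegacy(password: string, stored: string): string | null {
  if (!isLegacyPassword(stored)) return null;
  return verifyPassword(password, stored) ? hashPassword(password) : null;
}
```

Storing the iteration count inside the record lets the cost be raised later without invalidating existing hashes, and `upgradeIfLegacy` is the hook a `verifyUser` path would use to rewrite plain-text rows the first time their owner logs in.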
require('module') cannot be resolved by webpack when building edge-runtime
bundles that transitively import config.ts. The original eval('require')
pattern deliberately bypasses webpack static analysis and is the correct
approach for Next.js projects mixing edge and Node.js runtimes.
Added a detailed comment explaining why eval() is necessary here.
https://claude.ai/code/session_01SAR2ag4vcE9NzJpqWgzJm1
The previous strict domain allowlist blocked all video source cover images since they come from many different third-party CDNs. New approach: allow any external HTTP(S) URL but block requests to private/internal IP ranges to prevent SSRF:
- Loopback: 127.0.0.0/8, ::1
- RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Link-local: 169.254.0.0/16
- Cloud metadata: 100.64.0.0/10
This restores cover image functionality while still protecting against server-side request forgery attacks targeting internal services.
https://claude.ai/code/session_01SAR2ag4vcE9NzJpqWgzJm1
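A target check of the kind the commit above describes, as an added example rather than the project's image-proxy code: the IPv4 ranges are the ones listed in the commit message, plus 0.0.0.0/8 and the IPv6 loopback, link-local and unique-local ranges as additions; the function names and the `resolvedIp` parameter are assumptions.

```typescript
import { isIP } from 'net';

// Ranges named in the commit message, plus 0.0.0.0/8 (added here as a default).
const BLOCKED_V4: Array<[string, number]> = [
  ['127.0.0.0', 8],      // loopback
  ['10.0.0.0', 8],       // RFC1918
  ['172.16.0.0', 12],    // RFC1918
  ['192.168.0.0', 16],   // RFC1918
  ['169.254.0.0', 16],   // link-local (covers the 169.254.169.254 metadata endpoint)
  ['100.64.0.0', 10],    // listed by the commit as cloud metadata / shared address space
  ['0.0.0.0', 8],        // "this network"; added, not in the commit
];

function v4ToInt(ip: string): number {
  return ip.split('.').reduce((acc, octet) => (acc << 8) | Number(octet), 0) >>> 0;
}

function inCidr(ip: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return (v4ToInt(ip) & mask) === (v4ToInt(base) & mask);
}

// True when the address must not be fetched. Non-IP input fails closed:
// the caller is expected to resolve hostnames before asking.
export function isBlockedIp(ip: string): boolean {
  const kind = isIP(ip);
  if (kind === 4) return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
  if (kind === 6) {
    const lower = ip.toLowerCase();
    if (lower === '::1' || lower === '::') return true;           // loopback / unspecified
    const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);  // IPv4-mapped IPv6
    if (mapped) return isBlockedIp(mapped[1]);
    if (/^fe[89ab]/.test(lower)) return true;                      // link-local fe80::/10
    if (/^f[cd]/.test(lower)) return true;                         // unique local fc00::/7
    return false;
  }
  return true;
}

// Validate a proxy target URL. `resolvedIp` is the address the caller obtained
// from DNS (or is about to connect to); pass it so rebinding-style tricks are
// caught against the real destination, not just the hostname literal.
export function checkProxyTarget(raw: string, resolvedIp?: string): { ok: boolean; reason?: string } {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'invalid url' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in url' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  if (isIP(host) && isBlockedIp(host)) return { ok: false, reason: 'private address literal' };
  if (resolvedIp !== undefined && isBlockedIp(resolvedIp)) return { ok: false, reason: 'resolves to private address' };
  return { ok: true };
}
```

Two points a reviewer would check in the real route: the WHATWG `URL` parser already normalises shorthand and hex IPv4 forms such as `127.1` into dotted decimal before `isIP` sees them, and the check has to be repeated for every hop when the upstream fetch follows redirects, since a public host can otherwise bounce the proxy onto an internal address.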
…overs
Two issues caused all cover images to fail on HTTPS deployments:
1. Mixed Content: video source images are http:// URLs, blocked by browsers on HTTPS sites
2. Hotlink protection: Douban CDN returns 403 when fetched directly by the browser
The app has a built-in image proxy at /api/image-proxy that adds proper
Referer/User-Agent headers and fetches images server-side. However,
getImageProxyUrl() was returning null when IMAGE_PROXY env var was not
set, so images loaded bare without any proxy.
Fix: fall back to BUILTIN_IMAGE_PROXY ('/api/image-proxy?url=') instead
of null when no proxy is explicitly configured. User-level and env-var
settings still take precedence, and users can still disable the proxy
in settings if needed.
https://claude.ai/code/session_01SAR2ag4vcE9NzJpqWgzJm1