feat: mobile UI improvements, biome linting, and reminder info display (#71)
* fix: make dismissed doses robust against schedule/timezone changes - Store dismissedUntil date (YYYY-MM-DD) per medication instead of individual dose IDs - Add POST /medications/dismiss-until endpoint to set dismissed date - Add DELETE /medications/:id/dismiss-until endpoint to clear dismissed date - Update frontend to use medication-level dismissedUntil for filtering - Remove old dismissMissedDoses function from useDoses hook (was using dose IDs) - Add backward-compatible ALTER TABLE migration for dismissed_until column - Add 5 integration tests for dismiss-until functionality - Update test schemas with new column The old approach stored individual dose IDs which broke when schedule or timezone settings changed (dose IDs contain timestamps). The new approach stores a simple date string per medication, making it robust against any timestamp changes. * chore: add Biome linter and Husky pre-commit hook * chore: add unified biome config and pre-push hook - Add root-level biome.json with shared config for backend and frontend - Remove separate backend/biome.json and frontend/biome.json - Add .husky/pre-push hook to run backend tests before push - Update package.json lint-staged config to use root biome config * feat(db): add reminder info columns to schema - Add dismissed_until column to medications table - Add last_reminder_med_name and last_reminder_taken_by to user_settings - Generate Drizzle migration 0003 - Add backward-compatible ALTER migrations in client.ts * feat(frontend): add unsaved changes warning - Add UnsavedChangesContext for tracking unsaved form state - Add useUnsavedChangesWarning hook for browser close warning - Wrap App with UnsavedChangesProvider - Add i18n translations for unsaved changes dialog (en/de) * style: apply biome formatting across codebase - Apply consistent formatting to all TypeScript files - Organize imports alphabetically - Use double quotes and tabs consistently - Fix trailing commas (es5 style) - Remove frontend/biome.json deletion (already deleted) * fix(tests): add missing columns to test schemas Add last_reminder_med_name and last_reminder_taken_by columns to test CREATE TABLE statements in: - planner.test.ts - e2e-routes.test.ts - integration.test.ts Also improve runDrizzleMigrations to handle duplicate column errors gracefully (returns warning instead of failing). * fix(planner): add missing 'as unknown' type cast for request.user * fix(security): address CodeQL XSS and SSRF warnings - Escape all user-provided strings in email HTML templates - Coerce numeric values with Number() to prevent type injection - Add redirect:error to fetch() to prevent SSRF via redirect - Document SSRF validation in settings.ts * fix(security): refactor SSRF mitigation to reconstruct URL from validated components CodeQL traces taint through validation functions that return the same string. Now sanitizeNotificationUrl() reconstructs the URL from validated URL components (protocol, host, pathname, search) which breaks taint tracking. - Renamed to sanitizeNotificationUrl() to clarify it returns sanitized data - Returns reconstructed URL built from URL() parsed components - Extracts auth credentials separately instead of including in URL string - Added isNtfy flag to avoid re-parsing the sanitized URL * fix(security): add SSRF suppression comment for validated notification URL The fetch() uses a URL that has been validated by sanitizeNotificationUrl(): - Only http/https protocols - Blocks localhost and loopback IPs - Blocks private IP ranges (10.x, 172.16-31.x, 192.168.x, 169.254.x) - Blocks internal hostnames (.local, .internal, .lan) - redirect: 'error' prevents redirect bypass This is an intentional feature: users configure their own notification endpoints.
This commit is contained in:
Daniel Volz
GitHub
+100
-100
@@ -1,8 +1,8 @@
|
||||
import { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
|
||||
import { env } from "./env.js";
|
||||
import { count, eq, sql } from "drizzle-orm";
|
||||
import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
|
||||
import { db } from "../db/client.js";
|
||||
import { users } from "../db/schema.js";
|
||||
import { sql, count, eq } from "drizzle-orm";
|
||||
import { env } from "./env.js";
|
||||
|
||||
// =============================================================================
|
||||
// Anonymous User - Used when AUTH_ENABLED=false
|
||||
@@ -17,67 +17,67 @@ let anonymousUserVerified = false;
|
||||
* Uses a fixed ID (999999999) that will never collide with auto-increment IDs.
|
||||
*/
|
||||
export async function getAnonymousUserId(): Promise<number> {
|
||||
// Return cached if already verified
|
||||
if (anonymousUserVerified) {
|
||||
return ANONYMOUS_USER_ID;
|
||||
}
|
||||
// Return cached if already verified
|
||||
if (anonymousUserVerified) {
|
||||
return ANONYMOUS_USER_ID;
|
||||
}
|
||||
|
||||
// Check if anonymous user exists
|
||||
const [existing] = await db.select().from(users).where(eq(users.id, ANONYMOUS_USER_ID));
|
||||
|
||||
if (existing) {
|
||||
anonymousUserVerified = true;
|
||||
return ANONYMOUS_USER_ID;
|
||||
}
|
||||
// Check if anonymous user exists
|
||||
const [existing] = await db.select().from(users).where(eq(users.id, ANONYMOUS_USER_ID));
|
||||
|
||||
// Create anonymous user with fixed ID (SQLite allows explicit ID)
|
||||
await db.run(sql`
|
||||
if (existing) {
|
||||
anonymousUserVerified = true;
|
||||
return ANONYMOUS_USER_ID;
|
||||
}
|
||||
|
||||
// Create anonymous user with fixed ID (SQLite allows explicit ID)
|
||||
await db.run(sql`
|
||||
INSERT INTO users (id, username, password_hash, auth_provider, is_active, created_at, updated_at)
|
||||
VALUES (${ANONYMOUS_USER_ID}, ${ANONYMOUS_USERNAME}, NULL, 'anonymous', 1, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
|
||||
`);
|
||||
|
||||
anonymousUserVerified = true;
|
||||
console.log(`Created anonymous user with fixed ID ${ANONYMOUS_USER_ID} for no-auth mode`);
|
||||
|
||||
return ANONYMOUS_USER_ID;
|
||||
anonymousUserVerified = true;
|
||||
console.log(`Created anonymous user with fixed ID ${ANONYMOUS_USER_ID} for no-auth mode`);
|
||||
|
||||
return ANONYMOUS_USER_ID;
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// Auth State - Computed at runtime
|
||||
// =============================================================================
|
||||
export interface AuthState {
|
||||
authEnabled: boolean;
|
||||
registrationEnabled: boolean;
|
||||
localAuthEnabled: boolean;
|
||||
oidcEnabled: boolean;
|
||||
oidcProviderName: string;
|
||||
hasUsers: boolean;
|
||||
needsSetup: boolean;
|
||||
authEnabled: boolean;
|
||||
registrationEnabled: boolean;
|
||||
localAuthEnabled: boolean;
|
||||
oidcEnabled: boolean;
|
||||
oidcProviderName: string;
|
||||
hasUsers: boolean;
|
||||
needsSetup: boolean;
|
||||
}
|
||||
|
||||
export async function getAuthState(): Promise<AuthState> {
|
||||
// Count only real users (not the anonymous user with fixed ID)
|
||||
const [result] = await db.select({ count: count() }).from(users).where(sql`${users.id} != ${ANONYMOUS_USER_ID}`);
|
||||
const hasUsers = result.count > 0;
|
||||
|
||||
return {
|
||||
authEnabled: env.AUTH_ENABLED,
|
||||
// Registration: enabled via ENV OR no users exist (first-time setup)
|
||||
registrationEnabled: env.REGISTRATION_ENABLED || !hasUsers,
|
||||
localAuthEnabled: env.AUTH_ENABLED, // Password auth available when auth is enabled
|
||||
oidcEnabled: env.OIDC_ENABLED,
|
||||
oidcProviderName: env.OIDC_PROVIDER_NAME,
|
||||
hasUsers,
|
||||
needsSetup: env.AUTH_ENABLED && !hasUsers,
|
||||
};
|
||||
// Count only real users (not the anonymous user with fixed ID)
|
||||
const [result] = await db.select({ count: count() }).from(users).where(sql`${users.id} != ${ANONYMOUS_USER_ID}`);
|
||||
const hasUsers = result.count > 0;
|
||||
|
||||
return {
|
||||
authEnabled: env.AUTH_ENABLED,
|
||||
// Registration: enabled via ENV OR no users exist (first-time setup)
|
||||
registrationEnabled: env.REGISTRATION_ENABLED || !hasUsers,
|
||||
localAuthEnabled: env.AUTH_ENABLED, // Password auth available when auth is enabled
|
||||
oidcEnabled: env.OIDC_ENABLED,
|
||||
oidcProviderName: env.OIDC_PROVIDER_NAME,
|
||||
hasUsers,
|
||||
needsSetup: env.AUTH_ENABLED && !hasUsers,
|
||||
};
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// Request User Type (no roles - all users are equal)
|
||||
// =============================================================================
|
||||
export interface RequestUser {
|
||||
id: number;
|
||||
username: string;
|
||||
id: number;
|
||||
username: string;
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
@@ -87,78 +87,78 @@ export interface RequestUser {
|
||||
/**
|
||||
* Optional auth - verifies JWT if present, but doesn't require it
|
||||
*/
|
||||
export async function optionalAuth(request: FastifyRequest, reply: FastifyReply) {
|
||||
if (!env.AUTH_ENABLED) {
|
||||
return;
|
||||
}
|
||||
export async function optionalAuth(request: FastifyRequest, _reply: FastifyReply) {
|
||||
if (!env.AUTH_ENABLED) {
|
||||
return;
|
||||
}
|
||||
|
||||
const token = request.cookies.access_token;
|
||||
if (!token) {
|
||||
return;
|
||||
}
|
||||
const token = request.cookies.access_token;
|
||||
if (!token) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
const decoded = await request.jwtVerify<{ sub: number; username: string }>();
|
||||
const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
|
||||
if (user && user.isActive) {
|
||||
request.user = {
|
||||
id: user.id,
|
||||
username: user.username,
|
||||
};
|
||||
}
|
||||
} catch {
|
||||
// Invalid token, continue as anonymous
|
||||
}
|
||||
try {
|
||||
const decoded = await request.jwtVerify<{ sub: number; username: string }>();
|
||||
const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
|
||||
if (user?.isActive) {
|
||||
request.user = {
|
||||
id: user.id,
|
||||
username: user.username,
|
||||
};
|
||||
}
|
||||
} catch {
|
||||
// Invalid token, continue as anonymous
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Required auth - requires valid JWT when auth is enabled
|
||||
*/
|
||||
export async function requireAuth(request: FastifyRequest, reply: FastifyReply) {
|
||||
if (!env.AUTH_ENABLED) {
|
||||
return;
|
||||
}
|
||||
if (!env.AUTH_ENABLED) {
|
||||
return;
|
||||
}
|
||||
|
||||
const token = request.cookies.access_token;
|
||||
if (!token) {
|
||||
reply.status(401).send({ error: "Authentication required", code: "AUTH_REQUIRED" });
|
||||
throw new Error("AUTH_REQUIRED");
|
||||
}
|
||||
const token = request.cookies.access_token;
|
||||
if (!token) {
|
||||
reply.status(401).send({ error: "Authentication required", code: "AUTH_REQUIRED" });
|
||||
throw new Error("AUTH_REQUIRED");
|
||||
}
|
||||
|
||||
try {
|
||||
const decoded = await request.jwtVerify<{ sub: number; username: string }>();
|
||||
const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
|
||||
|
||||
if (!user) {
|
||||
reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
|
||||
throw new Error("USER_NOT_FOUND");
|
||||
}
|
||||
|
||||
if (!user.isActive) {
|
||||
reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
|
||||
throw new Error("ACCOUNT_DISABLED");
|
||||
}
|
||||
try {
|
||||
const decoded = await request.jwtVerify<{ sub: number; username: string }>();
|
||||
const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
|
||||
|
||||
request.user = {
|
||||
id: user.id,
|
||||
username: user.username,
|
||||
};
|
||||
} catch (err: any) {
|
||||
// Re-throw our own errors
|
||||
if (err?.message === "AUTH_REQUIRED" || err?.message === "USER_NOT_FOUND" || err?.message === "ACCOUNT_DISABLED") {
|
||||
throw err;
|
||||
}
|
||||
// JWT verification failed
|
||||
reply.status(401).send({ error: "Invalid or expired token", code: "INVALID_TOKEN" });
|
||||
throw new Error("INVALID_TOKEN");
|
||||
}
|
||||
if (!user) {
|
||||
reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
|
||||
throw new Error("USER_NOT_FOUND");
|
||||
}
|
||||
|
||||
if (!user.isActive) {
|
||||
reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
|
||||
throw new Error("ACCOUNT_DISABLED");
|
||||
}
|
||||
|
||||
request.user = {
|
||||
id: user.id,
|
||||
username: user.username,
|
||||
};
|
||||
} catch (err: any) {
|
||||
// Re-throw our own errors
|
||||
if (err?.message === "AUTH_REQUIRED" || err?.message === "USER_NOT_FOUND" || err?.message === "ACCOUNT_DISABLED") {
|
||||
throw err;
|
||||
}
|
||||
// JWT verification failed
|
||||
reply.status(401).send({ error: "Invalid or expired token", code: "INVALID_TOKEN" });
|
||||
throw new Error("INVALID_TOKEN");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Auth state endpoint plugin
|
||||
*/
|
||||
export async function authPlugin(app: FastifyInstance) {
|
||||
app.get("/auth/state", async () => {
|
||||
return getAuthState();
|
||||
});
|
||||
app.get("/auth/state", async () => {
|
||||
return getAuthState();
|
||||
});
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user