Security audit, bug fixes, auto-save, and writing assistant improvements
Backend security & correctness: - Add rate_limit.py: sliding-window rate limiter (asyncio) applied to login, register, forgot/reset password endpoints (10/60s or 5/300s per IP) - app.py: add security headers in after_request (X-Frame-Options, CSP, X-Content-Type-Options, Referrer-Policy) using setdefault to preserve SSE headers - auth.py: refactor duplicate login_required/admin_required into shared _check_auth() - config.py: add TRUST_PROXY_HEADERS for proxy-aware client IP resolution - routes/auth.py: rate limiting, _client_ip() helper, cleaned-up reset_password route - routes/chat.py, notes.py, tasks.py: int() DoS fix on last_event_id; limit capped at 500; date.fromisoformat() wrapped in try/except → 400 on invalid dates - services/auth.py: fix Setting.user_id update bug (filter on NULL not user.id); reset_password_with_token returns int|None (user_id) instead of bool - services/backup.py: add _security_notice to full backup JSON export - services/assist.py: system prompt explicitly preserves markdown list structure and nested indented sub-items Infrastructure: - docker-compose.yml: add healthcheck on app service (/api/health, 10s interval) - .dockerignore: prevent secrets/node_modules/__pycache__/.env.* leaking into build Frontend bug fixes: - TaskCard.vue, TaskViewerView.vue: fix isOverdue() timezone bug (ISO string compare) - useAssist.ts: accept() now resets state to idle when document changed since proposal - stores/chat.ts: fix memory leak in _pollUntilLoaded() (try/catch around fetchStatus) - TiptapEditor.vue: selection offset uses closest-match strategy (not first-match) - utils/markdown.ts: explicit DOMPurify config with FORCE_BODY; remove as const (DOMPurify expects mutable string[]) New features: - Auto-save (5-minute interval) in NoteEditorView and TaskEditorView — only when editing an existing dirty record; silent on error, shows "Auto-saved" toast - sectionParser.ts: top-level bullet/numbered list items are now individual sections in the AI Assist panel (previously treated as one undifferentiated block) - editor-shared.css: extracted ~500 lines of CSS duplicated between both editors; includes .inline-assist-btn at global scope (required for teleported elements) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -42,8 +42,31 @@ function parseFallbackSections(body: string): MarkdownSection[] {
|
||||
const headingIndices = new Set(
|
||||
paragraphs.map((p, i) => isPseudoHeading(p.text) ? i : -1).filter(i => i >= 0)
|
||||
);
|
||||
if (headingIndices.size === 0)
|
||||
if (headingIndices.size === 0) {
|
||||
// No pseudo-headings — check if body is a bullet/numbered list.
|
||||
// If so, treat each top-level item (no leading spaces) as a section.
|
||||
const TOP_BULLET_RE = /^(?:[-*+]|\d+\.) /gm;
|
||||
const bulletStarts: number[] = [];
|
||||
let bm: RegExpExecArray | null;
|
||||
while ((bm = TOP_BULLET_RE.exec(body)) !== null) {
|
||||
bulletStarts.push(bm.index);
|
||||
}
|
||||
if (bulletStarts.length > 1) {
|
||||
return bulletStarts.map((startIdx, i) => {
|
||||
const endIdx = i + 1 < bulletStarts.length ? bulletStarts[i + 1] : body.length;
|
||||
const content = body.slice(startIdx, endIdx);
|
||||
const firstLine = content.split('\n')[0].replace(/^(?:[-*+]|\d+\.) /, '').trim();
|
||||
return {
|
||||
heading: firstLine.length > 50 ? firstLine.slice(0, 50) + '\u2026' : firstLine,
|
||||
level: 0,
|
||||
content,
|
||||
startOffset: startIdx,
|
||||
endOffset: endIdx,
|
||||
};
|
||||
});
|
||||
}
|
||||
return [{ heading: '', level: 0, content: body, startOffset: 0, endOffset: body.length }];
|
||||
}
|
||||
|
||||
const sections: MarkdownSection[] = [];
|
||||
const headingIdxArray = [...headingIndices].sort((a, b) => a - b);
|
||||
|
||||
Reference in New Issue
Block a user