Security audit, bug fixes, auto-save, and writing assistant improvements

Backend security & correctness:
- Add rate_limit.py: sliding-window rate limiter (asyncio) applied to login,
  register, forgot/reset password endpoints (10/60s or 5/300s per IP)
- app.py: add security headers in after_request (X-Frame-Options, CSP,
  X-Content-Type-Options, Referrer-Policy) using setdefault to preserve SSE headers
- auth.py: refactor duplicate login_required/admin_required into shared _check_auth()
- config.py: add TRUST_PROXY_HEADERS for proxy-aware client IP resolution
- routes/auth.py: rate limiting, _client_ip() helper, cleaned-up reset_password route
- routes/chat.py, notes.py, tasks.py: int() DoS fix on last_event_id; limit capped
  at 500; date.fromisoformat() wrapped in try/except → 400 on invalid dates
- services/auth.py: fix Setting.user_id update bug (filter on NULL not user.id);
  reset_password_with_token returns int|None (user_id) instead of bool
- services/backup.py: add _security_notice to full backup JSON export
- services/assist.py: system prompt explicitly preserves markdown list structure
  and nested indented sub-items

Infrastructure:
- docker-compose.yml: add healthcheck on app service (/api/health, 10s interval)
- .dockerignore: prevent secrets/node_modules/__pycache__/.env.* leaking into build

Frontend bug fixes:
- TaskCard.vue, TaskViewerView.vue: fix isOverdue() timezone bug (ISO string compare)
- useAssist.ts: accept() now resets state to idle when document changed since proposal
- stores/chat.ts: fix memory leak in _pollUntilLoaded() (try/catch around fetchStatus)
- TiptapEditor.vue: selection offset uses closest-match strategy (not first-match)
- utils/markdown.ts: explicit DOMPurify config with FORCE_BODY; remove as const
  (DOMPurify expects mutable string[])

New features:
- Auto-save (5-minute interval) in NoteEditorView and TaskEditorView — only when
  editing an existing dirty record; silent on error, shows "Auto-saved" toast
- sectionParser.ts: top-level bullet/numbered list items are now individual sections
  in the AI Assist panel (previously treated as one undifferentiated block)
- editor-shared.css: extracted ~500 lines of CSS duplicated between both editors;
  includes .inline-assist-btn at global scope (required for teleported elements)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-02-19 20:08:44 -05:00
parent 7b92d13863
commit 667ccd70cd
24 changed files with 865 additions and 1193 deletions
+24 -1
View File
@@ -42,8 +42,31 @@ function parseFallbackSections(body: string): MarkdownSection[] {
const headingIndices = new Set(
paragraphs.map((p, i) => isPseudoHeading(p.text) ? i : -1).filter(i => i >= 0)
);
if (headingIndices.size === 0)
if (headingIndices.size === 0) {
// No pseudo-headings — check if body is a bullet/numbered list.
// If so, treat each top-level item (no leading spaces) as a section.
const TOP_BULLET_RE = /^(?:[-*+]|\d+\.) /gm;
const bulletStarts: number[] = [];
let bm: RegExpExecArray | null;
while ((bm = TOP_BULLET_RE.exec(body)) !== null) {
bulletStarts.push(bm.index);
}
if (bulletStarts.length > 1) {
return bulletStarts.map((startIdx, i) => {
const endIdx = i + 1 < bulletStarts.length ? bulletStarts[i + 1] : body.length;
const content = body.slice(startIdx, endIdx);
const firstLine = content.split('\n')[0].replace(/^(?:[-*+]|\d+\.) /, '').trim();
return {
heading: firstLine.length > 50 ? firstLine.slice(0, 50) + '\u2026' : firstLine,
level: 0,
content,
startOffset: startIdx,
endOffset: endIdx,
};
});
}
return [{ heading: '', level: 0, content: body, startOffset: 0, endOffset: body.length }];
}
const sections: MarkdownSection[] = [];
const headingIdxArray = [...headingIndices].sort((a, b) => a - b);