Security audit, bug fixes, auto-save, and writing assistant improvements
Backend security & correctness: - Add rate_limit.py: sliding-window rate limiter (asyncio) applied to login, register, forgot/reset password endpoints (10/60s or 5/300s per IP) - app.py: add security headers in after_request (X-Frame-Options, CSP, X-Content-Type-Options, Referrer-Policy) using setdefault to preserve SSE headers - auth.py: refactor duplicate login_required/admin_required into shared _check_auth() - config.py: add TRUST_PROXY_HEADERS for proxy-aware client IP resolution - routes/auth.py: rate limiting, _client_ip() helper, cleaned-up reset_password route - routes/chat.py, notes.py, tasks.py: int() DoS fix on last_event_id; limit capped at 500; date.fromisoformat() wrapped in try/except → 400 on invalid dates - services/auth.py: fix Setting.user_id update bug (filter on NULL not user.id); reset_password_with_token returns int|None (user_id) instead of bool - services/backup.py: add _security_notice to full backup JSON export - services/assist.py: system prompt explicitly preserves markdown list structure and nested indented sub-items Infrastructure: - docker-compose.yml: add healthcheck on app service (/api/health, 10s interval) - .dockerignore: prevent secrets/node_modules/__pycache__/.env.* leaking into build Frontend bug fixes: - TaskCard.vue, TaskViewerView.vue: fix isOverdue() timezone bug (ISO string compare) - useAssist.ts: accept() now resets state to idle when document changed since proposal - stores/chat.ts: fix memory leak in _pollUntilLoaded() (try/catch around fetchStatus) - TiptapEditor.vue: selection offset uses closest-match strategy (not first-match) - utils/markdown.ts: explicit DOMPurify config with FORCE_BODY; remove as const (DOMPurify expects mutable string[]) New features: - Auto-save (5-minute interval) in NoteEditorView and TaskEditorView — only when editing an existing dirty record; silent on error, shows "Auto-saved" toast - sectionParser.ts: top-level bullet/numbered list items are now individual sections in the AI Assist panel (previously treated as one undifferentiated block) - editor-shared.css: extracted ~500 lines of CSS duplicated between both editors; includes .inline-assist-btn at global scope (required for teleported elements) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -35,7 +35,7 @@ chat_bp = Blueprint("chat", __name__, url_prefix="/api/chat")
|
||||
@login_required
|
||||
async def list_conversations_route():
|
||||
uid = get_current_user_id()
|
||||
limit = request.args.get("limit", 50, type=int)
|
||||
limit = min(request.args.get("limit", 50, type=int), 500)
|
||||
offset = request.args.get("offset", 0, type=int)
|
||||
conversations, total = await list_conversations(uid, limit=limit, offset=offset)
|
||||
return jsonify({
|
||||
@@ -167,7 +167,10 @@ async def generation_stream_route(conv_id: int):
|
||||
|
||||
# Determine starting point from Last-Event-ID header or query param
|
||||
last_id_str = request.headers.get("Last-Event-ID") or request.args.get("last_event_id")
|
||||
last_id = int(last_id_str) if last_id_str is not None else -1
|
||||
try:
|
||||
last_id = int(last_id_str) if last_id_str is not None else -1
|
||||
except (ValueError, TypeError):
|
||||
last_id = -1
|
||||
|
||||
async def stream():
|
||||
cursor = last_id
|
||||
@@ -335,14 +338,17 @@ async def chat_status_route():
|
||||
result["ollama"] = "available"
|
||||
model_names = {m["name"] for m in tags_resp.json().get("models", [])}
|
||||
base = default_model.removesuffix(":latest")
|
||||
if default_model in model_names or f"{base}:latest" in model_names:
|
||||
if default_model in model_names or f"{base}:latest" in model_names or base in model_names:
|
||||
# Installed — now check if currently loaded in memory
|
||||
result["model"] = "cold"
|
||||
if not isinstance(ps_resp, Exception):
|
||||
ps_resp.raise_for_status()
|
||||
loaded_names = {m["name"] for m in ps_resp.json().get("models", [])}
|
||||
if default_model in loaded_names or f"{base}:latest" in loaded_names:
|
||||
result["model"] = "loaded"
|
||||
try:
|
||||
ps_resp.raise_for_status()
|
||||
loaded_names = {m["name"] for m in ps_resp.json().get("models", [])}
|
||||
if default_model in loaded_names or f"{base}:latest" in loaded_names or base in loaded_names:
|
||||
result["model"] = "loaded"
|
||||
except Exception:
|
||||
logger.debug("Ollama /api/ps check failed", exc_info=True)
|
||||
except Exception:
|
||||
logger.debug("Ollama status check failed", exc_info=True)
|
||||
return jsonify(result)
|
||||
|
||||
Reference in New Issue
Block a user