fix: harden web runtime and follow-up auth/db security fixes (#21)

## Summary
- harden the web runtime with JSON body limits, stricter generation input validation, rate limiting, and trusted Origin/Referer checks for cookie-authenticated mutations
- redact password-reset tokens from debug email transport logs and fail closed for unsupported email providers
- scope generation idempotency keys per user with a Prisma migration and regression coverage

## Testing
- docker build -f infra/docker/web.Dockerfile -t nroxy-web-check .
- docker run --rm --entrypoint sh nroxy-web-check -lc "pnpm --filter @nproxy/providers test && pnpm --filter @nproxy/db test && pnpm --filter @nproxy/web test"

Closes #14
Closes #7
Closes #8

Co-authored-by: sirily <sirily@git.shararam.party>
Reviewed-on: #21
This commit was merged in pull request #21.
2026-03-11 16:28:56 +03:00
parent 9641678fa3
commit 1a7250467e
14 changed files with 924 additions and 202 deletions


@@ -0,0 +1,4 @@
DROP INDEX "GenerationRequest_idempotencyKey_key";
CREATE UNIQUE INDEX "GenerationRequest_userId_idempotencyKey_key"
ON "GenerationRequest"("userId", "idempotencyKey");
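Review bot: The migration drops the global unique index before the per-user one exists, so if the migration runner does not wrap this file in a single transaction there is a window in which no idempotency-key uniqueness is enforced and concurrent retries can insert duplicates. Because the old global constraint is strictly tighter than the new composite one, the two statements can simply be reordered with no compatibility cost: `CREATE UNIQUE INDEX "GenerationRequest_userId_idempotencyKey_key" ON "GenerationRequest"("userId", "idempotencyKey");` first, then `DROP INDEX "GenerationRequest_idempotencyKey_key";`. Whether the runner is transactional on this database is not visible here, so the reorder is the cheaper guarantee either way.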


@@ -187,7 +187,7 @@ model GenerationRequest {
resolutionPreset String
batchSize Int
imageStrength Decimal? @db.Decimal(4, 3)
idempotencyKey String? @unique
idempotencyKey String?
terminalErrorCode String?
terminalErrorText String?
requestedAt DateTime @default(now())
@@ -200,6 +200,7 @@ model GenerationRequest {
assets GeneratedAsset[]
usageLedgerEntry UsageLedgerEntry?
@@unique([userId, idempotencyKey])
@@index([userId, status, requestedAt])
}
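Review bot: `@@unique([userId, idempotencyKey])` includes the nullable `idempotencyKey`, so rows with a null key never collide and every key-less request is accepted as new; that is presumably the intended behaviour, but nothing in the schema records it, and the old single-column `@unique` carried the same unstated assumption. Suggest a doc comment on the field: `/// Client-supplied idempotency key, unique per user; null keys are never deduplicated (SQL NULLs compare distinct).` A compound lookup on this pair presumably has to handle the null case separately, which the comment would make explicit for callers. The `GenerationRequest` model begins outside the hunk.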