Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity
238 Commits 16 Branches 15 Tags
main
Commit Graph

4 Commits

Author SHA1 Message Date
Gronod
c0dd93a1ab feat: production hardening v1.2.0
Some checks failed
Build and Push Docker Image / build (push) Successful in 59s
Details
CI / Security audit (push) Successful in 1m5s
Details
CI / Tests & coverage (push) Successful in 1m24s
Details
Docs Check / Markdown lint (push) Failing after 45s
Details
Docs Check / Mermaid diagram parse check (push) Successful in 1m27s
Details
CI / Security audit (pull_request) Successful in 51s
Details
CI / Tests & coverage (pull_request) Successful in 1m1s
Details
Docs Check / Markdown lint (pull_request) Failing after 39s
Details
Docs Check / Mermaid diagram parse check (pull_request) Successful in 1m12s
Details 
Phase 1 - Licensing & Compliance:
- Add MIT LICENSE file
- Add copyright headers to server/index.js, poller.js, config.js,
  sanitizeError.js, and new loadSecrets.js

Phase 2 - Security Hardening:
- Add server/utils/loadSecrets.js: Docker secrets support via _FILE
  env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.)
- Add SSRF/URL validation in config.js: validates all configured
  service instance URLs for scheme and well-formedness at startup
- Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP
  connections, 10s force-exit fallback
- Warn at startup if COOKIE_SECRET is shorter than 32 characters
- Validate EMBY_URL scheme at startup
- Improve sanitizeError: redact host:port from axios error URLs
  while preserving path/query for other redaction patterns

Phase 3 - Config Robustness:
- Weak COOKIE_SECRET warning (< 32 chars)
- EMBY_URL validated via validateInstanceUrl on startup

Phase 4 - Docker & Deployment:
- .dockerignore: add tests/, coverage/, vitest.config.js,
  CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json
- docker-compose.yaml: add commented Option B (Docker secrets
  _FILE pattern) alongside existing plain-env Option A

Phase 5 - Docs & Release Readiness:
- Add CHANGELOG.md with entries from v1.0.0 to v1.2.0
- Update SECURITY.md: supported versions table, fix Docker secrets
  note to reflect _FILE support now implemented
- Add public/.well-known/security.txt for responsible disclosure
- Bump version to 1.2.0
 2026-05-17 19:40:07 +01:00
Gronod
de8563704a security: ensure log files excluded recursively from git and Docker builds (issue #16)
All checks were successful
Build and Push Docker Image / build (push) Successful in 33s
Details 
*.log only matched root-level logs; add **/*.log to cover server/server.log
and any other subdirectory log files in both .gitignore and .dockerignore.
 2026-05-16 15:08:44 +01:00
Gronod
83049786eb security: fix issues #1-4 from security audit
All checks were successful
Build and Push Docker Image / build (push) Successful in 39s
Details 
#1 Session cookie: add secure (production-only) and sameSite=strict
    to prevent transmission over HTTP and cross-site request abuse.
#2 Remove Emby AccessToken from cookie payload — it was stored in
    the browser cookie but is never needed client-side; reduces blast
    radius if cookie is ever exposed.
#3 Add requireAuth middleware to all proxy routes (/api/emby,
    /api/sabnzbd, /api/sonarr, /api/radarr) — previously unauthenticated,
    now require a valid emby_user session cookie.
#4 Remove open CORS wildcard (cors() with no options). The frontend
    is served from the same origin so no CORS headers are required.
    Also update clearCookie() to include matching cookie options.
 2026-05-16 15:07:50 +01:00
Gronod
87f8c2d42b ci: add Dockerfile and Gitea Actions workflow for automated image builds
Some checks failed
Build and Push Docker Image / build (push) Has been cancelled
Details 
- Dockerfile based on node:18-alpine
- Gitea Actions workflow triggers on push to release/* branches
- Builds and pushes to Gitea container registry with version tags
 2026-05-15 15:15:09 +01:00