Commit Graph

4 Commits

Author SHA1 Message Date
ddcfbda0c2 feat(history): add /api/history/recent endpoint with Sonarr/Radarr history fetching, tag filtering, and 5-min cache 2026-05-17 12:05:30 +01:00
94fe0dea4d fix: only emit upgrade-insecure-requests when TRUST_PROXY is set
NODE_ENV=production enabled upgrade-insecure-requests unconditionally,
which instructed browsers to upgrade HTTP subresource requests to HTTPS.
When sofarr is accessed directly over HTTP (no reverse proxy), this
silently blocks all CSS, JS, and image loads — the page renders unstyled
with no functionality.

The correct signal for 'we are behind HTTPS' is TRUST_PROXY, not
NODE_ENV. upgrade-insecure-requests is now only emitted when a
TLS-terminating reverse proxy is confirmed to be in front.
2026-05-17 09:34:52 +01:00
cafa608e8c fix: allow inline style= attributes via CSP style-src-attr
Timing bars in the status panel and any other dynamically-injected
style= attributes were being silently blocked by the Content Security
Policy. style-src only governs <style> blocks and linked stylesheets;
inline element attributes need style-src-attr separately.

Adding style-src-attr 'unsafe-inline' is the minimal fix — it only
affects attribute-level inline styles, not script execution.

Also removes the temporary debug console.log added in the previous commit.
2026-05-17 08:53:07 +01:00
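The header logic described in commits 94fe0dea4d and cafa608e8c, as an added example that is not sofarr's own code. `buildCsp`, `parseCsp`, `auditCsp`, the baseline directives and the rule for when `TRUST_PROXY` counts as set are assumptions made for illustration; only `TRUST_PROXY`, `NODE_ENV` and the two directives come from the commit messages.

```javascript
// Added example: hypothetical helpers, not taken from the sofarr repository.
// Assumed convention: unset, empty, "0" and "false" mean TRUST_PROXY is off.
const isSet = (v) =>
  v !== undefined && !['', '0', 'false'].includes(String(v).trim().toLowerCase());

function buildCsp(env) {
  const directives = [
    ['default-src', "'self'"],
    ['script-src', "'self'"],
    ['style-src', "'self'"],
    // style-src-attr overrides style-src for style="" attributes only;
    // <style> blocks and scripts stay restricted to 'self'.
    ['style-src-attr', "'unsafe-inline'"],
  ];
  // Gate on the proxy signal, not NODE_ENV: a production build served over
  // plain HTTP must not tell the browser to rewrite subresources to https://.
  if (isSet(env.TRUST_PROXY)) directives.push(['upgrade-insecure-requests']);
  return directives.map((d) => d.join(' ')).join('; ');
}

function parseCsp(header) {
  const out = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    // A repeated directive is ignored; the first occurrence is the one used.
    if (key && !out.has(key)) out.set(key, values);
  }
  return out;
}

// Report the two failure modes from the commit messages for one deployment.
function auditCsp(header, { servedOverHttps }) {
  const csp = parseCsp(header);
  const findings = [];
  if (csp.has('upgrade-insecure-requests') && !servedOverHttps) {
    findings.push('upgrade-insecure-requests on an HTTP-only origin: subresources will fail to load');
  }
  // Fallback chain for inline attributes: style-src-attr, style-src, default-src.
  const attr = csp.get('style-src-attr') ?? csp.get('style-src') ?? csp.get('default-src') ?? [];
  if (!attr.includes("'unsafe-inline'")) {
    findings.push('inline style= attributes will be blocked');
  }
  return findings;
}
```

Running `auditCsp` against the header a deployment actually returns, with `servedOverHttps` set to how clients reach it, catches the unstyled-page regression before a browser does.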
5fd55b4e1a test: add comprehensive test suite (115 tests, Vitest + supertest + nock)
Framework:
- Vitest v4 as test runner (fast ESM/CJS support, V8 coverage built-in)
- supertest for integration tests against createApp() factory
- nock for HTTP interception (works with CJS require('axios'), unlike vi.mock)

New files:
- vitest.config.js          — test config: node env, isolate, V8 coverage, per-file thresholds
- tests/setup.js             — isolated DATA_DIR per worker, SKIP_RATE_LIMIT, console suppression
- tests/README.md            — approach, structure, design decisions
- server/app.js              — testable Express factory (extracted from index.js side-effects)

Unit tests (91 tests):
- tests/unit/sanitizeError.test.js  — secret redaction: apikey, token, bearer, basic-auth URLs
- tests/unit/config.test.js         — JSON array + legacy single-instance config parsing
- tests/unit/requireAuth.test.js    — valid/invalid/tampered cookies, schema validation
- tests/unit/verifyCsrf.test.js     — double-submit pattern, timing-safe compare, safe methods
- tests/unit/qbittorrent.test.js    — formatBytes, formatEta, mapTorrentToDownload state map
- tests/unit/tokenStore.test.js     — store/get/clear lifecycle, TTL expiry, atomic disk write

Integration tests (24 tests):
- tests/integration/health.test.js  — /health and /ready endpoints
- tests/integration/auth.test.js    — full login/logout/me/csrf flows, input validation,
                                      cookie attributes, no token leakage, Emby mock via nock

Production code changes (minimal, no behaviour change):
- server/routes/auth.js: EMBY_URL captured at request-time (not module load) for testability
- server/routes/auth.js: loginLimiter max → Number.MAX_SAFE_INTEGER when SKIP_RATE_LIMIT set
- server/utils/sanitizeError.js: fix HEADER_PATTERN to redact full line (not just first token)

CI:
- .gitea/workflows/ci.yml: add parallel 'test' job (npm run test:coverage, artifact upload)
- package.json: add test/test:watch/test:coverage/test:ui scripts
- .gitignore: add coverage/
2026-05-17 07:45:33 +01:00