a05aaf8d71
fix(diagrams): replace par/and/end with group in seq-polling
...
Build and Push Docker Image / build (push) Successful in 22s
CI / Security audit (push) Successful in 1m4s
CI / Tests & coverage (push) Has been cancelled
Render PlantUML Diagrams / Render .puml → .png (push) Successful in 1m2s
par keyword is not supported in the PlantUML version on the Gitea runner.
Replace with a group block (universally supported) and a spanning note
to convey the parallelism.
2026-05-17 10:28:46 +01:00
9751dbf98d
docs(diagrams): review + fix all .puml files; touch all to trigger render
...
Build and Push Docker Image / build (push) Successful in 31s
CI / Security audit (push) Successful in 51s
CI / Tests & coverage (push) Successful in 1m6s
Render PlantUML Diagrams / Render .puml → .png (push) Failing after 47s
seq-auth:
- startAutoRefresh() -> startSSE(), stopAutoRefresh() -> stopSSE()
- Cookie secure flag: 'secure (prod)' -> 'secure (if TRUST_PROXY)'
component:
- Fix typo creatApp -> createApp
- Add GET /csrf, POST /logout to browser->auth arrow
- Add GET /stream (SSE) to browser->dashboard arrow
class-server:
- Add subscribers Set, onPollComplete(), offPollComplete() to Poller class
class-data:
- Add SSE Event /stream shape alongside API Response /user-downloads
- Add sser *-- dl relationship
state-ui:
- Fix invalid multi-line transition labels with raw Unicode arrows
(broke PlantUML parser); replace with valid \n escapes on single line
seq-dashboard, seq-polling, state-poller, activity-matching:
- Whitespace touch to trigger render-diagrams CI workflow
2026-05-17 10:20:52 +01:00
121c49b35b
docs: update ARCHITECTURE.md and README for 1.0.x fixes
...
Build and Push Docker Image / build (push) Successful in 22s
CI / Security audit (push) Successful in 1m0s
CI / Tests & coverage (push) Successful in 1m14s
ARCHITECTURE.md:
- Cookie secure flag: NODE_ENV → TRUST_PROXY (3 locations)
- upgrade-insecure-requests: document it gates on TRUST_PROXY not NODE_ENV
- Docker image note: NODE_ENV=production no longer implies secure cookies
- Security checklist: clarify TRUST_PROXY enables secure cookie + CSP + HSTS
- dashboard.js route table: add /stream endpoint note
- NODE_ENV env var table: correct description
README.md:
- qBittorrent availability: note red highlight when < 100%
- Login side-effects: secure cookie gated on TRUST_PROXY not NODE_ENV
2026-05-17 10:06:43 +01:00
dcf613446e
docs: final 1.0.0 documentation pass
...
Build and Push Docker Image / build (push) Successful in 28s
CI / Security audit (push) Successful in 50s
CI / Tests & coverage (push) Successful in 1m3s
README.md:
- Node prerequisite: v12+ → v22+
- Real-Time Updates: describe SSE push, remove polling/refresh-selector wording
- On-demand mode: update for SSE connect triggering poll
- API Endpoints: add /stream, /me, /csrf, /user-summary, /status, /cover-art
- Remove stale /api/qbittorrent proxy entry
- Docker tags: update to 1.0.x
SECURITY.md:
- Supported versions: add 1.0.x, retire 0.2.x
- CSP header: add style-src-attr 'unsafe-inline'
- Nginx example: add proxy_buffering off / proxy_read_timeout for SSE
Diagrams:
- seq-dashboard.puml: rewrite as SSE stream sequence (connect,
initial payload, pushed updates, heartbeat, disconnect)
- seq-polling.puml: add SSE subscriber notification step after
cache population
- state-ui.puml: replace Refresh Rate sub-state with SSE Connection
state machine; update splash loading and logout transitions
- state-poller.puml: add Notifying SSE subscribers step in Polling state
package.json: bump to 1.0.0
2026-05-17 09:19:35 +01:00
abdd0da306
feat: replace client polling with Server-Sent Events (SSE)
...
Build and Push Docker Image / build (push) Successful in 23s
CI / Security audit (push) Successful in 38s
CI / Tests & coverage (push) Failing after 38s
Server:
- poller.js: add pollSubscribers Set with onPollComplete/offPollComplete;
notify all SSE callbacks immediately after every successful poll
- dashboard.js: add GET /api/dashboard/stream endpoint (text/event-stream)
- requireAuth enforced via cookie (no CSRF needed — GET is a safe method)
- X-Accel-Buffering: no for nginx proxy compatibility
- 25s heartbeat comments to survive proxy idle timeouts
- initial payload sent immediately on connect
- cleanup on req.close: deregister callback, stop heartbeat, remove client
- active client tracking updated: type='sse', connectedAt, no refreshRateMs
Frontend:
- app.js: replace setInterval/fetchUserDownloads with EventSource
- startSSE() opens /api/dashboard/stream; stopSSE() closes it
- first incoming message hides loading spinner
- showAll toggle re-opens stream with ?showAll=true param
- logout calls stopSSE() before POST /api/auth/logout
- status panel: fixed 5s refresh, shows SSE clients + connect duration
- statusRefreshHandle now always 5s, not tied to old refresh-rate selector
- index.html: remove now-unused refresh-rate <select> element
Docs:
- ARCHITECTURE.md §4.3: update poller description
- ARCHITECTURE.md §5: rename to SSE Stream (§5.2) + Download Matching (§5.3)
- ARCHITECTURE.md §7: update active client tracking description
- ARCHITECTURE.md §9: add /stream endpoint, update /status clients schema
- ARCHITECTURE.md §10: update key functions table; replace Auto-Refresh
section with Live Push via SSE
- class-server.puml: add /stream to dashboard routes; update ClientInfo
- component.puml: annotate dashboard with SSE note; update label
2026-05-17 08:35:22 +01:00
8c829f9651
docs: audit and update all documentation to reflect current codebase
...
Build and Push Docker Image / build (push) Successful in 35s
CI / Security audit (push) Successful in 58s
CI / Tests & coverage (push) Failing after 1m5s
ARCHITECTURE.md:
- Node version: 18+ → 22 (Alpine)
- Tech stack: add helmet, express-rate-limit, cookie-parser, testing tools
- Directory structure: add server/app.js, verifyCsrf.js, tokenStore.js,
sanitizeError.js, tests/, docs/, .gitea/workflows/, vitest.config.js
- §4.1: document app.js factory (createApp) vs index.js entry point;
CSP nonce, rate limiters, CSRF middleware, trust proxy
- §4.2: add CSRF Required column; document verifyCsrf; fix auth note
- §4.3: add tokenStore.js and sanitizeError.js descriptions
- §6 Auth flow: add rememberMe, rate limiter, stable DeviceId, server-side
token store, CSRF token issuance, correct cookie TTL (session/30d not 24h)
- §9 API: add csrfToken to login response, rememberMe field, 400/429 codes;
add GET /api/auth/csrf endpoint; fix /me response; fix /logout CSRF note
- §11 Config: add DATA_DIR, COOKIE_SECRET, TRUST_PROXY, NODE_ENV; split
into Core / Emby / Service Instances / Tuning sections
- §12 Deployment: update Dockerfile description to multi-stage node:22-alpine;
add COOKIE_SECRET, TRUST_PROXY, named volume to compose example;
add security hardening checklist; add CI/CD table
diagrams/seq-auth.puml:
- Add TokenStore participant
- Add rememberMe, CSRF token issuance, stable DeviceId note
- Add login rate limiter note
- Add GET /csrf refresh flow
- Add server-side token revocation on logout
diagrams/class-server.puml:
- Add app.js createApp() factory class
- Add verifyCsrf middleware class
- Add TokenStore and SanitizeError utility classes
- Update auth.js routes (add GET /csrf)
- Fix relationships: entry → appfn → routes
diagrams/component.puml:
- Add app.js factory component
- Add helmet, express-rate-limit components
- Add verifyCsrf middleware component
- Add tokenStore.js and sanitizeError.js utility components
- Fix wiring: entry → createApp() → mounts routes
Dockerfile:
- Fix stale comments referencing better-sqlite3 and SQLite
server/routes/auth.js:
- Fix stale comment: SQLite-backed → JSON file-backed
2026-05-17 08:05:08 +01:00
6675e5dcfe
docs: update architecture docs and diagrams for recent changes
...
Build and Push Docker Image / build (push) Successful in 24s
ARCHITECTURE.md:
- Directory structure: add middleware/requireAuth.js and favicon assets
- §4.1: remove CORS from middleware list
- §4.2: all proxy routes now auth-required via requireAuth; add
middleware description
- §6: cookie payload corrected (no token); document secure+sameSite
- §7: add emby:users cache key (60s TTL)
- §8: Download Object table: userTag → allTags/matchedUserTag/tagBadges
- §9 POST /login: document cookie security attributes
- §10: add Tag Badge Rendering section; remove hardcoded line count
Diagrams:
- class-server.puml: add requireAuth middleware module; update
dashboard.js methods (extractAllTags, extractUserTag w/ username,
buildTagBadges, getEmbyUsers); add TagBadge value class; add auth
relationships for all proxy routes
- class-data.puml: Download Object userTag → allTags/matchedUserTag/
tagBadges; add TagBadge class; remove token from Session Cookie
- seq-auth.puml: cookie payload no longer contains token; add
secure/sameSite note
- component.puml: remove CORS component; add requireAuth; consolidate
Emby connection to show tag badge + user-summary usage
- activity-matching.puml: update to extractAllTags/extractUserTag
(with username); showAll uses hasAnyTag; tagBadges built from
embyUserMap; add Emby user fetch step; update legend
- seq-dashboard.puml: add emby:users cache lookup / Emby fetch for
showAll; update matching groups to show tag classification; add
tag badge rendering note on renderDownloads()
2026-05-16 15:41:23 +01:00
e97bd3c67b
docs: comprehensive architecture documentation with PlantUML diagrams
...
- docs/ARCHITECTURE.md: full system overview, technology stack, directory
structure, component architecture, data flow, auth, polling/caching,
download matching pipeline, API reference, frontend architecture,
configuration, deployment guide
- docs/diagrams/component.puml: system component diagram
- docs/diagrams/seq-auth.puml: authentication sequence diagram
- docs/diagrams/seq-dashboard.puml: dashboard request sequence diagram
- docs/diagrams/seq-polling.puml: background polling cycle sequence
- docs/diagrams/class-server.puml: server-side class/module diagram
- docs/diagrams/class-data.puml: data model / entity diagram
- docs/diagrams/state-ui.puml: frontend UI state diagram
- docs/diagrams/state-poller.puml: poller state diagram
- docs/diagrams/activity-matching.puml: download matching activity diagram
2026-05-16 00:32:16 +01:00
