42d01da7f7
ci: fix mermaid parse — use jsdom to provide browser globals required by mermaid.core.mjs
2026-05-17 18:58:43 +01:00
6cf01f5530
ci: fix mermaid parse check — use mermaid.core.mjs (no Puppeteer/Chromium needed)
CI / Security audit (push) Has been cancelled
Build and Push Docker Image / build (push) Has been cancelled
CI / Tests & coverage (push) Has been cancelled
Docs Check / Markdown lint (push) Has been cancelled
Docs Check / Mermaid diagram parse check (push) Has been cancelled
2026-05-17 18:50:46 +01:00
a368636ec4
ci: add separate docs-check workflow for Markdown lint and Mermaid parse validation
CI / Security audit (push) Has been cancelled
CI / Tests & coverage (push) Has been cancelled
Docs Check / Markdown lint (push) Has been cancelled
Docs Check / Mermaid diagram parse check (push) Has been cancelled
Build and Push Docker Image / build (push) Has been cancelled
- docs-check.yml runs on push/PR only when .md files change
- markdown-lint job: uses markdownlint-cli to check all .md files
- mermaid-parse job: extracts all mermaid blocks from .md files and
validates each via mmdc (mermaid-js CLI) in headless Chromium
- Both jobs use continue-on-error: true so docs failures never block
a release or fail the main CI pipeline
- .markdownlint.json disables MD013 (line length), MD033 (inline HTML),
MD041 (first-line heading) to reduce noise on this repo
2026-05-17 18:36:16 +01:00
742f34f6eb
ci: remove v2-develop branch from build pipeline
Build and Push Docker Image / build (push) Successful in 20s
CI / Security audit (push) Successful in 37s
CI / Tests & coverage (push) Successful in 41s
CI / Security audit (pull_request) Successful in 34s
CI / Tests & coverage (pull_request) Successful in 39s
2026-05-17 13:25:50 +01:00
71880c6298
ci: add v2-develop branch to build pipeline (tags as sofarr:v2-develop)
Build and Push Docker Image / build (push) Successful in 22s
CI / Security audit (push) Successful in 38s
CI / Tests & coverage (push) Successful in 39s
2026-05-17 12:50:23 +01:00
224ec33a14
docs: migrate all diagrams from PlantUML to Mermaid
Build and Push Docker Image / build (push) Successful in 38s
CI / Security audit (push) Successful in 52s
CI / Tests & coverage (push) Successful in 1m0s
CI / Security audit (pull_request) Successful in 48s
CI / Tests & coverage (pull_request) Successful in 57s
- Replace section 13 of ARCHITECTURE.md with 9 inline Mermaid diagrams
(component, auth sequence, dashboard SSE sequence, polling sequence,
server class, data model, UI state, poller state, matching flowchart)
- Diagrams render natively in Gitea/GitHub — no CI job required
- Delete docs/diagrams/*.puml (all 9 files)
- Delete .gitea/workflows/render-diagrams.yml
- Update CI/CD table note and ToC entry
2026-05-17 10:37:46 +01:00
28f2aa17d8
ci: rename secret GITEA_TOKEN → BOT_TOKEN (GITEA_ prefix is reserved)
Build and Push Docker Image / build (push) Successful in 37s
CI / Security audit (push) Successful in 56s
CI / Tests & coverage (push) Successful in 1m4s
2026-05-17 10:12:51 +01:00
0ffe62e1ca
ci: add render-diagrams workflow (.puml → .png committed back to repo)
Build and Push Docker Image / build (push) Successful in 31s
CI / Security audit (push) Successful in 1m2s
CI / Tests & coverage (push) Successful in 1m8s
2026-05-17 10:09:59 +01:00
0d4b169c79
ci: downgrade upload-artifact to v3 (v4+ not supported on Gitea GHES)
Build and Push Docker Image / build (push) Successful in 22s
CI / Security audit (push) Successful in 37s
CI / Tests & coverage (push) Successful in 1m11s
2026-05-17 09:11:18 +01:00
5fd55b4e1a
test: add comprehensive test suite (115 tests, Vitest + supertest + nock)
Build and Push Docker Image / build (push) Successful in 49s
CI / Security audit (push) Successful in 1m23s
CI / Tests & coverage (push) Failing after 2m13s
Framework:
- Vitest v4 as test runner (fast ESM/CJS support, V8 coverage built-in)
- supertest for integration tests against createApp() factory
- nock for HTTP interception (works with CJS require('axios'), unlike vi.mock)
New files:
- vitest.config.js — test config: node env, isolate, V8 coverage, per-file thresholds
- tests/setup.js — isolated DATA_DIR per worker, SKIP_RATE_LIMIT, console suppression
- tests/README.md — approach, structure, design decisions
- server/app.js — testable Express factory (extracted from index.js side-effects)
Unit tests (91 tests):
- tests/unit/sanitizeError.test.js — secret redaction: apikey, token, bearer, basic-auth URLs
- tests/unit/config.test.js — JSON array + legacy single-instance config parsing
- tests/unit/requireAuth.test.js — valid/invalid/tampered cookies, schema validation
- tests/unit/verifyCsrf.test.js — double-submit pattern, timing-safe compare, safe methods
- tests/unit/qbittorrent.test.js — formatBytes, formatEta, mapTorrentToDownload state map
- tests/unit/tokenStore.test.js — store/get/clear lifecycle, TTL expiry, atomic disk write
Integration tests (24 tests):
- tests/integration/health.test.js — /health and /ready endpoints
- tests/integration/auth.test.js — full login/logout/me/csrf flows, input validation,
cookie attributes, no token leakage, Emby mock via nock
Production code changes (minimal, no behaviour change):
- server/routes/auth.js: EMBY_URL captured at request-time (not module load) for testability
- server/routes/auth.js: loginLimiter max → Number.MAX_SAFE_INTEGER when SKIP_RATE_LIMIT set
- server/utils/sanitizeError.js: fix HEADER_PATTERN to redact full line (not just first token)
CI:
- .gitea/workflows/ci.yml: add parallel 'test' job (npm run test:coverage, artifact upload)
- package.json: add test/test:watch/test:coverage/test:ui scripts
- .gitignore: add coverage/
2026-05-17 07:45:33 +01:00
bdbbcabfbc
feat(security): production hardening for external deployment
Build and Push Docker Image / build (push) Successful in 1m2s
CI / Security audit (push) Successful in 3m29s
Container (Dockerfile):
- Multi-stage build (deps + runtime) for minimal attack surface
- Upgrade base image from node:18-alpine to node:22-alpine
- Run as non-root 'node' user (UID 1000); source files owned by root
- /app/data directory owned by node for SQLite + logs
- Docker HEALTHCHECK: wget /health every 30s
docker-compose.yaml:
- Port bound to 127.0.0.1 only (expose via reverse proxy)
- read_only: true filesystem; /tmp tmpfs for Node.js
- no-new-privileges:true, cap_drop: ALL
- Named volume sofarr-data for persistent data
- TRUST_PROXY, COOKIE_SECRET, NODE_ENV added
Helmet v7 + CSP nonce:
- Upgrade helmet@4 → helmet@7, express-rate-limit@6 → @7
- CSP with per-request nonce injected into index.html script/link tags
(replaces blanket unsafe-inline; nonce changes every request)
- HSTS: max-age=1yr, includeSubDomains, preload
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera/mic/geolocation/payment/usb all off
- index.html served dynamically with nonce injection; static assets
served normally via express.static({index:false})
Trust proxy:
- TRUST_PROXY env var configures app.set('trust proxy') so rate
limiting and secure cookies work correctly behind Nginx/Caddy
Session & auth:
- Token store migrated from in-memory Map to SQLite via better-sqlite3
(server/utils/tokenStore.js): survives restarts, WAL mode, 31-day TTL
- CSRF double-submit cookie pattern (server/middleware/verifyCsrf.js):
POST/PUT/PATCH/DELETE on /api/* require X-CSRF-Token header matching
the csrf_token cookie; timing-safe comparison
- CSRF token issued on login + GET /api/auth/csrf; cleared on logout
- Login input validation: username/password length + type checked before
hitting Emby
- skipSuccessfulRequests:true on login rate limiter (only count failures)
- express.json({ limit: '64kb' }) to reject oversized payloads
Rate limiting:
- General API limiter: 300 req/15min per IP on all /api/* routes
- Login limiter unchanged (10 failures/15min) but now only counts fails
Logging:
- Log file moved from /app/server.log to DATA_DIR/server.log (writable
by non-root node user in container)
- Size-based rotation: rotate at 10 MB, keep 3 files (server.log.1-3)
- DATA_DIR defaults to ./data locally, /app/data in container
Error handling:
- Global Express error handler: catches unhandled errors, logs message,
returns generic 500 (no stack traces to clients)
Health/readiness:
- GET /health: returns {status:'ok', uptime:N} — used by HEALTHCHECK
- GET /ready: returns 503 if EMBY_URL not configured
Error sanitization (sanitizeError.js):
- Added patterns for password= params, bearer tokens, Basic auth in URLs
Supply chain:
- Remove unused cors dependency
- Add better-sqlite3@^9
- CI: upgrade to Node 22, raise audit level to --audit-level=high
- .gitignore: add data/, *.db, *.db-wal, *.db-shm
Docs:
- SECURITY.md: threat model, hardening checklist, proxy examples,
header table, rate limit table, Docker secrets guidance
- .env.example + .env.sample: TRUST_PROXY, DATA_DIR documented
2026-05-17 06:47:25 +01:00
14de5e4644
fix(security #17): add npm audit to CI pipeline and package scripts
Build and Push Docker Image / build (push) Successful in 32s
CI / npm audit (push) Failing after 2m20s
Added .gitea/workflows/ci.yml which runs 'npm audit --audit-level=moderate'
on every push and PR. Fails the build on any moderate or higher severity
finding.
Also added 'npm run audit' and 'npm run audit:fix' convenience scripts
to package.json for local use.
2026-05-16 16:27:33 +01:00
137d40affe
ci: remove arm builds, amd64 only for now
2026-05-16 00:32:16 +01:00
84e4201dc1
ci: build develop tag on every push to develop branch
- Triggers on develop branch in addition to release/* branches
- Develop pushes get tagged as :develop only
- Release pushes continue to get :version, :release, and :latest tags
2026-05-16 00:32:16 +01:00
67b816cd61
ci: build multi-arch images (amd64, arm64, arm/v7)
- Add QEMU for cross-platform emulation
- Add Docker Buildx for multi-platform builds
- Build for linux/amd64, linux/arm64, linux/arm/v7
2026-05-15 20:53:37 +01:00
db89a920e4
ci: add automated release creation on tag push
Create Release / release (push) Successful in 1m38s
Build and Push Docker Image / build (push) Successful in 2m14s
- Triggers on v* tags
- Generates release notes from commit log since previous tag
- Includes Docker pull command and source archive links
- Creates formal Gitea Release via akkuman/gitea-release-action
2026-05-15 16:55:07 +01:00
a3dbe8b6c0
docs: add Docker deployment instructions and OCI labels
Build and Push Docker Image / build (push) Successful in 2m26s
- Add LABEL tags to Dockerfile (OCI standard + custom.hardware.requirement)
- Add dynamic version/created labels in CI workflow
- Add Docker deployment section to README with docker run, compose, and update instructions
- Registry pull source: docker.i3omb.com/sofarr
2026-05-15 16:50:50 +01:00
44055f0327
ci: remove registry login step (Distribution registry has no auth by default)
Build and Push Docker Image / build (push) Successful in 7m18s
2026-05-15 15:38:39 +01:00
70c9953a2d
ci: use distribution registry at reg.i3omb.com
Build and Push Docker Image / build (push) Has been cancelled
2026-05-15 15:19:15 +01:00
87f8c2d42b
ci: add Dockerfile and Gitea Actions workflow for automated image builds
Build and Push Docker Image / build (push) Has been cancelled
- Dockerfile based on node:18-alpine
- Gitea Actions workflow triggers on push to release/* branches
- Builds and pushes to Gitea container registry with version tags
2026-05-15 15:15:09 +01:00