59 Commits

Author	SHA1	Message	Date
gronod	7690d959b3	fix: blocklist-search lookup against queue cache instead of downloadClientRegistry ... Fixes the root cause of the regression from v1.7.16. The v1.7.16 fix correctly cast arrQueueId to String, but the lookup was performed against downloadClientRegistry.getAllDownloads() which returns raw download client data (qBittorrent, SABnzbd, etc.) that never has arrQueueId populated. The fix now looks up the queue record directly from the Sonarr/Radarr queue cache where record.id is the numeric queue ID, using String() casting on both sides to handle the DOM-dataset (string) vs API response (number) type difference. Resolves Gitea Issue #48 Closes #48	2026-05-24 22:48:17 +01:00
gronod	83c9d4d164	fix: blocklist-search queue ID type mismatch and bump version to 1.7.16 ... - Cast arrQueueId to String in both sides of the download lookup comparison in /api/dashboard/blocklist-search to resolve false-negative match failure caused by DOM dataset string vs Radarr/Sonarr API number type mismatch - Add regression integration test for string-vs-number arrQueueId matching - Bump version to 1.7.16, update CHANGELOG.md, openapi.yaml, and JSDoc examples Resolves #48	2026-05-24 22:12:34 +01:00
gronod	7b9c895888	fix: support query parameter-based secret validation fallback to fix Ombi webhooks (#47)	2026-05-24 21:25:38 +01:00
gronod	b5b4862e15	chore: bump version to 1.7.14 and update CHANGELOG for poller fix	2026-05-24 19:36:53 +01:00
gronod	76631cd37e	chore: bump version to 1.7.13 and update CHANGELOG	2026-05-24 19:24:01 +01:00
gronod	95e301ef56	chore: bump version to 1.7.12 and update CHANGELOG	2026-05-24 18:50:30 +01:00
gronod	afc940aba7	chore: bump version to 1.7.11 and update CHANGELOG	2026-05-24 10:48:52 +01:00
gronod	3f8970ea99	chore: bump version to 1.7.10 and update CHANGELOG	2026-05-24 10:23:22 +01:00
gronod	64c872423f	chore: bump version to 1.7.9 and update CHANGELOG	2026-05-23 20:58:09 +01:00
gronod	d1db3118f0	chore: bump version to 1.7.8 and update CHANGELOG	2026-05-23 20:52:27 +01:00
gronod	82b3824658	chore: bump version to 1.7.7 and update CHANGELOG	2026-05-23 20:38:05 +01:00
gronod	6ac0a8421e	fix: resolve rate-limiting and Ombi requests caching bugs (fixes #42, fixes #43)	2026-05-23 18:55:03 +01:00
gronod	f8c7e35f31	chore: bump version to 1.7.5 and update CHANGELOG	2026-05-23 10:13:25 +01:00
gronod	1d571b066d	chore: bump version to 1.7.4 and update CHANGELOG	2026-05-23 10:00:18 +01:00
gronod	f52a687a46	chore: bump version to 1.7.3 and update CHANGELOG	2026-05-23 09:39:58 +01:00
gronod	f1e0a77fad	fix: add common webhook config check for SOFARR_BASE_URL and SOFARR_WEBHOOK_SECRET ... - Ombi webhook status now checks for required environment variables - Added GET /api/webhook/config endpoint for common webhook config validation - Updated client-side fetchWebhookStatus to use common config check - Added integration tests for new endpoint and Ombi webhook status checks	2026-05-22 09:16:23 +01:00
gronod	37bed1cd4e	feat: add automated RAML 1.0 package generation to CI/CD pipeline ... - Add RAML generation scripts (generate-openapi, downgrade-openapi, simple-raml-converter, package-raml) - Add /api/swagger.json endpoint to server/app.js - Add minimal .spectral.yml ruleset for OpenAPI linting - Add npm scripts for OpenAPI/RAML generation and packaging - Extend CI swagger job with RAML generation steps - Upload raml-package artifact with 14-day retention - Update CHANGELOG.md for v1.7.1	2026-05-21 14:26:21 +01:00
gronod	1a4ff73067	feat(ci): add RAML 1.0 package generation pipeline ... - Add generate:openapi, generate:raml, package:raml scripts to package.json - Add archiver dependency for creating tar.gz archives - Create scripts/generate-openapi.js to fetch merged OpenAPI spec from running server - Create scripts/package-raml.js to build versioned RAML tar.gz archive - Create .spectral.yml with minimal OpenAPI linting rules - Add /api/swagger.json endpoint to server/app.js for serving merged spec - Extend swagger job in ci.yml with RAML generation steps - Upload raml-package artifact to CI with 14-day retention	2026-05-21 14:04:26 +01:00
gronod	1ed01d0ef0	chore(release): bump version to 1.7.0 ... - Increment version from 1.6.0 to 1.7.0 in package.json - Add detailed CHANGELOG.md entry for Swagger UI & OpenAPI 3.1 documentation - Update README.md version highlight to mention Swagger UI - Add API Documentation System section (7.4) to ARCHITECTURE.md - Add swagger-ui-express, swagger-jsdoc, yamljs, spectral-cli to Technology Stack - Update High-Level Architecture diagram with Swagger UI node - Update Request routing summary to include /api/swagger - Update SECURITY.md: Threat Model, Rate Limits, and Supported Versions tables	2026-05-21 13:35:31 +01:00
gronod	7dadb849f6	ci(swagger): add OpenAPI validation job to CI ... - Install @stoplight/spectral-cli as dev dependency - Add "Swagger Validation & Coverage" job to .gitea/workflows/ci.yml - Run spectral lint on server/openapi.yaml - Run npm test to execute coverage tests - Fail CI if spec is invalid or coverage is incomplete - Runs on every push/PR alongside existing jobs	2026-05-21 12:39:13 +01:00
gronod	93a8c3fd2e	feat(swagger): create develop-swagger branch and install dependencies ... - Install swagger-ui-express, swagger-jsdoc, yamljs - Prepare for OpenAPI 3.1 spec integration	2026-05-21 12:28:52 +01:00
gronod	5d0da45e10	chore: bump version to 1.6.0, update CHANGELOG and ARCHITECTURE docs	2026-05-21 11:49:57 +01:00
gronod	1e3926b206	Bump version to 1.5.5	2026-05-20 01:11:22 +01:00
gronod	49d66c07ee	Update ARCHITECTURE.md, bump version to 1.5.4, add CHANGELOG entry	2026-05-19 23:45:37 +01:00
gronod	a04f2c9b25	Bump version to 1.5.3	2026-05-19 23:09:23 +01:00
gronod	a7363fcb3a	v1.5.2: Build and deploy React client with Webhooks Configuration panel	2026-05-19 20:27:11 +01:00
gronod	eeab314a08	chore: bump version to 1.5.1	2026-05-19 19:07:05 +01:00
gronod	917939a9fc	fix(ui): wire status panel close button via addEventListener ... Inline onclick attribute was silently blocked by the server CSP nonce policy. Replace with addEventListener after innerHTML is set. chore: bump version to 1.5.0a	2026-05-19 18:51:50 +01:00
gronod	76f0aad453	chore: bump version to 1.5.0	2026-05-19 18:33:03 +01:00
gronod	6529702f73	chore: bump version to 1.4.0	2026-05-19 14:58:37 +01:00
gronod	a50e5a7d69	feat: add rtorrent client via PDCA ... - Implement RTorrentClient extending DownloadClient abstract class - Use xmlrpc package (v1.3.2) for XML-RPC communication - Support HTTP Basic Auth when credentials are configured - Map rTorrent states (d.state, d.is_active, d.is_hash_checking) to normalized statuses - Calculate ETA from download speed and remaining bytes - Add getRtorrentInstances() to config.js - Register RTorrentClient in downloadClients.js registry - Add 8 comprehensive unit tests covering all functionality - Update .env.sample with rtorrent configuration examples - Update ARCHITECTURE.md with rtorrent client details - Update ADDING-A-DOWNLOAD-CLIENT.md with rtorrent-specific notes	2026-05-19 11:40:31 +01:00
gronod	a0f630fb81	chore: bump version to 1.3.1 (point release)	2026-05-18 06:35:16 +01:00
gronod	e640215502	chore: bump version to 1.4.0	2026-05-18 06:31:31 +01:00
gronod	aef21d1b50	chore: bump to v1.3.0; update CHANGELOG, README, ARCHITECTURE docs	2026-05-17 23:29:02 +01:00
gronod	4c9985e01a	chore: bump version to 1.2.2, update CHANGELOG	2026-05-17 21:22:02 +01:00
gronod	6a8ca90fd3	feat: add version footer to dashboard UI (v1.2.1) ... - /health endpoint now includes version field - Footer displays 'sofarr vX.Y.Z' fetched on page load - Subtle .app-version styling (smaller, dimmed) - Bump version to 1.2.1, update CHANGELOG	2026-05-17 20:34:59 +01:00
gronod	c0dd93a1ab	feat: production hardening v1.2.0 ... Phase 1 - Licensing & Compliance: - Add MIT LICENSE file - Add copyright headers to server/index.js, poller.js, config.js, sanitizeError.js, and new loadSecrets.js Phase 2 - Security Hardening: - Add server/utils/loadSecrets.js: Docker secrets support via _FILE env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.) - Add SSRF/URL validation in config.js: validates all configured service instance URLs for scheme and well-formedness at startup - Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP connections, 10s force-exit fallback - Warn at startup if COOKIE_SECRET is shorter than 32 characters - Validate EMBY_URL scheme at startup - Improve sanitizeError: redact host:port from axios error URLs while preserving path/query for other redaction patterns Phase 3 - Config Robustness: - Weak COOKIE_SECRET warning (< 32 chars) - EMBY_URL validated via validateInstanceUrl on startup Phase 4 - Docker & Deployment: - .dockerignore: add tests/, coverage/, vitest.config.js, CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json - docker-compose.yaml: add commented Option B (Docker secrets _FILE pattern) alongside existing plain-env Option A Phase 5 - Docs & Release Readiness: - Add CHANGELOG.md with entries from v1.0.0 to v1.2.0 - Update SECURITY.md: supported versions table, fix Docker secrets note to reflect _FILE support now implemented - Add public/.well-known/security.txt for responsible disclosure - Bump version to 1.2.0	2026-05-17 19:40:07 +01:00
gronod	2550722446	feat: include version number in server startup message	2026-05-17 17:51:59 +01:00
gronod	27648c78b3	chore: bump version to 1.1.1	2026-05-17 17:44:01 +01:00
gronod	e4be334ad4	chore: bump version to 1.1.0	2026-05-17 17:31:26 +01:00
gronod	dcf613446e	docs: final 1.0.0 documentation pass ... README.md: - Node prerequisite: v12+ → v22+ - Real-Time Updates: describe SSE push, remove polling/refresh-selector wording - On-demand mode: update for SSE connect triggering poll - API Endpoints: add /stream, /me, /csrf, /user-summary, /status, /cover-art - Remove stale /api/qbittorrent proxy entry - Docker tags: update to 1.0.x SECURITY.md: - Supported versions: add 1.0.x, retire 0.2.x - CSP header: add style-src-attr 'unsafe-inline' - Nginx example: add proxy_buffering off / proxy_read_timeout for SSE Diagrams: - seq-dashboard.puml: rewrite as SSE stream sequence (connect, initial payload, pushed updates, heartbeat, disconnect) - seq-polling.puml: add SSE subscriber notification step after cache population - state-ui.puml: replace Refresh Rate sub-state with SSE Connection state machine; update splash loading and logout transitions - state-poller.puml: add Notifying SSE subscribers step in Polling state package.json: bump to 1.0.0	2026-05-17 09:19:35 +01:00
gronod	55e4aedfca	chore: bump version to 0.2.0	2026-05-17 08:12:23 +01:00
gronod	5fd55b4e1a	test: add comprehensive test suite (115 tests, Vitest + supertest + nock) ... Framework: - Vitest v4 as test runner (fast ESM/CJS support, V8 coverage built-in) - supertest for integration tests against createApp() factory - nock for HTTP interception (works with CJS require('axios'), unlike vi.mock) New files: - vitest.config.js — test config: node env, isolate, V8 coverage, per-file thresholds - tests/setup.js — isolated DATA_DIR per worker, SKIP_RATE_LIMIT, console suppression - tests/README.md — approach, structure, design decisions - server/app.js — testable Express factory (extracted from index.js side-effects) Unit tests (91 tests): - tests/unit/sanitizeError.test.js — secret redaction: apikey, token, bearer, basic-auth URLs - tests/unit/config.test.js — JSON array + legacy single-instance config parsing - tests/unit/requireAuth.test.js — valid/invalid/tampered cookies, schema validation - tests/unit/verifyCsrf.test.js — double-submit pattern, timing-safe compare, safe methods - tests/unit/qbittorrent.test.js — formatBytes, formatEta, mapTorrentToDownload state map - tests/unit/tokenStore.test.js — store/get/clear lifecycle, TTL expiry, atomic disk write Integration tests (24 tests): - tests/integration/health.test.js — /health and /ready endpoints - tests/integration/auth.test.js — full login/logout/me/csrf flows, input validation, cookie attributes, no token leakage, Emby mock via nock Production code changes (minimal, no behaviour change): - server/routes/auth.js: EMBY_URL captured at request-time (not module load) for testability - server/routes/auth.js: loginLimiter max → Number.MAX_SAFE_INTEGER when SKIP_RATE_LIMIT set - server/utils/sanitizeError.js: fix HEADER_PATTERN to redact full line (not just first token) CI: - .gitea/workflows/ci.yml: add parallel 'test' job (npm run test:coverage, artifact upload) - package.json: add test/test:watch/test:coverage/test:ui scripts - .gitignore: add coverage/	2026-05-17 07:45:33 +01:00
gronod	8ba1ee4f56	fix: restore missing dotenv dependency ... dotenv was accidentally dropped from package.json dependencies when better-sqlite3 was removed in the previous commit.	2026-05-17 07:16:08 +01:00
gronod	37c1b64982	fix(docker): replace better-sqlite3 with pure-JS JSON token store ... better-sqlite3 is a native C++ addon that requires compilation on Alpine (musl libc, no pre-built binaries exist) and fails on Debian slim too because prebuild-install cannot detect the libc type correctly. Replace with a pure-JS JSON file token store (server/utils/tokenStore.js): - Atomic writes via temp file + rename (no corruption on crash) - Same API: storeToken/getToken/clearToken - TTL enforcement on read and hourly prune - Zero native code, zero build tools required Dockerfile: - Revert to node:22-alpine (was node:22-slim) - Remove build tools (python3/make/g++) — no longer needed - Restore wget HEALTHCHECK (available in Alpine busybox) docker-compose.yaml: restore wget healthcheck package.json: remove better-sqlite3 dependency	2026-05-17 07:13:56 +01:00
gronod	bdbbcabfbc	feat(security): production hardening for external deployment ... Container (Dockerfile): - Multi-stage build (deps + runtime) for minimal attack surface - Upgrade base image from node:18-alpine to node:22-alpine - Run as non-root 'node' user (UID 1000); source files owned by root - /app/data directory owned by node for SQLite + logs - Docker HEALTHCHECK: wget /health every 30s docker-compose.yaml: - Port bound to 127.0.0.1 only (expose via reverse proxy) - read_only: true filesystem; /tmp tmpfs for Node.js - no-new-privileges:true, cap_drop: ALL - Named volume sofarr-data for persistent data - TRUST_PROXY, COOKIE_SECRET, NODE_ENV added Helmet v7 + CSP nonce: - Upgrade helmet@4 → helmet@7, express-rate-limit@6 → @7 - CSP with per-request nonce injected into index.html script/link tags (replaces blanket unsafe-inline; nonce changes every request) - HSTS: max-age=1yr, includeSubDomains, preload - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy: camera/mic/geolocation/payment/usb all off - index.html served dynamically with nonce injection; static assets served normally via express.static({index:false}) Trust proxy: - TRUST_PROXY env var configures app.set('trust proxy') so rate limiting and secure cookies work correctly behind Nginx/Caddy Session & auth: - Token store migrated from in-memory Map to SQLite via better-sqlite3 (server/utils/tokenStore.js): survives restarts, WAL mode, 31-day TTL - CSRF double-submit cookie pattern (server/middleware/verifyCsrf.js): POST/PUT/PATCH/DELETE on /api/* require X-CSRF-Token header matching the csrf_token cookie; timing-safe comparison - CSRF token issued on login + GET /api/auth/csrf; cleared on logout - Login input validation: username/password length + type checked before hitting Emby - skipSuccessfulRequests:true on login rate limiter (only count failures) - express.json({ limit: '64kb' }) to reject oversized payloads Rate limiting: - General API limiter: 300 req/15min per IP on all /api/* routes - Login limiter unchanged (10 failures/15min) but now only counts fails Logging: - Log file moved from /app/server.log to DATA_DIR/server.log (writable by non-root node user in container) - Size-based rotation: rotate at 10 MB, keep 3 files (server.log.1-3) - DATA_DIR defaults to ./data locally, /app/data in container Error handling: - Global Express error handler: catches unhandled errors, logs message, returns generic 500 (no stack traces to clients) Health/readiness: - GET /health: returns {status:'ok', uptime:N} — used by HEALTHCHECK - GET /ready: returns 503 if EMBY_URL not configured Error sanitization (sanitizeError.js): - Added patterns for password= params, bearer tokens, Basic auth in URLs Supply chain: - Remove unused cors dependency - add better-sqlite3@^9 - CI: upgrade to Node 22, raise audit level to --audit-level=high - .gitignore: add data/, *.db, *.db-wal, *.db-shm Docs: - SECURITY.md: threat model, hardening checklist, proxy examples, header table, rate limit table, Docker secrets guidance - .env.example + .env.sample: TRUST_PROXY, DATA_DIR documented	2026-05-17 06:47:25 +01:00
gronod	6b8c215497	chore: bump version to 0.1.5	2026-05-16 17:18:05 +01:00
gronod	031877e6a0	fix(ci): upgrade nodemon to ^3 to resolve semver ReDoS vulnerability ... nodemon@2 depends on simple-update-notifier which depends on a vulnerable range of semver (7.0.0-7.5.1, GHSA-c2qf-rxjj-qqgw). Upgrading to nodemon@3 pulls in a clean dependency tree. npm audit now reports 0 vulnerabilities.	2026-05-16 17:11:24 +01:00
gronod	14de5e4644	fix(security #17): add npm audit to CI pipeline and package scripts ... Added .gitea/workflows/ci.yml which runs 'npm audit --audit-level=moderate' on every push and PR. Fails the build on any moderate or higher severity finding. Also added 'npm run audit' and 'npm run audit:fix' convenience scripts to package.json for local use.	2026-05-16 16:27:33 +01:00
gronod	b608fa0337	fix(security #12): add helmet security response headers ... Adds X-DNS-Prefetch-Control, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection, HSTS (in prod) and others. CSP disabled for now as the SPA uses inline scripts/styles; a nonce/hash-based policy is a future hardening step.	2026-05-16 16:23:47 +01:00