adamf/web_server
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix security vulnerabilities across backend, frontend, and infra
All checks were successful
Deploy with Docker Compose / deploy (push) Successful in 4m44s
Details

Browse Source 
- Fix auth bypass in UpdatePost/DeletePost (missing return after auth check)
- Remove Spotify access token from callback response
- Replace internal error messages with generic responses in all handlers
- Harden GraphQL: complexity limit, disable playground/introspection in prod
- Add security headers (X-Frame-Options, HSTS, etc.) to nginx
- Disable Hasura console/dev mode in production
- Add DOMPurify sanitization to Markdown component
- Fix cookie removal to use correct domain/path from auth config
- Fix nil dereference in rowing handler when Claude API errors
- Fix wildcard CORS on stamp endpoint
- Pin nginx and certbot Docker image versions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Adam French
2026-03-29 23:59:10 +01:00
parent 091bfcaef6
commit 75cede3b1b
14 changed files with 141 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
backend/handlers/handle_rowing.go
View File

@@ -5,6 +5,7 @@ import (
"encoding/base64"
"encoding/json"
"io"
"log"
"net/http"
"strings"
@@ -24,7 +25,8 @@ type ExtractedRowingData struct {
func (store *Store) GetRowing(ctx *gin.Context) {
var rowing []models.Rowing
if err := store.DB.Order("Created_At DESC").Find(&rowing).Error; err != nil {
ctx.JSON(http.StatusInternalServerError, err.Error())
log.Println(err)
ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal error"})
return
}
ctx.JSON(http.StatusOK, rowing)
@@ -118,18 +120,13 @@ No text, no markdown, no explanation. Just the JSON object.`),
},
})
if err != nil {
ctx.JSON(http.StatusInternalServerError, gin.H{
"raw": message.Content[0].Text,
"error": err.Error(),
})
log.Println(err)
ctx.JSON(http.StatusInternalServerError, gin.H{"error": "failed to process image"})
return
}
if len(message.Content) == 0 {
ctx.JSON(http.StatusInternalServerError, gin.H{
"raw": message.Content[0].Text,
"error": "empty response from Claude",
})
ctx.JSON(http.StatusInternalServerError, gin.H{"error": "empty response from image processor"})
return
}
@@ -144,11 +141,8 @@ No text, no markdown, no explanation. Just the JSON object.`),
err = json.Unmarshal([]byte(raw), &extractedData)
if err != nil {
ctx.JSON(http.StatusInternalServerError, gin.H{
"error": "failed to parse JSON response",
"detail": err.Error(),
"raw": raw,
})
log.Println(err)
ctx.JSON(http.StatusInternalServerError, gin.H{"error": "failed to parse image data"})
return
}