aboutsummaryrefslogtreecommitdiffstats
path: root/web/web.go
Commit message (Collapse)AuthorAgeFilesLines
* Improve image proxy: streaming, size limits, Content-Type validationclaude/improve-image-proxy-5iY78Claude7 days1-22/+61
| | | | | | | | | | | | | | | | | | | | | | Rewrites the image proxy handler to address several issues: - Stream responses with io.Copy instead of buffering entire image in memory - Add 25MB size limit via io.LimitReader to prevent memory exhaustion - Close resp.Body (was previously leaked on every request) - Validate Content-Type is an image, rejecting HTML/JS/etc - Forward Content-Type and Content-Length from upstream - Use http.NewRequestWithContext to propagate client cancellation - Check upstream status codes, returning 502 for non-2xx - Fix ETag: use proper quoted format, remove bogus Etag request header check - Increase timeout from 5s to 30s for slow image servers - Use proper HTTP status codes (400 for bad input, 502 for upstream errors) - Add Cache-Control max-age directive alongside Expires header Tests: comprehensive coverage for Content-Type filtering, upstream errors, streaming, ETag validation, User-Agent forwarding, and Content-Length. Benchmarks: cache hit path and streaming at 1KB/64KB/1MB/5MB sizes. https://claude.ai/code/session_01CZcDDVmF6wNs2YjdhvCppy
* Remove legacy V2 React frontend and update build/test scripts to focus on ↵Adam Mathes9 days1-1/+1
| | | | Vanilla JS (V3)
* Enhance CSRF protection for login pageAdam Mathes9 days1-3/+7
| | | | | | | | | | Login form now includes a CSRF token from the cookie as a hidden form field. The CSRF middleware accepts tokens from either the X-CSRF-Token header (for JS clients) or the csrf_token form field (for HTML forms). Removed /login from the CSRF exclusion list so login POSTs are now validated. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix v3 build process and CSRF login/logout exclusionsAdam Mathes9 days1-3/+6
| | | | | | | - Update Makefile to correctly build and copy frontend-vanilla (v3) assets - Fix frontend-vanilla/vite.config.ts to build to its own dist directory - Normalize CSRF check path and exclude /api/logout to fix v3 session clearing - Include latest built assets for v3
* Fix restricted login access and modernize login pageAdam Mathes9 days1-1/+1
| | | | | | | | - Close NK-oqd24q: Fix login access for v3/api - Update web.go to exclude /login/ from CSRF check during initial submission - Modernize web/static/login.html with new CSS and structure - Add web/login_test.go to verify CSRF exclusion - Created NK-ngokc3 for further CSRF enhancements
* Web: Make vanilla (v3) frontend the default at root, move react (v2) to /v2/Adam Mathes10 days1-7/+6
|
* Scaffold Vanilla JS Frontend (v3): Create directory, update Makefile/web.go, ↵Adam Mathes10 days1-3/+6
| | | | embed dist/v3
* Backend: Fix linting issues, improve error handling, and replace magic numbersAdam Mathes10 days1-10/+10
|
* Create 'make check' unified workflow and fix various lint issuesAdam Mathes10 days1-26/+14
|
* Cleanup root directory by moving scripts to scripts/ and fix CSRF cookie ↵Adam Mathes11 days1-2/+2
| | | | policy for dev env
* task: delete vanilla js prototype\n\n- Removed vanilla/ directory and ↵Adam Mathes11 days1-7/+0
| | | | web/dist/vanilla directory\n- Updated Makefile, Dockerfile, and CI workflow to remove vanilla references\n- Cleaned up web/web.go to remove vanilla embed and routes\n- Verified build and tests pass\n\nCloses NK-2tcnmq
* feat: fix authentication to handle no-password scenario\n\n- Updated ↵Adam Mathes11 days1-0/+16
| | | | Authenticated() to return true when no password is configured\n- Updated apiLoginHandler to succeed when no password is set\n- Added comprehensive backend tests for both password/no-password cases\n- Added E2E tests for authentication flows (password tests are skipped by default)\n- All tests pass for both authentication scenarios\n\nFixes issue where app would require login even when no password was configured.\nNow properly supports passwordless mode for local development.
* feat: add secure_cookies configuration option\n\n- Added SecureCookies bool ↵Adam Mathes11 days1-3/+3
| | | | field to config.Settings\n- Added --secure-cookies command line flag\n- Updated CSRFMiddleware to use config setting instead of hardcoded value\n- Default is false for local development, set to true for production HTTPS\n- Updated config.example and README.md with documentation\n- Updated tests to pass config to CSRFMiddleware\n\nThis allows users to easily switch between insecure cookies (for local dev)\nand secure cookies (for production HTTPS) via config file or command line.
* fix: CSRF cookie configuration for local network access\n\n- Changed ↵Adam Mathes11 days1-1/+2
| | | | SameSite from Lax to None to allow cookie access across localhost/IP variations\n- Added Secure=false for local development (should be true in production with HTTPS)\n- Added credentials:'include' to all fetch requests to ensure cookies are sent\n- Updated tests to expect credentials parameter in fetch calls\n\nThis fixes the 403 Forbidden error when accessing from LAN IPs like 192.168.x.x
* fix: relax CSP to allow unsafe-eval for legacy UIAdam Mathes11 days1-1/+1
|
* routing: make new UI default at / and move legacy UI to /v1/ (fixing ↵Adam Mathes11 days1-1/+7
| | | | NK-mgmn5m, NK-p89hyt)
* security: add HTTP security headers (fixing NK-7xuajb)Adam Mathes11 days1-1/+17
|
* security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)Adam Mathes11 days1-3/+2
|
* security: implement CSRF protection and improve session cookie security ↵Adam Mathes11 days1-5/+43
| | | | (fixing NK-gfh33y)
* Refactor: project structure, implement dependency injection, and align v2 UI ↵Adam Mathes11 days1-12/+20
| | | | with v1
* Audit and reduce Go dependencies: replace go.rice with embed, pflag with flagAdam Mathes12 days1-40/+25
|
* Optimize asset packaging: move UI assets to root dist/ and decouple rice ↵Adam Mathes12 days1-4/+4
| | | | embedding
* feat: add vanilla JS frontend prototype (NK-2xsgef)Adam Mathes12 days1-0/+11
|
* fix(v2): remove distracting selection styles and fix build (NK-8rhpp3)Adam Mathes12 days1-23/+61
|
* Implement robust Gzip middleware and update page size analysisAdam Mathes12 days1-4/+89
|
* Implement Frontend Logout with testsAdam Mathes12 days1-0/+8
|
* Implement frontend login logic with >90% coverageAdam Mathes13 days1-0/+39
|
* Scaffold new frontend and close NK-t0nmbjAdam Mathes13 days1-0/+3
|
* wip: tui updates (buggy)Adam Mathes13 days1-1/+11
|
* Refactor backend to a clean REST APIAdam Mathes13 days1-188/+28
| | | | | | | | | | - Created new 'api' package with testable router and RESTful handlers - Handlers in 'api' use proper HTTP methods and status codes - Standardized JSON responses and error handling - Refactored 'web' package to delegate logic to 'api' - Maintained backward compatibility for legacy frontend routes - Simplified 'web/web_test.go' and added comprehensive 'api/api_test.go' - All tests passing with improved modularity
* wip adding /crawl/ manual crawl updateAdam Mathes2018-07-041-0/+13
|
* enable feed export from web interfaceAdam Mathes2018-07-041-0/+9
|
* wip, simplificationsAdam Mathes2018-07-041-1/+1
|
* log fatal web serving errorsAdam Mathes2018-06-171-1/+1
|
* add back in search support, requires sqliteAdam Mathes2018-06-161-1/+7
|
* remove runtime static file dependencies, use rice boxesAdam Mathes2018-06-121-14/+17
|
* debug cleanupAdam Mathes2018-04-291-2/+3
|
* separator for scrapeAdam Mathes2018-04-271-8/+41
|
* img proxyAdam Mathes2018-04-261-4/+17
|
* img proxyAdam Mathes2018-04-261-9/+24
|
* wip img proxyAdam Mathes2018-04-241-0/+26
|
* wip single category on feedAdam Mathes2018-04-221-2/+24
|
* crawl immediately on web feed addAdam Mathes2017-04-171-0/+6
|
* switch to single binary (neko) with standard flags. update config file to ↵Adam Mathes2017-02-201-17/+23
| | | | use nicer names
* change to personal namespaceAdam Mathes2017-02-071-3/+3
|
* fix includesAdam Mathes2017-02-021-4/+3
|
* add back in starred functionality, fix login pageAdam Mathes2017-01-301-1/+6
|
* better cookie handlingAdam Mathes2017-01-261-7/+6
|
* shitty cookie auth that needs work but safari keeps asking me for my digest ↵Adam Mathes2017-01-251-21/+55
| | | | auth password and it is annoying so, whatev
* neko v2 initial commitAdam Mathes2017-01-231-0/+131
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-25 20:18:51 +0000