Skip to content

fix: security and correctness pass on articles, auth, storage#5

Merged
basedest merged 4 commits into
masterfrom
claude/imeccable-skill-usage-MCYY3
Jun 22, 2026
Merged

fix: security and correctness pass on articles, auth, storage#5
basedest merged 4 commits into
masterfrom
claude/imeccable-skill-usage-MCYY3

Conversation

@basedest

Copy link
Copy Markdown
Owner

Batch 1 (P0) of the codebase audit. Highlights:

  • server/trpc.ts: protectedProcedure now chains loggingMiddleware so all
    authenticated calls are logged
  • article.repository: escape user input before regex-matching titles to
    prevent ReDoS / regex injection in article.list
  • article.service: rely on Mongo unique-index duplicate-key error for slug
    conflict (removes check-then-create race)
  • article: introduce authorId for ownership checks; keep author display
    name for URLs/UI. Editor page and ArticleItem prefer authorId, fall
    back to author name for legacy docs
  • article.router: drop legacy content: z.any() field; tighten validation
  • shared/types/session: type role as 'admin' | 'user'
  • storage/s3: only set endpoint when explicitly configured (real AWS S3
    uses the default regional endpoint); env config now exposes S3_ENDPOINT
  • routers: log raw upload errors server-side; return generic message to
    client (no storage-config leakage)
  • features/auth: stop logging verification URLs (contained tokens)
  • shared/lib/server/connection: rethrow on MongoDB connection failure
    instead of swallowing it
  • entities/{article,user}/model: add Mongoose indexes on hot fields
  • shared/emails/verify-email: replace real-looking JWT preview token with
    a placeholder

claude added 3 commits May 22, 2026 18:11
Batch 1 (P0) of the codebase audit. Highlights:

- server/trpc.ts: protectedProcedure now chains loggingMiddleware so all
  authenticated calls are logged
- article.repository: escape user input before regex-matching titles to
  prevent ReDoS / regex injection in article.list
- article.service: rely on Mongo unique-index duplicate-key error for slug
  conflict (removes check-then-create race)
- article: introduce authorId for ownership checks; keep author display
  name for URLs/UI. Editor page and ArticleItem prefer authorId, fall
  back to author name for legacy docs
- article.router: drop legacy content: z.any() field; tighten validation
- shared/types/session: type role as 'admin' | 'user'
- storage/s3: only set endpoint when explicitly configured (real AWS S3
  uses the default regional endpoint); env config now exposes S3_ENDPOINT
- routers: log raw upload errors server-side; return generic message to
  client (no storage-config leakage)
- features/auth: stop logging verification URLs (contained tokens)
- shared/lib/server/connection: rethrow on MongoDB connection failure
  instead of swallowing it
- entities/{article,user}/model: add Mongoose indexes on hot fields
- shared/emails/verify-email: replace real-looking JWT preview token with
  a placeholder
Batch 2 (P1) of the codebase audit.

i18n:
- Translate previously hardcoded user-facing strings: article delete
  dialog, article-list empty state, multi-select Create option, mobile
  menu toggle label, article view dates
- Add EN/RU bilingual fallback to the root not-found.tsx and
  global-error.tsx (both render outside the [locale] segment, so the
  intl provider is unavailable)
- Locale-aware date formatting (article view + article-item) via
  next-intl useLocale/getLocale

UX / a11y:
- multi-select: role=combobox/listbox/option, aria-label, Escape clears
  input, options keyboard-activatable, configurable createLabel
- header: aria-expanded, aria-controls, aria-label on mobile menu toggle
- smart-list pagination: tabIndex=-1 on disabled prev/next so screen
  readers and keyboard users skip them
- search-bar: placeholder is now required so the caller always passes a
  translated string (smart-list already does)
- editor slug generator: accept Unicode letter classes (non-Latin/non-
  Cyrillic titles no longer collapse to an empty slug; falls back to a
  timestamped slug as a last resort)

Code quality:
- smart-list: drop the file-level eslint-disable
  react-hooks/set-state-in-effect; replace useEffect prop-syncing with
  the React-docs "set state during render" pattern
- views/editor: split the 324-LOC page into the orchestrator (~210 LOC),
  use-article-edit-permission hook, and image-upload-section component
- register-form: read Better Auth's structured `error.code` for the
  email-taken case instead of substring-matching the message text
Batch 3 (P2) of the codebase audit.

CI:
- .github/workflows/test.yml: run yarn type-check and yarn build after
  lint and test so production-build regressions and TS errors that
  escape vitest are caught before merge

ESLint:
- enable @typescript-eslint/no-floating-promises and no-misused-promises
  (type-aware) on src/, server/, and app/ to surface unhandled async
  paths

Vitest:
- add v8 coverage config (text + json + html reporters) so `yarn test
  --coverage` produces measurable output

Storage / env:
- shared/config/env/server: MinIO fallbacks now apply only in
  development; production must set every S3_* var explicitly. The
  silent minioadmin/minioadmin default in production is gone

Tests:
- shared/lib/escape-regex: extract regex-escape into a reusable util
  and add a Vitest spec, including a ReDoS-injection regression case.
  article.repository now uses the util.
@vercel

vercel Bot commented May 22, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
articlify Ready Ready Preview, Comment Jun 22, 2026 9:09pm

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b0c5272e1a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/test.yml
The build step added in this PR could never pass in CI. Three independent
blockers, fixed here:

- workflows/test.yml: `yarn build` runs as NODE_ENV=production, so
  getServerConfig() requires the full storage env set or it throws before
  the app renders (Codex P1). Also add a mongodb service: the build connects
  to Mongo for generateStaticParams (article.getAllSlugs) and getSession(),
  so it needs a reachable DB (an empty one suffices).
- article.router: pass `role ?? undefined` in delete() to match the actor
  type and the sibling update() call; fixes the tsc/type-check failure.
- error.tsx, global-error.tsx: `void` the fire-and-forget reportError() to
  satisfy no-floating-promises.

Plus eslint --fix (prettier) formatting on article.service, register-form,
vitest.config, and eslint.config.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@basedest basedest merged commit 48b6970 into master Jun 22, 2026
3 checks passed
github-actions Bot pushed a commit that referenced this pull request Jun 23, 2026
## [1.1.1](v1.1.0...v1.1.1) (2026-06-23)

### Bug Fixes

* green up CI build gate for PR [#5](#5) ([48b6970](48b6970))
* i18n, a11y, and structural improvements across UI ([fc7b93b](fc7b93b))
* security and correctness pass on articles, auth, storage ([889c3b5](889c3b5))
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 1.1.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants