Krystie
a86546181e
fix(lint): Add ctx shim to routes/auth/totp
...
- Add credentialManager, totpConfig, saveTotpConfig, session to deps
- Create ctx shim for backward compatibility
- Fix hasOwnProperty anti-pattern (use Object.prototype.hasOwnProperty.call)
Result: 54 errors → 0 errors
2026-03-29 22:37:21 -07:00
Krystie
df3e8efdd0
Refactor auth routes: explicit dependency injection
...
- Updated all auth route modules to use destructured dependencies
- Added JSDoc comments for factory functions
- Replaced ctx. references with direct parameter access
- Updated auth/index.js to extract and pass explicit dependencies
- sso-gate.js maintains session helper exports from session-handlers
- All files pass syntax validation
Files refactored:
- routes/auth/keys.js
- routes/auth/session-handlers.js
- routes/auth/sso-gate.js
- routes/auth/totp.js
- routes/auth/index.js (orchestrator)
2026-03-29 21:42:30 -07:00
Krystie
b172a21b63
Migrate 25 route files to throw-based error handling
...
Converted routes:
- All auth routes (totp.js, keys.js, sso-gate.js)
- Recipe deployment routes (deploy.js, manage.js, index.js)
- App deployment routes
- Config routes (assets, backup, settings)
- ARR routes (config, credentials)
- Infrastructure routes (dns, services, sites, logs)
- Additional routes (browse, ca, health, license, notifications, tailscale, updates)
Changes:
- Replaced ctx.errorResponse() with throw statements
- Replaced errorResponse() with throw statements
- Added proper error imports to each file
- 400 errors → ValidationError
- 401 errors → AuthenticationError
- 403 errors → ForbiddenError
- 404 errors → NotFoundError
- 409 errors → ConflictError
- 500 errors → Handled by middleware
Result: 25 files migrated, ~150 error responses standardized
2026-03-29 18:53:03 -07:00
6c3848102b
refactor: Phase 1 code cleanup - constants, logging, and repository organization
2026-03-28 18:54:39 -07:00
b4022288dc
fix: service edit, CSRF token stability, and license restore (v1.1.1)
...
- Fix service edit double-write bug (was creating duplicate entries)
- Add editable display name field to service edit modal
- Backend update endpoint now accepts name, logo, and recalculates url
- Fix CSRF token regeneration breaking all POST requests (nonce was
being regenerated on every request, invalidating cached tokens)
- CSRF nonce now persists across requests, rotated only on TOTP login
- Frontend secureFetch auto-retries on CSRF failure with fresh token
- Restore lifetime license activation on DNS2
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-23 13:39:05 -07:00
59b6d7d360
Fix 16 HIGH/MEDIUM security bugs across API
...
HIGH fixes:
- TOTP disable now requires valid code verification
- TOTP secret removed from plaintext file storage
- Container ID validated before update/check-update/logs operations
- DNS server parameter restricted to configured servers (SSRF prevention)
- Backup export no longer includes encryption key
- Backup restore of sensitive files requires TOTP re-authentication
MEDIUM fixes:
- Session cookie Secure flag added
- Caddy reload errors no longer leaked to client
- saveConfig uses atomic locked updates via configStateManager
- Log file path traversal prevented via symlink resolution
- Credential cache entries now expire after 5 minutes
- _httpFetch enforces 10MB response size limit
- External URL path injection into Caddyfile blocked
- Custom volume host paths validated against allowed roots
- Error logs endpoint no longer returns stack traces
- Logo delete path traversal prevented via path.basename()
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-07 00:15:28 -08:00
f61e85d9a7
Initial commit: DashCaddy v1.0
...
Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.
2026-03-05 02:26:12 -08:00
