Commit Graph

7 Commits

Author SHA1 Message Date
Krystie
0c658a26a8 fix(routes): complete post-refactor dependency wiring cleanup
2026-05-04 16:44:18 -07:00
f865790fe1 fix(routes): restore ctx access in 15 route files broken by Phase 2.1 refactor
The modular refactor changed function signatures to destructured deps but
left internal ctx.* references intact, causing "ctx is not defined" errors
on /api/config, /api/logo, and many other endpoints. Also implements
loadTotpConfig and saveTotpConfig which were left as stubs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 03:01:29 -07:00
Krystie
564c442ea4 fix(routes): Correct require paths for errors.js in subdirectory routes
2026-03-30 00:21:25 -07:00
Krystie
77ae8171b8 Refactor config routes: explicit dependency injection
- Updated all config route modules to use destructured dependencies
- Added JSDoc comments for factory functions
- Replaced ctx. references with direct parameter access
- All files pass syntax validation

Files refactored:
- routes/config/assets.js
- routes/config/backup.js
- routes/config/settings.js
- routes/config/index.js (orchestrator)
2026-03-29 21:43:29 -07:00
Krystie
b172a21b63 Migrate 25 route files to throw-based error handling
Converted routes:
- All auth routes (totp.js, keys.js, sso-gate.js)
- Recipe deployment routes (deploy.js, manage.js, index.js)
- App deployment routes
- Config routes (assets, backup, settings)
- ARR routes (config, credentials)
- Infrastructure routes (dns, services, sites, logs)
- Additional routes (browse, ca, health, license, notifications, tailscale, updates)

Changes:
- Replaced ctx.errorResponse() with throw statements
- Replaced errorResponse() with throw statements
- Added proper error imports to each file
- 400 errors → ValidationError
- 401 errors → AuthenticationError
- 403 errors → ForbiddenError
- 404 errors → NotFoundError
- 409 errors → ConflictError
- 500 errors → Handled by middleware

Result: 25 files migrated, ~150 error responses standardized
2026-03-29 18:53:03 -07:00
59b6d7d360 Fix 16 HIGH/MEDIUM security bugs across API
HIGH fixes:
- TOTP disable now requires valid code verification
- TOTP secret removed from plaintext file storage
- Container ID validated before update/check-update/logs operations
- DNS server parameter restricted to configured servers (SSRF prevention)
- Backup export no longer includes encryption key
- Backup restore of sensitive files requires TOTP re-authentication

MEDIUM fixes:
- Session cookie Secure flag added
- Caddy reload errors no longer leaked to client
- saveConfig uses atomic locked updates via configStateManager
- Log file path traversal prevented via symlink resolution
- Credential cache entries now expire after 5 minutes
- _httpFetch enforces 10MB response size limit
- External URL path injection into Caddyfile blocked
- Custom volume host paths validated against allowed roots
- Error logs endpoint no longer returns stack traces
- Logo delete path traversal prevented via path.basename()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 00:15:28 -08:00
f61e85d9a7 Initial commit: DashCaddy v1.0
Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.
2026-03-05 02:26:12 -08:00