bugfix: security & correctness bundle (0.34.1)

Five fixes bundled into one release: - preserve user-attached tags across crawler upserts (repo::crawler::sync_tags now scopes to added_by IS NULL; orphaned attachments from deleted users are reaped as crawler-owned) - gate manga PATCH and cover endpoints on uploaded_by (require_can_edit in api::mangas; non-NULL uploaded_by must match the caller) - equalise login response time across user-existence branches (run argon2 against a OnceLock-cached dummy hash on the no-user branch so timing doesn't leak username existence) - crawler download defences (SSRF allowlist of host literals including IPv4-mapped IPv6 ranges, 32 MiB streamed size cap, reject non-whitelisted image types, three-way chapter-probe classifier replaces the binary #avatar_menu check) - tighten validation and clean up dead unload path (attach_tag + create_token enforce 64-char caps; LocalStorage rejects NUL bytes explicitly; reader flushFinalProgress drops the always-405 sendBeacon path) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 20:24:51 +02:00
parent c5c1179e9d
commit 8d34132883
25 changed files with 1399 additions and 88 deletions
--- a/frontend/src/lib/api/auth.test.ts
+++ b/frontend/src/lib/api/auth.test.ts
@@ -94,6 +94,11 @@ describe('auth api client', () => {
        expect(url).toMatch(/\/v1\/auth\/logout$/);
        const init = fetchSpy.mock.calls[0][1] as RequestInit;
        expect(init.method).toBe('POST');
+        // Consistent content-type for all mutation requests, matching
+        // the rest of the module — axum doesn't require it but the
+        // header keeps the request style uniform.
+        const headers = new Headers(init.headers);
+        expect(headers.get('content-type')).toBe('application/json');
    });

    it('me returns the user on 200', async () => {
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@@ -32,7 +32,14 @@ export async function login(creds: Credentials): Promise<User> {
 }

 export async function logout(): Promise<void> {
-    await request<void>('/v1/auth/logout', { method: 'POST' });
+    await request<void>('/v1/auth/logout', {
+        method: 'POST',
+        // Consistent with the other POST/PATCH helpers in this module.
+        // axum doesn't require it (no body), but keeping the header
+        // on every mutation request avoids the false-flag in logs and
+        // matches the project's style.
+        headers: { 'content-type': 'application/json' }
+    });
 }

 export type ChangePassword = {
--- a/frontend/src/routes/manga/[id]/chapter/[chapter_id]/+page.svelte
+++ b/frontend/src/routes/manga/[id]/chapter/[chapter_id]/+page.svelte
@@ -350,54 +350,48 @@
    });

    /**
-     * `fetch()` initiated during `pagehide` / `beforeunload` is
-     * cancelled by every browser by default. `sendBeacon` is the
-     * supported way to ship a small payload during unload — it's
-     * guaranteed to survive even if the tab is closing. Failure here
-     * is silent because the API is fire-and-forget.
+     * Flush read-progress as the tab is closing. A plain `fetch()`
+     * during `pagehide` / `beforeunload` is cancelled by every
+     * browser; `fetch(..., { keepalive: true })` is the supported
+     * escape hatch and survives the close.
+     *
+     * `sendBeacon` would be the textbook alternative, but it's
+     * POST-only and `/me/read-progress` takes PUT — so a beacon
+     * always 405s, adds server-log noise, then falls through to this
+     * same keepalive path anyway. The beacon was dropped; the
+     * keepalive fetch is the only path.
     */
-    function beaconFinalProgress() {
+    function flushFinalProgress() {
        if (!session.user) return;
        const body = JSON.stringify({
            manga_id: manga.id,
            chapter_id: chapter.id,
            page: progressPage
        });
-        const blob = new Blob([body], { type: 'application/json' });
-        // sendBeacon only supports POST — the server's PUT route is
-        // strict on method. The dedicated POST alias is omitted; in
-        // practice the in-app navigation path (back-link, chapter
-        // links) already covers the common-case unmount via the
-        // onDestroy fetch. Fall through to fetch+keepalive for browser
-        // implementations that don't honor sendBeacon for this endpoint.
        try {
-            const ok = navigator.sendBeacon('/api/v1/me/read-progress', blob);
-            if (!ok) throw new Error('sendBeacon rejected');
+            void fetch('/api/v1/me/read-progress', {
+                method: 'PUT',
+                headers: { 'content-type': 'application/json' },
+                body,
+                keepalive: true,
+                credentials: 'include'
+            });
        } catch {
-            try {
-                void fetch('/api/v1/me/read-progress', {
-                    method: 'PUT',
-                    headers: { 'content-type': 'application/json' },
-                    body,
-                    keepalive: true,
-                    credentials: 'include'
-                });
-            } catch {
-                // Final fallback failed; the in-app onDestroy flush
-                // below catches the SPA-navigation case.
-            }
+            // keepalive fetch was rejected (very old Firefox etc.);
+            // the in-app onDestroy flush below catches the SPA-
+            // navigation case, which is the common one anyway.
        }
    }

    onMount(() => {
-        window.addEventListener('pagehide', beaconFinalProgress);
+        window.addEventListener('pagehide', flushFinalProgress);
    });

    onDestroy(() => {
        observer?.disconnect();
        if (progressTimer) clearTimeout(progressTimer);
        if (typeof window !== 'undefined') {
-            window.removeEventListener('pagehide', beaconFinalProgress);
+            window.removeEventListener('pagehide', flushFinalProgress);
        }
        // Don't let the fullscreen flag leak to non-reader pages —
        // otherwise the layout header would stay slid-off on /upload