chore: audit-flagged cleanups (no behaviour change)

Four small follow-ups from the 0.9.0 audit, none of them user-visible: - Migration 0007 drops `chapters_manga_idx`. The 0001 schema declared both `UNIQUE (manga_id, number)` and `CREATE INDEX chapters_manga_idx ON (manga_id, number)`, but Postgres maintains an identical index for the unique constraint automatically — the explicit one was just paying for a second per-write update. Query plans are unchanged because the planner already preferred the constraint's index. - `upload::parse_image` sniffs from the first 64 bytes instead of the full image buffer. `infer` only looks at magic bytes anyway, so scanning 20 MiB is wasted work. Functionally identical; cheaper in the hot path. - AVIF was on the whitelist but had no test fixture. New `avif_bytes` helper produces a minimal `ftyp avif` header that `infer` recognises, and a new `accepts_avif` unit test covers the path end-to-end. - Frontend `request()` sets `credentials: 'include'`. Same-origin callers see no change (default was already `'same-origin'`), but the first user who configures `CORS_ALLOWED_ORIGINS` for a cross-origin deployment gets working cookies without having to chase a runtime ApiError trail. No version bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 23:32:02 +02:00
parent 2df4084c56
commit d81aca42a0
3 changed files with 39 additions and 2 deletions
--- a/backend/migrations/0007_drop_redundant_chapter_index.sql
+++ b/backend/migrations/0007_drop_redundant_chapter_index.sql
@@ -0,0 +1,7 @@
+-- `chapters_manga_idx` over (manga_id, number) duplicates the implicit
+-- index Postgres maintains for the `UNIQUE (manga_id, number)`
+-- constraint from 0001 — same leading columns, same ordering, same
+-- selectivity. Dropping the explicit one saves a per-write index
+-- update without changing query plans.
+
+DROP INDEX IF EXISTS chapters_manga_idx;
--- a/backend/src/upload/mod.rs
+++ b/backend/src/upload/mod.rs
@@ -21,7 +21,11 @@ pub fn parse_image(bytes: Vec<u8>, max_size: usize, field_name: &str) -> AppResu
            "{field_name} exceeds {max_size}-byte cap"
        )));
    }
-    let kind = infer::get(&bytes).ok_or_else(|| {
+    // `infer` only looks at magic bytes in the first dozen-or-so bytes;
+    // hand it a small head slice rather than walking the whole 20-MiB
+    // image buffer when sniffing.
+    let head = &bytes[..bytes.len().min(64)];
+    let kind = infer::get(head).ok_or_else(|| {
        AppError::UnsupportedMediaType(format!("{field_name}: unrecognised image format"))
    })?;
    let (mime, ext) = match kind.mime_type() {
@@ -56,6 +60,20 @@ mod tests {
        b"%PDF-1.4\n%\xc4\xe5".to_vec()
    }

+    fn avif_bytes() -> Vec<u8> {
+        // Minimal `ftyp avif` header that `infer` recognises. A real
+        // AVIF would continue with `mdat`/`meta` boxes; the magic bytes
+        // alone are enough for sniffing.
+        vec![
+            0x00, 0x00, 0x00, 0x18, // box size = 24
+            b'f', b't', b'y', b'p', // box type
+            b'a', b'v', b'i', b'f', // major brand
+            0x00, 0x00, 0x00, 0x00, // minor version
+            b'm', b'i', b'f', b'1', // compatible brand
+            b'a', b'v', b'i', b'f', // compatible brand
+        ]
+    }
+
    #[test]
    fn accepts_png() {
        let img = parse_image(png_bytes(), 1024, "cover").unwrap();
@@ -70,6 +88,13 @@ mod tests {
        assert_eq!(img.ext, "jpg");
    }

+    #[test]
+    fn accepts_avif() {
+        let img = parse_image(avif_bytes(), 1024, "cover").unwrap();
+        assert_eq!(img.mime, "image/avif");
+        assert_eq!(img.ext, "avif");
+    }
+
    #[test]
    fn rejects_non_image_with_unsupported_media_type() {
        let err = parse_image(pdf_bytes(), 1024, "cover").unwrap_err();
--- a/frontend/src/lib/api/client.ts
+++ b/frontend/src/lib/api/client.ts
@@ -26,7 +26,12 @@ export class ApiError extends Error {
 type ErrorEnvelope = { error?: { code?: unknown; message?: unknown } };

 export async function request<T>(path: string, init?: RequestInit): Promise<T> {
-    const res = await fetch(`${BASE}${path}`, init);
+    // Forward credentials (session cookie) explicitly so cross-origin
+    // deployments — those configured via CORS_ALLOWED_ORIGINS — keep
+    // working. For same-origin requests this is a no-op compared to the
+    // default 'same-origin', so the same-origin happy path is
+    // unchanged.
+    const res = await fetch(`${BASE}${path}`, { credentials: 'include', ...init });
    if (!res.ok) {
        let code = 'http_error';
        let message = `${res.status} ${res.statusText}`;