feat: harden auth, shutdown, and session bundle (0.35.0)
Three features bundled into one release: - rate-limit /auth/login, /register, /me/password (token bucket, 5 req/sec sustained with 10-request burst by default; 429 + Retry-After header on hit; tracing::warn! per hit so operators see attack patterns; AUTH_RATE_PER_SEC / AUTH_RATE_BURST env knobs) - handle SIGTERM for graceful container stops (replaces bare ctrl_c() with a select over ctrl_c + SignalKind::terminate() so docker compose stop runs the daemon shutdown path instead of letting Chromium leak past SIGKILL) - clear session.user on 401 from any API call (setOn401Hook in api/client.ts, registered from session.svelte.ts gated on $app/environment::browser so the SSR bundle never installs it; fixes "logged in but no bookmarks/collections" mid-session expiry state) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -1,5 +1,5 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach, type MockInstance } from 'vitest';
|
||||
import { ApiError, request } from './client';
|
||||
import { ApiError, request, setOn401Hook } from './client';
|
||||
import { getManga } from './mangas';
|
||||
|
||||
describe('request error envelope parsing', () => {
|
||||
@@ -73,3 +73,88 @@ describe('request error envelope parsing', () => {
|
||||
expect(err.code).toBe('http_error');
|
||||
});
|
||||
});
|
||||
|
||||
describe('on401 hook', () => {
|
||||
let fetchSpy: MockInstance<typeof globalThis.fetch>;
|
||||
|
||||
beforeEach(() => {
|
||||
fetchSpy = vi.spyOn(globalThis, 'fetch');
|
||||
});
|
||||
afterEach(() => {
|
||||
vi.restoreAllMocks();
|
||||
// Critical: reset the module-level hook between tests so a
|
||||
// hook installed by one test doesn't leak into the next.
|
||||
setOn401Hook(null);
|
||||
});
|
||||
|
||||
it('invokes the hook exactly once on a 401 response and re-throws', async () => {
|
||||
const hook = vi.fn();
|
||||
setOn401Hook(hook);
|
||||
fetchSpy.mockResolvedValueOnce(
|
||||
new Response(
|
||||
JSON.stringify({ error: { code: 'unauthenticated', message: 'no auth' } }),
|
||||
{ status: 401, headers: { 'content-type': 'application/json' } }
|
||||
)
|
||||
);
|
||||
await expect(getManga('x')).rejects.toMatchObject({
|
||||
status: 401,
|
||||
code: 'unauthenticated'
|
||||
});
|
||||
expect(hook).toHaveBeenCalledTimes(1);
|
||||
});
|
||||
|
||||
it('does not invoke the hook on non-401 errors', async () => {
|
||||
const hook = vi.fn();
|
||||
setOn401Hook(hook);
|
||||
fetchSpy.mockResolvedValueOnce(
|
||||
new Response(
|
||||
JSON.stringify({ error: { code: 'not_found', message: 'no' } }),
|
||||
{ status: 404, headers: { 'content-type': 'application/json' } }
|
||||
)
|
||||
);
|
||||
await expect(getManga('x')).rejects.toMatchObject({ status: 404 });
|
||||
expect(hook).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('does not invoke the hook on successful responses', async () => {
|
||||
const hook = vi.fn();
|
||||
setOn401Hook(hook);
|
||||
fetchSpy.mockResolvedValueOnce(
|
||||
new Response(
|
||||
JSON.stringify({
|
||||
id: 'm1',
|
||||
title: 't',
|
||||
status: 'ongoing',
|
||||
alt_titles: [],
|
||||
description: null,
|
||||
cover_image_path: null,
|
||||
created_at: '2026-01-01T00:00:00Z',
|
||||
updated_at: '2026-01-01T00:00:00Z',
|
||||
authors: [],
|
||||
genres: [],
|
||||
tags: []
|
||||
}),
|
||||
{ status: 200, headers: { 'content-type': 'application/json' } }
|
||||
)
|
||||
);
|
||||
await getManga('m1');
|
||||
expect(hook).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('swallows hook exceptions so the original ApiError still propagates', async () => {
|
||||
const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
setOn401Hook(() => {
|
||||
throw new Error('hook boom');
|
||||
});
|
||||
fetchSpy.mockResolvedValueOnce(
|
||||
new Response(
|
||||
JSON.stringify({ error: { code: 'unauthenticated', message: 'x' } }),
|
||||
{ status: 401, headers: { 'content-type': 'application/json' } }
|
||||
)
|
||||
);
|
||||
await expect(getManga('x')).rejects.toMatchObject({ status: 401 });
|
||||
// The original ApiError won — the hook's panic was logged but
|
||||
// didn't replace the API error.
|
||||
expect(consoleSpy).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
@@ -25,6 +25,21 @@ export class ApiError extends Error {
|
||||
|
||||
type ErrorEnvelope = { error?: { code?: unknown; message?: unknown } };
|
||||
|
||||
/**
|
||||
* Optional hook fired the first moment `request()` observes a 401 on
|
||||
* any endpoint. Used by the session store to clear the cached user
|
||||
* when the server reports the session is no longer valid (expired
|
||||
* cookie, rotated server-side, password changed on another device).
|
||||
*
|
||||
* Set to `null` (or `undefined`) to disable. Tests that don't want
|
||||
* the side effect should leave it unset.
|
||||
*/
|
||||
let on401Hook: (() => void) | null = null;
|
||||
|
||||
export function setOn401Hook(handler: (() => void) | null): void {
|
||||
on401Hook = handler;
|
||||
}
|
||||
|
||||
export async function request<T>(path: string, init?: RequestInit): Promise<T> {
|
||||
// Forward credentials (session cookie) explicitly so cross-origin
|
||||
// deployments — those configured via CORS_ALLOWED_ORIGINS — keep
|
||||
@@ -54,6 +69,16 @@ export async function request<T>(path: string, init?: RequestInit): Promise<T> {
|
||||
} catch {
|
||||
// Body wasn't parseable; keep the http_error fallback.
|
||||
}
|
||||
if (res.status === 401 && on401Hook) {
|
||||
// Fire before throwing so the session store updates even
|
||||
// if the caller swallows the ApiError (e.g. the *OrEmpty
|
||||
// wrappers used by guest-rendering pages).
|
||||
try {
|
||||
on401Hook();
|
||||
} catch (e) {
|
||||
console.error('on401 hook threw:', e);
|
||||
}
|
||||
}
|
||||
throw new ApiError(res.status, code, message);
|
||||
}
|
||||
// Any empty body (not just 204) returns undefined — the manga-add
|
||||
|
||||
Reference in New Issue
Block a user