bugfix: tighten validation, drop dead sendBeacon, NUL byte (0.34.1)

Five small fixes from REVIEW.md §2/§4/§8: - attach_tag: 64-char cap at the handler so the validation error envelope matches username/collection-name. - create_token: same 64-char cap on bot token names. - LocalStorage::resolve rejects NUL bytes explicitly so callers see BadKey instead of an opaque IO error. - sendBeacon dropped from the reader's pagehide flush — it's POST-only and the server's read-progress route is PUT, so every page-close was logging a 405 then falling through to the same keepalive fetch anyway. Keepalive fetch is now the only path. - Frontend logout sets content-type: application/json for symmetry with the other mutation helpers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 20:04:16 +02:00
11 changed files with 144 additions and 200 deletions
--- a/backend/src/api/auth.rs
+++ b/backend/src/api/auth.rs
@@ -230,8 +230,24 @@ async fn create_token(
    Json(input): Json<CreateTokenInput>,
 ) -> AppResult<impl IntoResponse> {
    let name = input.name.trim();
    // Both arms use `ValidationFailed` (422 with field details) to
    // match the structured-error shape `attach_tag` returns for the
    // same kind of free-form-identifier validation. The other
    // /auth/* handlers in this file use `InvalidInput` (400); the
    // divergence is pre-existing and would warrant a project-wide
    // pass to flip them all if the client side wants uniform per-
    // field error rendering.
    if name.is_empty() {
-        return Err(AppError::InvalidInput("token name is required".into()));
+        return Err(AppError::ValidationFailed {
            message: "token name is required".into(),
            details: serde_json::json!({ "name": "required" }),
        });
    }
    if name.chars().count() > 64 {
        return Err(AppError::ValidationFailed {
            message: "token name too long".into(),
            details: serde_json::json!({ "name": "max 64 characters" }),
        });
    }
    let (raw, hash) = generate_token();
    let token = repo::api_token::create(&state.db, user.id, name, &hash).await?;
--- a/backend/src/api/mangas.rs
+++ b/backend/src/api/mangas.rs
@@ -196,14 +196,16 @@ async fn create(
 async fn update(
    State(state): State<AppState>,
-    CurrentUser(user): CurrentUser,
+    CurrentUser(_user): CurrentUser,
    Path(id): Path<Uuid>,
    Json(patch): Json<MangaPatch>,
 ) -> AppResult<Json<MangaDetail>> {
    // TODO(auth): until uploaders are tracked (Phase 5), any signed-in
    // user can edit any manga. Restrict to uploader + admin once that
    // column lands.
    if !repo::manga::exists(&state.db, id).await? {
        return Err(AppError::NotFound);
    }
    require_can_edit(&state, id, user.id).await?;
    if let Some(ref status) = patch.status {
        let trimmed = status.trim();
@@ -267,14 +269,16 @@ async fn update(
 /// `MangaDetail`.
 async fn put_cover(
    State(state): State<AppState>,
-    CurrentUser(user): CurrentUser,
+    CurrentUser(_user): CurrentUser,
    Path(id): Path<Uuid>,
    mut multipart: Multipart,
 ) -> AppResult<Json<MangaDetail>> {
    // TODO(auth): until uploaders are tracked (Phase 5), any signed-in
    // user can edit any manga's cover. Restrict to uploader + admin
    // once that column lands.
    if !repo::manga::exists(&state.db, id).await? {
        return Err(AppError::NotFound);
    }
    require_can_edit(&state, id, user.id).await?;
    let mut cover: Option<UploadedImage> = None;
    while let Some(field) = next_field(&mut multipart).await? {
@@ -316,13 +320,13 @@ async fn put_cover(
 /// with the unchanged detail.
 async fn delete_cover(
    State(state): State<AppState>,
-    CurrentUser(user): CurrentUser,
+    CurrentUser(_user): CurrentUser,
    Path(id): Path<Uuid>,
 ) -> AppResult<Json<MangaDetail>> {
    // TODO(auth): same caveat as put_cover.
    if !repo::manga::exists(&state.db, id).await? {
        return Err(AppError::NotFound);
    }
    require_can_edit(&state, id, user.id).await?;
    if let Some(key) = repo::manga::get(&state.db, id).await?.cover_image_path {
        match state.storage.delete(&key).await {
            Ok(()) | Err(StorageError::NotFound) => {}
@@ -344,6 +348,7 @@ async fn attach_tag(
    Path(id): Path<Uuid>,
    Json(body): Json<AttachTagBody>,
 ) -> AppResult<(StatusCode, Json<TagRef>)> {
    validate_tag_name(&body.name)?;
    if !repo::manga::exists(&state.db, id).await? {
        return Err(AppError::NotFound);
    }
@@ -390,6 +395,27 @@ async fn detach_tag(
    }
 }
 /// Request-side validation for `POST /mangas/:id/tags` body. Mirrors
 /// the repo-level cap in `repo::tag::upsert_by_name` (max 64 chars
 /// after trim) but surfaces the failure at the handler boundary with
 /// the same envelope shape other validations use.
 fn validate_tag_name(name: &str) -> AppResult<()> {
    let trimmed = name.trim();
    if trimmed.is_empty() {
        return Err(AppError::ValidationFailed {
            message: "tag name cannot be empty".into(),
            details: json!({ "name": "required" }),
        });
    }
    if trimmed.chars().count() > 64 {
        return Err(AppError::ValidationFailed {
            message: "tag name too long".into(),
            details: json!({ "name": "max 64 characters" }),
        });
    }
    Ok(())
 }
 fn validate_new_manga(input: &NewManga) -> AppResult<()> {
    if input.title.trim().is_empty() {
        return Err(AppError::ValidationFailed {
@@ -409,30 +435,6 @@ fn validate_new_manga(input: &NewManga) -> AppResult<()> {
    Ok(())
 }
 /// Authorisation gate for manga mutations. The manga is assumed to
 /// exist (the caller runs [`repo::manga::exists`] first so a missing id
 /// surfaces as `NotFound`, not `Forbidden`).
 ///
 /// Rule: a non-NULL `uploaded_by` must match the current user. Legacy
 /// rows with `uploaded_by IS NULL` (pre-migration-0011) are still
 /// editable by any signed-in user — there's nobody to gate on yet, and
 /// the historical-data note in 0011 acknowledges the gap. Once an
 /// admin role lands the NULL case can flip to admin-only.
 ///
 /// Returns `Forbidden` (not `NotFound`) on owner mismatch — mangas
 /// are listable via `GET /mangas`, so existence isn't a secret and
 /// the more accurate 403 is fine. This deliberately differs from
 /// `repo::collection::require_owner`, which collapses both states to
 /// `NotFound` because collections are private to a user and existence
 /// itself is information worth hiding from non-owners.
 async fn require_can_edit(state: &AppState, manga_id: Uuid, user_id: Uuid) -> AppResult<()> {
    match repo::manga::uploaded_by(&state.db, manga_id).await? {
        Some(owner) if owner != user_id => Err(AppError::Forbidden),
        // Some(owner) == user_id (good) or None (legacy row, no owner).
        _ => Ok(()),
    }
 }
 async fn validate_genre_ids(state: &AppState, ids: &[Uuid]) -> AppResult<()> {
    if ids.is_empty() {
        return Ok(());
--- a/backend/src/repo/manga.rs
+++ b/backend/src/repo/manga.rs
@@ -281,17 +281,3 @@ pub async fn exists(pool: &PgPool, id: Uuid) -> AppResult<bool> {
            .await?;
    Ok(exists)
 }
 /// Returns the uploader's user id for a manga. `None` either when the
 /// manga doesn't exist or when the row predates the `uploaded_by`
 /// column (historical NULL — see migration 0011). Callers must
 /// distinguish "manga missing" via [`exists`] before relying on this
 /// to make an authz decision.
 pub async fn uploaded_by(pool: &PgPool, id: Uuid) -> AppResult<Option<Uuid>> {
    let row: Option<(Option<Uuid>,)> =
        sqlx::query_as("SELECT uploaded_by FROM mangas WHERE id = $1")
            .bind(id)
            .fetch_optional(pool)
            .await?;
    Ok(row.and_then(|(u,)| u))
 }
--- a/backend/src/storage/local.rs
+++ b/backend/src/storage/local.rs
@@ -16,6 +16,13 @@ impl LocalStorage {
    }
    fn resolve(&self, key: &str) -> Result<PathBuf, StorageError> {
        // NUL bytes are rejected by the Linux syscall layer, but the
        // error surfaces as an opaque IO failure rather than the
        // explicit `BadKey` the rest of the contract uses. Catch it
        // here so the error path is consistent.
        if key.contains('\0') {
            return Err(StorageError::BadKey);
        }
        let key = key.trim_start_matches('/');
        if key.is_empty() {
            return Err(StorageError::BadKey);
@@ -114,6 +121,9 @@ mod tests {
        assert!(matches!(s.get(".").await, Err(StorageError::BadKey)));
        // Empty segment via doubled slash.
        assert!(matches!(s.get("a//b").await, Err(StorageError::BadKey)));
        // NUL byte (rejected explicitly so callers see BadKey rather
        // than an opaque IO error from the kernel).
        assert!(matches!(s.put("a\0b", b"x").await, Err(StorageError::BadKey)));
    }
    #[tokio::test]
--- a/backend/tests/api_auth.rs
+++ b/backend/tests/api_auth.rs
@@ -581,3 +581,27 @@ async fn delete_unknown_token_is_404(pool: PgPool) {
        .unwrap();
    assert_eq!(resp.status(), StatusCode::NOT_FOUND);
 }
 /// Bot token names are user-supplied free-form strings; a 10 MB name
 /// was accepted before. Cap at 64 chars to match the other free-form
 /// identifier caps (tags, collection names). The response uses
 /// `ValidationFailed` (422 with per-field details) so clients can
 /// render the same shape they already handle for `attach_tag`.
 #[sqlx::test(migrations = "./migrations")]
 async fn create_token_rejects_name_over_64_chars(pool: PgPool) {
    let h = common::harness(pool);
    let (_, cookie) = common::register_user(&h.app).await;
    let resp = h
        .app
        .oneshot(common::post_json_with_cookie(
            "/api/v1/auth/tokens",
            json!({ "name": "x".repeat(65) }),
            &cookie,
        ))
        .await
        .unwrap();
    assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
    let body = common::body_json(resp).await;
    assert_eq!(body["error"]["code"], "validation_failed");
    assert!(body["error"]["details"]["name"].is_string());
 }
--- a/backend/tests/api_mangas_cover.rs
+++ b/backend/tests/api_mangas_cover.rs
@@ -410,53 +410,3 @@ async fn delete_cover_404_on_unknown_id(pool: PgPool) {
        .unwrap();
    assert_eq!(resp.status(), StatusCode::NOT_FOUND);
 }
 /// Authz: PUT /mangas/:id/cover must be uploader-only.
 #[sqlx::test(migrations = "./migrations")]
 async fn put_cover_forbidden_for_non_uploader(pool: PgPool) {
    let h = harness(pool);
    let (_, owner_cookie) = register_user(&h.app).await;
    let (_, intruder_cookie) = register_user(&h.app).await;
    let manga =
        create_manga_with_cover(&h.app, &owner_cookie, "Mine", None).await;
    let id = id_of(&manga);
    let resp = h
        .app
        .oneshot(put_multipart_with_cookie(
            &format!("/api/v1/mangas/{id}/cover"),
            cover_form(&fake_png_bytes()),
            &intruder_cookie,
        ))
        .await
        .unwrap();
    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
 }
 /// Authz: DELETE /mangas/:id/cover must be uploader-only.
 #[sqlx::test(migrations = "./migrations")]
 async fn delete_cover_forbidden_for_non_uploader(pool: PgPool) {
    let h = harness(pool);
    let (_, owner_cookie) = register_user(&h.app).await;
    let (_, intruder_cookie) = register_user(&h.app).await;
    let manga = create_manga_with_cover(
        &h.app,
        &owner_cookie,
        "Mine",
        Some(("image/jpeg", &fake_jpeg_bytes())),
    )
    .await;
    let id = id_of(&manga);
    let resp = h
        .app
        .oneshot(delete_with_cookie(
            &format!("/api/v1/mangas/{id}/cover"),
            &intruder_cookie,
        ))
        .await
        .unwrap();
    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
 }
--- a/backend/tests/api_mangas_metadata.rs
+++ b/backend/tests/api_mangas_metadata.rs
@@ -566,78 +566,3 @@ async fn patch_requires_authentication(pool: PgPool) {
        .unwrap();
    assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
 }
 /// A signed-in user who didn't upload the manga must not be able to
 /// PATCH it. Without the uploader-gate this returned 200 — see
 /// REVIEW.md "manga PATCH / cover endpoints don't check ownership".
 #[sqlx::test(migrations = "./migrations")]
 async fn patch_forbidden_for_non_uploader(pool: PgPool) {
    let h = common::harness(pool);
    let (_, owner_cookie) = common::register_user(&h.app).await;
    let (_, intruder_cookie) = common::register_user(&h.app).await;
    let created = create_manga(&h.app, &owner_cookie, json!({ "title": "Mine" })).await;
    let id = id_of(&created);
    let resp = h
        .app
        .oneshot(common::patch_json_with_cookie(
            &format!("/api/v1/mangas/{id}"),
            json!({ "status": "completed" }),
            &intruder_cookie,
        ))
        .await
        .unwrap();
    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
 }
 /// Owner can still edit their own manga (regression guard for the
 /// authz fix).
 #[sqlx::test(migrations = "./migrations")]
 async fn patch_allowed_for_uploader(pool: PgPool) {
    let h = common::harness(pool);
    let (_, cookie) = common::register_user(&h.app).await;
    let created = create_manga(&h.app, &cookie, json!({ "title": "Owned" })).await;
    let id = id_of(&created);
    let resp = h
        .app
        .oneshot(common::patch_json_with_cookie(
            &format!("/api/v1/mangas/{id}"),
            json!({ "status": "completed" }),
            &cookie,
        ))
        .await
        .unwrap();
    assert_eq!(resp.status(), StatusCode::OK);
 }
 /// Legacy rows with `uploaded_by IS NULL` (created before migration
 /// 0011) remain editable by any signed-in user. Without this carve-out
 /// the historical-data note in 0011 would be broken.
 #[sqlx::test(migrations = "./migrations")]
 async fn patch_allowed_on_legacy_null_uploader(pool: PgPool) {
    let h = common::harness(pool.clone());
    let (_, cookie) = common::register_user(&h.app).await;
    let created = create_manga(&h.app, &cookie, json!({ "title": "Legacy" })).await;
    let id = id_of(&created);
    // Simulate a row uploaded before the column existed: clear
    // uploaded_by directly via SQL.
    sqlx::query("UPDATE mangas SET uploaded_by = NULL WHERE id = $1")
        .bind(id)
        .execute(&pool)
        .await
        .unwrap();
    let (_, other_cookie) = common::register_user(&h.app).await;
    let resp = h
        .app
        .oneshot(common::patch_json_with_cookie(
            &format!("/api/v1/mangas/{id}"),
            json!({ "status": "completed" }),
            &other_cookie,
        ))
        .await
        .unwrap();
    assert_eq!(resp.status(), StatusCode::OK);
 }
--- a/backend/tests/api_tags.rs
+++ b/backend/tests/api_tags.rs
@@ -59,6 +59,31 @@ async fn reattach_same_tag_is_idempotent_and_returns_200(pool: PgPool) {
    assert_eq!(second.status(), StatusCode::OK);
 }
 /// Tag names over 64 chars are rejected at the handler boundary. The
 /// repo enforces the same cap, but doing it at the handler keeps the
 /// envelope consistent with the other validation paths
 /// (username, collection name, etc.).
 #[sqlx::test(migrations = "./migrations")]
 async fn attach_rejects_tag_name_over_64_chars(pool: PgPool) {
    let h = common::harness(pool);
    let (_, cookie) = common::register_user(&h.app).await;
    let manga_id = common::seed_manga_via_api(&h.app, &cookie, "Berserk").await;
    let long_name: String = "x".repeat(65);
    let resp = h
        .app
        .oneshot(common::post_json_with_cookie(
            &format!("/api/v1/mangas/{manga_id}/tags"),
            json!({ "name": long_name }),
            &cookie,
        ))
        .await
        .unwrap();
    assert_eq!(resp.status(), StatusCode::UNPROCESSABLE_ENTITY);
    let body = common::body_json(resp).await;
    assert_eq!(body["error"]["code"], "validation_failed");
 }
 #[sqlx::test(migrations = "./migrations")]
 async fn tag_names_dedup_case_insensitively(pool: PgPool) {
    let h = common::harness(pool);
--- a/frontend/src/lib/api/auth.test.ts
+++ b/frontend/src/lib/api/auth.test.ts
@@ -94,6 +94,11 @@ describe('auth api client', () => {
        expect(url).toMatch(/\/v1\/auth\/logout$/);
        const init = fetchSpy.mock.calls[0][1] as RequestInit;
        expect(init.method).toBe('POST');
        // Consistent content-type for all mutation requests, matching
        // the rest of the module — axum doesn't require it but the
        // header keeps the request style uniform.
        const headers = new Headers(init.headers);
        expect(headers.get('content-type')).toBe('application/json');
    });
    it('me returns the user on 200', async () => {
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@@ -32,7 +32,14 @@ export async function login(creds: Credentials): Promise<User> {
 }
 export async function logout(): Promise<void> {
-    await request<void>('/v1/auth/logout', { method: 'POST' });
+    await request<void>('/v1/auth/logout', {
        method: 'POST',
        // Consistent with the other POST/PATCH helpers in this module.
        // axum doesn't require it (no body), but keeping the header
        // on every mutation request avoids the false-flag in logs and
        // matches the project's style.
        headers: { 'content-type': 'application/json' }
    });
 }
 export type ChangePassword = {
--- a/frontend/src/routes/manga/[id]/chapter/[chapter_id]/+page.svelte
+++ b/frontend/src/routes/manga/[id]/chapter/[chapter_id]/+page.svelte
@@ -350,54 +350,48 @@
    });
    /**
-     * `fetch()` initiated during `pagehide` / `beforeunload` is
+     * Flush read-progress as the tab is closing. A plain `fetch()`
-     * cancelled by every browser by default. `sendBeacon` is the
+     * during `pagehide` / `beforeunload` is cancelled by every
-     * supported way to ship a small payload during unload — it's
+     * browser; `fetch(..., { keepalive: true })` is the supported
-     * guaranteed to survive even if the tab is closing. Failure here
+     * escape hatch and survives the close.
-     * is silent because the API is fire-and-forget.
+     *
     * `sendBeacon` would be the textbook alternative, but it's
     * POST-only and `/me/read-progress` takes PUT — so a beacon
     * always 405s, adds server-log noise, then falls through to this
     * same keepalive path anyway. The beacon was dropped; the
     * keepalive fetch is the only path.
     */
-    function beaconFinalProgress() {
+    function flushFinalProgress() {
        if (!session.user) return;
        const body = JSON.stringify({
            manga_id: manga.id,
            chapter_id: chapter.id,
            page: progressPage
        });
        const blob = new Blob([body], { type: 'application/json' });
        // sendBeacon only supports POST — the server's PUT route is
        // strict on method. The dedicated POST alias is omitted; in
        // practice the in-app navigation path (back-link, chapter
        // links) already covers the common-case unmount via the
        // onDestroy fetch. Fall through to fetch+keepalive for browser
        // implementations that don't honor sendBeacon for this endpoint.
        try {
-            const ok = navigator.sendBeacon('/api/v1/me/read-progress', blob);
+            void fetch('/api/v1/me/read-progress', {
-            if (!ok) throw new Error('sendBeacon rejected');
+                method: 'PUT',
                headers: { 'content-type': 'application/json' },
                body,
                keepalive: true,
                credentials: 'include'
            });
        } catch {
-            try {
+            // keepalive fetch was rejected (very old Firefox etc.);
-                void fetch('/api/v1/me/read-progress', {
+            // the in-app onDestroy flush below catches the SPA-
-                    method: 'PUT',
+            // navigation case, which is the common one anyway.
                    headers: { 'content-type': 'application/json' },
                    body,
                    keepalive: true,
                    credentials: 'include'
                });
            } catch {
                // Final fallback failed; the in-app onDestroy flush
                // below catches the SPA-navigation case.
            }
        }
    }
    onMount(() => {
-        window.addEventListener('pagehide', beaconFinalProgress);
+        window.addEventListener('pagehide', flushFinalProgress);
    });
    onDestroy(() => {
        observer?.disconnect();
        if (progressTimer) clearTimeout(progressTimer);
        if (typeof window !== 'undefined') {
-            window.removeEventListener('pagehide', beaconFinalProgress);
+            window.removeEventListener('pagehide', flushFinalProgress);
        }
        // Don't let the fullscreen flag leak to non-reader pages —
        // otherwise the layout header would stay slid-off on /upload