generated from nhcarrigan/template
hikari
6d5b0581a5
## Summary - **Base64 cover image uploads broken for books, shows, manga, and music** — a premature `validateStringLength` check ran before the data URL detection, rejecting all base64 images with a 2,048-char URL limit error. Also fixed the size calculation to extract only the base64 portion after the comma (matching the correct pattern already in `game.service.ts`). - **Audit log flooded with expected 401s on `/api/auth/me`** — these occur during normal token refresh flow and are not genuine security events. Excluded this URL from the global 401/403 audit log handler. - **ChunkLoadError spam after deployments** — when Angular lazy-loaded chunks are missing (stale cache after a redeploy), the global error handler now detects `ChunkLoadError` and silently reloads the page instead of logging the error and sending it to the API/Discord. ## Test plan - [ ] Upload a base64 cover image for a book, show, manga, and music item — should succeed - [ ] Verify `/api/auth/me` 401s no longer appear in the audit log - [ ] Deploy a new build and confirm stale-chunk users are silently reloaded ✨ This PR was created with help from Hikari~ 🌸 Reviewed-on: #69 Co-authored-by: Hikari <hikari@nhcarrigan.com> Co-committed-by: Hikari <hikari@nhcarrigan.com>
70 lines
2.4 KiB
TypeScript
70 lines
2.4 KiB
TypeScript
import * as path from 'path';
|
|
import { FastifyInstance, FastifyError } from 'fastify';
|
|
import AutoLoad from '@fastify/autoload';
|
|
import { AuditService } from './services/audit.service';
|
|
import { AuditAction, AuditCategory } from '@library/shared-types';
|
|
|
|
/* eslint-disable-next-line */
|
|
export interface AppOptions {}
|
|
|
|
export async function app(fastify: FastifyInstance, opts: AppOptions) {
|
|
// Add global error handler for security event logging
|
|
fastify.setErrorHandler(async (error: FastifyError, request, reply) => {
|
|
// Log CSRF validation failures
|
|
if (error.code === 'FST_CSRF_INVALID_TOKEN' || error.code === 'FST_CSRF_MISSING_SECRET') {
|
|
await AuditService.log({
|
|
action: AuditAction.csrfValidationFailed,
|
|
category: AuditCategory.security,
|
|
details: `CSRF validation failed: ${error.message}, URL: ${request.url}`,
|
|
success: false,
|
|
}, request).catch(() => {
|
|
// Ignore logging errors
|
|
});
|
|
}
|
|
|
|
// Log unauthorized access attempts (exclude /api/auth/me as 401s there are expected during token refresh)
|
|
if ((error.statusCode === 401 || error.statusCode === 403) && request.url !== '/api/auth/me') {
|
|
await AuditService.log({
|
|
action: AuditAction.unauthorizedAccess,
|
|
category: AuditCategory.security,
|
|
details: `Unauthorized access attempt: ${error.message}, URL: ${request.url}`,
|
|
success: false,
|
|
}, request).catch(() => {
|
|
// Ignore logging errors
|
|
});
|
|
}
|
|
|
|
// Send the error response (don't leak internal details for server errors)
|
|
const statusCode = error.statusCode ?? 500;
|
|
|
|
reply.status(statusCode).send({
|
|
statusCode,
|
|
error: statusCode >= 500 ? "Internal Server Error" : error.name,
|
|
message: statusCode >= 500 ? "An unexpected error occurred" : error.message,
|
|
});
|
|
});
|
|
|
|
// This loads all plugins defined in plugins
|
|
// those should be support plugins that are reused
|
|
// through your application
|
|
fastify.register(AutoLoad, {
|
|
dir: path.join(__dirname, 'plugins'),
|
|
options: { ...opts },
|
|
});
|
|
|
|
// This loads all plugins defined in routes
|
|
// define your routes in one of these
|
|
fastify.register(AutoLoad, {
|
|
dir: path.join(__dirname, 'routes'),
|
|
options: { ...opts, prefix: '/api' },
|
|
ignorePattern: /root\.ts$/,
|
|
});
|
|
|
|
// Register root route without prefix
|
|
fastify.register(AutoLoad, {
|
|
dir: path.join(__dirname, 'routes'),
|
|
options: { ...opts },
|
|
matchFilter: /root\.ts$/,
|
|
});
|
|
}
|