fix: resolve CVEs, upgrade to Astro v6, and harden API security (#227)

* fix: resolve CVEs, upgrade to Astro v6, and harden API security Docker image CVE fixes: - Install git-lfs v3.7.1 from GitHub releases (Go 1.25) instead of Debian apt (Go 1.23.12), fixing CVE-2025-68121 and 8 other Go stdlib CVEs - Strip build-only packages (esbuild, vite, rollup, svgo, tailwindcss) from production image, eliminating 9 esbuild Go stdlib CVEs Dependency upgrades: - Astro v5 → v6 (includes Vite 7, Zod 4) - Remove legacy content config (src/content/config.ts) - Update HealthResponse type for simplified health endpoint - npm overrides for fast-xml-parser ≥5.3.6, devalue ≥5.6.2, node-forge ≥1.3.2, svgo ≥4.0.1, rollup ≥4.59.0 API security hardening: - /api/auth/debug: dev-only, require auth, remove user-creation POST, strip trustedOrigins/databaseConfig from response - /api/auth/check-users: return boolean hasUsers instead of exact count - /api/cleanup/auto: require authentication, remove per-user details - /api/health: remove OS version, memory, uptime from response - /api/config: validate Gitea URL protocol (http/https only) - BETTER_AUTH_SECRET: log security warning when using insecure defaults - generateRandomString: replace Math.random() with crypto.getRandomValues() - hashValue: add random salt and timing-safe verification * repositories: migrate table to tanstack * Revert "repositories: migrate table to tanstack" This reverts commit a544b29e6d. * fixed lock file
2026-04-12 05:58:53 +03:00 · 2026-03-15 09:19:24 +05:30
parent 6f53a3ed41
commit 299659eca2
13 changed files with 668 additions and 774 deletions
--- a/src/pages/api/auth/check-users.ts
+++ b/src/pages/api/auth/check-users.ts
@@ -7,17 +7,10 @@ export const GET: APIRoute = async () => {
    const userCountResult = await db
      .select({ count: sql<number>`count(*)` })
      .from(users);
-    
-    const userCount = userCountResult[0].count;

-    if (userCount === 0) {
-      return new Response(JSON.stringify({ error: "No users found" }), {
-        status: 404,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
+    const hasUsers = userCountResult[0].count > 0;

-    return new Response(JSON.stringify({ userCount }), {
+    return new Response(JSON.stringify({ hasUsers }), {
      status: 200,
      headers: { "Content-Type": "application/json" },
    });
@@ -27,4 +20,4 @@ export const GET: APIRoute = async () => {
      headers: { "Content-Type": "application/json" },
    });
  }
-};
+};
--- a/src/pages/api/auth/debug.ts
+++ b/src/pages/api/auth/debug.ts
@@ -1,79 +1,42 @@
 import type { APIRoute } from "astro";
 import { auth } from "@/lib/auth";
-import { db } from "@/lib/db";
-import { users } from "@/lib/db/schema";
-import { nanoid } from "nanoid";
+import { ENV } from "@/lib/config";
+import { requireAuthenticatedUserId } from "@/lib/auth-guards";
+
+export const GET: APIRoute = async ({ request, locals }) => {
+  // Only available in development
+  if (ENV.NODE_ENV === "production") {
+    return new Response(JSON.stringify({ error: "Not found" }), {
+      status: 404,
+      headers: { "Content-Type": "application/json" },
+    });
+  }

-export const GET: APIRoute = async ({ request }) => {
  try {
-    // Get Better Auth configuration info
+    const authResult = await requireAuthenticatedUserId({ request, locals });
+    if ("response" in authResult) return authResult.response;
+
    const info = {
      baseURL: auth.options.baseURL,
      basePath: auth.options.basePath,
-      trustedOrigins: auth.options.trustedOrigins,
      emailPasswordEnabled: auth.options.emailAndPassword?.enabled,
-      userFields: auth.options.user?.additionalFields,
-      databaseConfig: {
-        usePlural: true,
-        provider: "sqlite"
-      }
    };
-    
+
    return new Response(JSON.stringify({
      success: true,
-      config: info
+      config: info,
    }), {
      status: 200,
      headers: { "Content-Type": "application/json" },
    });
  } catch (error) {
-    // Log full error details server-side for debugging
    console.error("Debug endpoint error:", error);
-    
-    // Only return safe error information to the client
    return new Response(JSON.stringify({
      success: false,
-      error: error instanceof Error ? error.message : "An unexpected error occurred"
+      error: "An unexpected error occurred",
    }), {
      status: 500,
      headers: { "Content-Type": "application/json" },
    });
  }
 };
-
-export const POST: APIRoute = async ({ request }) => {
-  try {
-    // Test creating a user directly
-    const userId = nanoid();
-    const now = new Date();
-    
-    await db.insert(users).values({
-      id: userId,
-      email: "test2@example.com",
-      emailVerified: false,
-      username: "test2",
-      // Let the database handle timestamps with defaults
-    });
-    
-    return new Response(JSON.stringify({
-      success: true,
-      userId,
-      message: "User created successfully"
-    }), {
-      status: 200,
-      headers: { "Content-Type": "application/json" },
-    });
-  } catch (error) {
-    // Log full error details server-side for debugging
-    console.error("Debug endpoint error:", error);
-    
-    // Only return safe error information to the client
-    return new Response(JSON.stringify({
-      success: false,
-      error: error instanceof Error ? error.message : "An unexpected error occurred"
-    }), {
-      status: 500,
-      headers: { "Content-Type": "application/json" },
-    });
-  }
-};