Address code review feedback: authorization, error handling, and cleanup optimization#20
Merged
Conversation
Merged
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
Author
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Copilot
AI
changed the title
[WIP] Refactor anonymous user authentication system
Address code review feedback: authorization, error handling, and cleanup optimization
Feb 4, 2026
carnach
added a commit
that referenced
this pull request
Feb 4, 2026
* add anonymous account * feat: implement database-backed sessions and improve group management Add database-backed session storage to fix session expiration on server restart - Create AnonymousSession table with token, userId, expiresAt, and challenge fields - Replace in-memory Map with Prisma queries in SessionStore - Sessions now persist across server restarts and deployments Fix group recovery and sign-out behavior - Fix naming conflict between setRecentGroups state setter and helper function - Groups now properly save to localStorage when logging in - Sign-out only clears localStorage, preserving groups in database for recovery - Groups restore automatically when logging back in with same account Improve UI for logged-in users - Move Restore from backup and Import from JSON to account dropdown menu - Hide restore/import options from groups page for logged-in users - Better organization of account management features Add server-side authorization to group deletion - Validate user session before allowing group deletion - Verify group ownership through anonymousUserGroup table - Return appropriate error codes (401 UNAUTHORIZED, 403 FORBIDDEN) - Prevents unauthorized deletion even if UI is bypassed * update sigin UI * feat: support multiple passkeys per account with names Add ability to register multiple passkeys per anonymous account with custom names - Create new Passkey table with name, credentialId, publicKey, counter, lastUsedAt fields - Migrate from single passkey storage on AnonymousUser to separate Passkey table - Add passkey name input dialog when registering new passkeys - Display list of all registered passkeys with creation dates - Add individual passkey deletion with confirmation dialog - Update lastUsedAt timestamp when passkey is used for authentication - Add /api/anonymous-users/passkey/list endpoint to fetch user's passkeys - Maintain backward compatibility with deprecated passkey fields on AnonymousUser UI improvements: - Show passkey list with name and creation date in account dialog - Add 'Add passkey' button that opens name input dialog - Individual remove button for each passkey - Better UX with 'New account' button highlighted when generating username - Changed 'Recover account' to 'Existing account' for clarity * fix: update auth-options to use new Passkey table - Change auth-options endpoint to fetch credentials from Passkey table - Support multiple passkeys by returning all credential IDs for allowCredentials - Fixes 'No passkey registered' error when authenticating * fix: ensure user exists before creating passkey auth session - Add upsert to create AnonymousUser if not exists before session creation - Prevents foreign key constraint violation in AnonymousSession table - Handle both authenticated and discoverable credential flows * feat: enforce passphrase security requirements and separate change/reset flows - Always require current passphrase for normal passphrase change - Add separate reset flow for passkey-authenticated users - Reset with passkey only requires new passphrase (no current) - Add hasPassphrase flag to groups API response - Update UI to conditionally show options based on passphrase state - Add passkeyResetMode state to differentiate between change and reset - Server-side validation enforces security requirements * Address code review feedback: authorization, error handling, and cleanup optimization (#20) * Initial plan * Address code review comments: fix security and reliability issues Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Refactor: extract session retrieval helper and add temp user cleanup Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Improve error messages and add error logging for debugging Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Polish error message for clarity Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR implements security hardening, error handling improvements, and performance optimizations based on code review feedback. The changes focus on authorization enforcement, proper error handling with loading state cleanup, and optimizations for database operations.
Changes:
- Added authorization checks to group update and delete procedures to verify user ownership before allowing modifications
- Extracted session retrieval logic into reusable
getSessionFromHeaders()helper with proper URL derivation from request headers - Wrapped all fetch calls in try-catch-finally blocks with consistent error logging and user-friendly error messages
- Fixed race conditions in passkey deletion using database transactions and optimized temporary user cleanup with batch operations
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/trpc/routers/groups/update.procedure.ts | Adds session-based authorization to verify user has associated with group before allowing updates |
| src/trpc/routers/groups/delete.procedure.ts | Refactors to use new getSessionFromHeaders() helper for cleaner session retrieval |
| src/lib/session.ts | Adds getSessionFromHeaders() helper, fixes hardcoded localhost URL, implements batch cleanup for temporary users |
| src/components/anonymous-auth-menu.tsx | Wraps fetch calls in try-catch-finally for proper error handling and loading state cleanup, removes unnecessary open dependency from useMemo |
| src/app/groups/recent-group-list.tsx | Adds SSR guard for localStorage access to prevent hydration errors |
| src/app/api/anonymous-users/passkey/delete/route.ts | Wraps passkey deletion and passkeysEnabled update in transaction to prevent race conditions |
| src/app/api/anonymous-users/passkey/auth-options/route.ts | Validates user existence before creating auth session instead of creating incomplete user records |
| prisma/schema.prisma | Removes redundant credentialId index (unique constraint already provides indexing) |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+18
to
+43
| // Get session from request headers | ||
| const session = await getSessionFromHeaders() | ||
|
|
||
| if (!session) { | ||
| throw new TRPCError({ | ||
| code: 'UNAUTHORIZED', | ||
| message: 'You must be logged in to update a group', | ||
| }) | ||
| } | ||
|
|
||
| // Check if user has this group in their associated groups | ||
| const userGroup = await prisma.anonymousUserGroup.findUnique({ | ||
| where: { | ||
| anonymousUserId_groupId: { | ||
| anonymousUserId: session.userId, | ||
| groupId: groupId, | ||
| }, | ||
| }, | ||
| }) | ||
|
|
||
| if (!userGroup) { | ||
| throw new TRPCError({ | ||
| code: 'FORBIDDEN', | ||
| message: 'You are not authorized to update this group', | ||
| }) | ||
| } |
There was a problem hiding this comment.
Authorization checks have been added to update and delete group procedures, but similar mutating operations like creating groups and creating/updating/deleting expenses lack authorization checks. This creates an inconsistency in security enforcement across the API surface.
Consider adding similar authorization checks to:
createGroupProcedureinsrc/trpc/routers/groups/create.procedure.tscreateGroupExpenseProcedureinsrc/trpc/routers/groups/expenses/create.procedure.tsupdateGroupExpenseProcedureinsrc/trpc/routers/groups/expenses/update.procedure.tsdeleteGroupExpenseProcedureinsrc/trpc/routers/groups/expenses/delete.procedure.ts
These procedures should verify that the user has access to the group before allowing mutations.
carnach
added a commit
that referenced
this pull request
Feb 6, 2026
* add anonymous account * feat: implement database-backed sessions and improve group management Add database-backed session storage to fix session expiration on server restart - Create AnonymousSession table with token, userId, expiresAt, and challenge fields - Replace in-memory Map with Prisma queries in SessionStore - Sessions now persist across server restarts and deployments Fix group recovery and sign-out behavior - Fix naming conflict between setRecentGroups state setter and helper function - Groups now properly save to localStorage when logging in - Sign-out only clears localStorage, preserving groups in database for recovery - Groups restore automatically when logging back in with same account Improve UI for logged-in users - Move Restore from backup and Import from JSON to account dropdown menu - Hide restore/import options from groups page for logged-in users - Better organization of account management features Add server-side authorization to group deletion - Validate user session before allowing group deletion - Verify group ownership through anonymousUserGroup table - Return appropriate error codes (401 UNAUTHORIZED, 403 FORBIDDEN) - Prevents unauthorized deletion even if UI is bypassed * update sigin UI * feat: support multiple passkeys per account with names Add ability to register multiple passkeys per anonymous account with custom names - Create new Passkey table with name, credentialId, publicKey, counter, lastUsedAt fields - Migrate from single passkey storage on AnonymousUser to separate Passkey table - Add passkey name input dialog when registering new passkeys - Display list of all registered passkeys with creation dates - Add individual passkey deletion with confirmation dialog - Update lastUsedAt timestamp when passkey is used for authentication - Add /api/anonymous-users/passkey/list endpoint to fetch user's passkeys - Maintain backward compatibility with deprecated passkey fields on AnonymousUser UI improvements: - Show passkey list with name and creation date in account dialog - Add 'Add passkey' button that opens name input dialog - Individual remove button for each passkey - Better UX with 'New account' button highlighted when generating username - Changed 'Recover account' to 'Existing account' for clarity * fix: update auth-options to use new Passkey table - Change auth-options endpoint to fetch credentials from Passkey table - Support multiple passkeys by returning all credential IDs for allowCredentials - Fixes 'No passkey registered' error when authenticating * fix: ensure user exists before creating passkey auth session - Add upsert to create AnonymousUser if not exists before session creation - Prevents foreign key constraint violation in AnonymousSession table - Handle both authenticated and discoverable credential flows * feat: enforce passphrase security requirements and separate change/reset flows - Always require current passphrase for normal passphrase change - Add separate reset flow for passkey-authenticated users - Reset with passkey only requires new passphrase (no current) - Add hasPassphrase flag to groups API response - Update UI to conditionally show options based on passphrase state - Add passkeyResetMode state to differentiate between change and reset - Server-side validation enforces security requirements * Address code review feedback: authorization, error handling, and cleanup optimization (#20) * Initial plan * Address code review comments: fix security and reliability issues Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Refactor: extract session retrieval helper and add temp user cleanup Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Improve error messages and add error logging for debugging Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Polish error message for clarity Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * test passkey fix * try no username first * test IOS * update ux * update UI remove import button * finalise permissions * additional permissoins * Add remote JSON import flow with auto-association and iOS icon fixes * Address security vulnerabilities and translations in remote JSON import (#22) * Initial plan * Add security improvements to remote JSON import route - Add rate limiting to prevent SSRF abuse - Add timeout (30s) to fetch operations - Add groupId validation to prevent injection/path traversal - Add SSRF protection (block private IPs, localhost, metadata endpoints) - Add response size limit (10MB) and max expenses limit (10k) - Add error handling to normalizeDate function - Improve error logging in import-json-button.tsx - Extract ASSOCIATED_GROUPS_KEY constant to shared file Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Translate import success messages to all supported languages - pt-BR: Portuguese (Brazil) - ru-RU: Russian - ko: Korean - id: Indonesian - fr-FR: French - zh-TW: Chinese Traditional - ro: Romanian - ja-JP: Japanese - eu: Basque - zh-CN: Chinese Simplified - nl-NL: Dutch - he: Hebrew - cs-CZ: Czech - uk-UA: Ukrainian - tr-TR: Turkish - pt: Portuguese - pl-PL: Polish - es: Spanish - de-DE: German - ca: Catalan - fi: Finnish - it-IT: Italian Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Address code review feedback on security improvements - Fix IP validation to properly handle octets and validate ranges - Remove redundant cloud metadata endpoint check (covered by link-local) - Fix normalizeDate to throw error instead of using epoch as default - Filter out expenses with invalid dates instead of setting to epoch - Sanitize logging to avoid exposing sensitive data Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Fix log injection vulnerability in normalizeDate Use template literal instead of string concatenation to prevent potential log injection when logging the type of invalid date values. Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * fix json --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
carnach
added a commit
that referenced
this pull request
Feb 7, 2026
* add anonymous account * feat: implement database-backed sessions and improve group management Add database-backed session storage to fix session expiration on server restart - Create AnonymousSession table with token, userId, expiresAt, and challenge fields - Replace in-memory Map with Prisma queries in SessionStore - Sessions now persist across server restarts and deployments Fix group recovery and sign-out behavior - Fix naming conflict between setRecentGroups state setter and helper function - Groups now properly save to localStorage when logging in - Sign-out only clears localStorage, preserving groups in database for recovery - Groups restore automatically when logging back in with same account Improve UI for logged-in users - Move Restore from backup and Import from JSON to account dropdown menu - Hide restore/import options from groups page for logged-in users - Better organization of account management features Add server-side authorization to group deletion - Validate user session before allowing group deletion - Verify group ownership through anonymousUserGroup table - Return appropriate error codes (401 UNAUTHORIZED, 403 FORBIDDEN) - Prevents unauthorized deletion even if UI is bypassed * update sigin UI * feat: support multiple passkeys per account with names Add ability to register multiple passkeys per anonymous account with custom names - Create new Passkey table with name, credentialId, publicKey, counter, lastUsedAt fields - Migrate from single passkey storage on AnonymousUser to separate Passkey table - Add passkey name input dialog when registering new passkeys - Display list of all registered passkeys with creation dates - Add individual passkey deletion with confirmation dialog - Update lastUsedAt timestamp when passkey is used for authentication - Add /api/anonymous-users/passkey/list endpoint to fetch user's passkeys - Maintain backward compatibility with deprecated passkey fields on AnonymousUser UI improvements: - Show passkey list with name and creation date in account dialog - Add 'Add passkey' button that opens name input dialog - Individual remove button for each passkey - Better UX with 'New account' button highlighted when generating username - Changed 'Recover account' to 'Existing account' for clarity * fix: update auth-options to use new Passkey table - Change auth-options endpoint to fetch credentials from Passkey table - Support multiple passkeys by returning all credential IDs for allowCredentials - Fixes 'No passkey registered' error when authenticating * fix: ensure user exists before creating passkey auth session - Add upsert to create AnonymousUser if not exists before session creation - Prevents foreign key constraint violation in AnonymousSession table - Handle both authenticated and discoverable credential flows * feat: enforce passphrase security requirements and separate change/reset flows - Always require current passphrase for normal passphrase change - Add separate reset flow for passkey-authenticated users - Reset with passkey only requires new passphrase (no current) - Add hasPassphrase flag to groups API response - Update UI to conditionally show options based on passphrase state - Add passkeyResetMode state to differentiate between change and reset - Server-side validation enforces security requirements * Address code review feedback: authorization, error handling, and cleanup optimization (#20) * Initial plan * Address code review comments: fix security and reliability issues Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Refactor: extract session retrieval helper and add temp user cleanup Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Improve error messages and add error logging for debugging Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Polish error message for clarity Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * test passkey fix * try no username first * test IOS * update ux * update UI remove import button * finalise permissions * additional permissoins * Add remote JSON import flow with auto-association and iOS icon fixes * Address security vulnerabilities and translations in remote JSON import (#22) * Initial plan * Add security improvements to remote JSON import route - Add rate limiting to prevent SSRF abuse - Add timeout (30s) to fetch operations - Add groupId validation to prevent injection/path traversal - Add SSRF protection (block private IPs, localhost, metadata endpoints) - Add response size limit (10MB) and max expenses limit (10k) - Add error handling to normalizeDate function - Improve error logging in import-json-button.tsx - Extract ASSOCIATED_GROUPS_KEY constant to shared file Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Translate import success messages to all supported languages - pt-BR: Portuguese (Brazil) - ru-RU: Russian - ko: Korean - id: Indonesian - fr-FR: French - zh-TW: Chinese Traditional - ro: Romanian - ja-JP: Japanese - eu: Basque - zh-CN: Chinese Simplified - nl-NL: Dutch - he: Hebrew - cs-CZ: Czech - uk-UA: Ukrainian - tr-TR: Turkish - pt: Portuguese - pl-PL: Polish - es: Spanish - de-DE: German - ca: Catalan - fi: Finnish - it-IT: Italian Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Address code review feedback on security improvements - Fix IP validation to properly handle octets and validate ranges - Remove redundant cloud metadata endpoint check (covered by link-local) - Fix normalizeDate to throw error instead of using epoch as default - Filter out expenses with invalid dates instead of setting to epoch - Sanitize logging to avoid exposing sensitive data Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Fix log injection vulnerability in normalizeDate Use template literal instead of string concatenation to prevent potential log injection when logging the type of invalid date values. Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * fix json * empty username when accessing the login screen * Address security vulnerabilities and localization gaps in remote JSON import (#24) * Initial plan * Address code review feedback: SSRF protection, translations, and error handling - Add protocol validation (http/https only) to validateRemoteUrl - Enforce hard byte limit while reading response in fetchTrpcJson - Prevent redirect-based SSRF by setting redirect: 'manual' - Add all missing translation keys for hardcoded UI strings - Change placeholder URL from spliit.app to neutral example.com - Wrap syncAssociatedGroups in try/catch for best-effort handling - Improve passkey error handling to differentiate error types (rate limit, not found, user cancel) - Run prettier to fix inconsistent indentation Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Fix duplicate imports causing build failure in import-json-button.tsx (#25) * Initial plan * Fix duplicate imports in import-json-button.tsx Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
carnach
added a commit
that referenced
this pull request
Feb 7, 2026
* add anonymous account * feat: implement database-backed sessions and improve group management Add database-backed session storage to fix session expiration on server restart - Create AnonymousSession table with token, userId, expiresAt, and challenge fields - Replace in-memory Map with Prisma queries in SessionStore - Sessions now persist across server restarts and deployments Fix group recovery and sign-out behavior - Fix naming conflict between setRecentGroups state setter and helper function - Groups now properly save to localStorage when logging in - Sign-out only clears localStorage, preserving groups in database for recovery - Groups restore automatically when logging back in with same account Improve UI for logged-in users - Move Restore from backup and Import from JSON to account dropdown menu - Hide restore/import options from groups page for logged-in users - Better organization of account management features Add server-side authorization to group deletion - Validate user session before allowing group deletion - Verify group ownership through anonymousUserGroup table - Return appropriate error codes (401 UNAUTHORIZED, 403 FORBIDDEN) - Prevents unauthorized deletion even if UI is bypassed * update sigin UI * feat: support multiple passkeys per account with names Add ability to register multiple passkeys per anonymous account with custom names - Create new Passkey table with name, credentialId, publicKey, counter, lastUsedAt fields - Migrate from single passkey storage on AnonymousUser to separate Passkey table - Add passkey name input dialog when registering new passkeys - Display list of all registered passkeys with creation dates - Add individual passkey deletion with confirmation dialog - Update lastUsedAt timestamp when passkey is used for authentication - Add /api/anonymous-users/passkey/list endpoint to fetch user's passkeys - Maintain backward compatibility with deprecated passkey fields on AnonymousUser UI improvements: - Show passkey list with name and creation date in account dialog - Add 'Add passkey' button that opens name input dialog - Individual remove button for each passkey - Better UX with 'New account' button highlighted when generating username - Changed 'Recover account' to 'Existing account' for clarity * fix: update auth-options to use new Passkey table - Change auth-options endpoint to fetch credentials from Passkey table - Support multiple passkeys by returning all credential IDs for allowCredentials - Fixes 'No passkey registered' error when authenticating * fix: ensure user exists before creating passkey auth session - Add upsert to create AnonymousUser if not exists before session creation - Prevents foreign key constraint violation in AnonymousSession table - Handle both authenticated and discoverable credential flows * feat: enforce passphrase security requirements and separate change/reset flows - Always require current passphrase for normal passphrase change - Add separate reset flow for passkey-authenticated users - Reset with passkey only requires new passphrase (no current) - Add hasPassphrase flag to groups API response - Update UI to conditionally show options based on passphrase state - Add passkeyResetMode state to differentiate between change and reset - Server-side validation enforces security requirements * Address code review feedback: authorization, error handling, and cleanup optimization (#20) * Initial plan * Address code review comments: fix security and reliability issues Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Refactor: extract session retrieval helper and add temp user cleanup Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Improve error messages and add error logging for debugging Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Polish error message for clarity Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * test passkey fix * try no username first * test IOS * update ux * update UI remove import button * finalise permissions * additional permissoins * Add remote JSON import flow with auto-association and iOS icon fixes * Address security vulnerabilities and translations in remote JSON import (#22) * Initial plan * Add security improvements to remote JSON import route - Add rate limiting to prevent SSRF abuse - Add timeout (30s) to fetch operations - Add groupId validation to prevent injection/path traversal - Add SSRF protection (block private IPs, localhost, metadata endpoints) - Add response size limit (10MB) and max expenses limit (10k) - Add error handling to normalizeDate function - Improve error logging in import-json-button.tsx - Extract ASSOCIATED_GROUPS_KEY constant to shared file Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Translate import success messages to all supported languages - pt-BR: Portuguese (Brazil) - ru-RU: Russian - ko: Korean - id: Indonesian - fr-FR: French - zh-TW: Chinese Traditional - ro: Romanian - ja-JP: Japanese - eu: Basque - zh-CN: Chinese Simplified - nl-NL: Dutch - he: Hebrew - cs-CZ: Czech - uk-UA: Ukrainian - tr-TR: Turkish - pt: Portuguese - pl-PL: Polish - es: Spanish - de-DE: German - ca: Catalan - fi: Finnish - it-IT: Italian Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Address code review feedback on security improvements - Fix IP validation to properly handle octets and validate ranges - Remove redundant cloud metadata endpoint check (covered by link-local) - Fix normalizeDate to throw error instead of using epoch as default - Filter out expenses with invalid dates instead of setting to epoch - Sanitize logging to avoid exposing sensitive data Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Fix log injection vulnerability in normalizeDate Use template literal instead of string concatenation to prevent potential log injection when logging the type of invalid date values. Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * fix json * empty username when accessing the login screen * Address security vulnerabilities and localization gaps in remote JSON import (#24) * Initial plan * Address code review feedback: SSRF protection, translations, and error handling - Add protocol validation (http/https only) to validateRemoteUrl - Enforce hard byte limit while reading response in fetchTrpcJson - Prevent redirect-based SSRF by setting redirect: 'manual' - Add all missing translation keys for hardcoded UI strings - Change placeholder URL from spliit.app to neutral example.com - Wrap syncAssociatedGroups in try/catch for best-effort handling - Improve passkey error handling to differentiate error types (rate limit, not found, user cancel) - Run prettier to fix inconsistent indentation Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Fix duplicate imports causing build failure in import-json-button.tsx (#25) * Initial plan * Fix duplicate imports in import-json-button.tsx Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * add whats new * add whats new * [WIP] Add end-user documentation and UX improvements (#27) * Initial plan * Address PR review comments: fix unused imports, update links, improve security and error handling Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Improve icon choice and clarify HTML stripping behavior Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
carnach
added a commit
that referenced
this pull request
Feb 9, 2026
* add anonymous account * feat: implement database-backed sessions and improve group management Add database-backed session storage to fix session expiration on server restart - Create AnonymousSession table with token, userId, expiresAt, and challenge fields - Replace in-memory Map with Prisma queries in SessionStore - Sessions now persist across server restarts and deployments Fix group recovery and sign-out behavior - Fix naming conflict between setRecentGroups state setter and helper function - Groups now properly save to localStorage when logging in - Sign-out only clears localStorage, preserving groups in database for recovery - Groups restore automatically when logging back in with same account Improve UI for logged-in users - Move Restore from backup and Import from JSON to account dropdown menu - Hide restore/import options from groups page for logged-in users - Better organization of account management features Add server-side authorization to group deletion - Validate user session before allowing group deletion - Verify group ownership through anonymousUserGroup table - Return appropriate error codes (401 UNAUTHORIZED, 403 FORBIDDEN) - Prevents unauthorized deletion even if UI is bypassed * update sigin UI * feat: support multiple passkeys per account with names Add ability to register multiple passkeys per anonymous account with custom names - Create new Passkey table with name, credentialId, publicKey, counter, lastUsedAt fields - Migrate from single passkey storage on AnonymousUser to separate Passkey table - Add passkey name input dialog when registering new passkeys - Display list of all registered passkeys with creation dates - Add individual passkey deletion with confirmation dialog - Update lastUsedAt timestamp when passkey is used for authentication - Add /api/anonymous-users/passkey/list endpoint to fetch user's passkeys - Maintain backward compatibility with deprecated passkey fields on AnonymousUser UI improvements: - Show passkey list with name and creation date in account dialog - Add 'Add passkey' button that opens name input dialog - Individual remove button for each passkey - Better UX with 'New account' button highlighted when generating username - Changed 'Recover account' to 'Existing account' for clarity * fix: update auth-options to use new Passkey table - Change auth-options endpoint to fetch credentials from Passkey table - Support multiple passkeys by returning all credential IDs for allowCredentials - Fixes 'No passkey registered' error when authenticating * fix: ensure user exists before creating passkey auth session - Add upsert to create AnonymousUser if not exists before session creation - Prevents foreign key constraint violation in AnonymousSession table - Handle both authenticated and discoverable credential flows * feat: enforce passphrase security requirements and separate change/reset flows - Always require current passphrase for normal passphrase change - Add separate reset flow for passkey-authenticated users - Reset with passkey only requires new passphrase (no current) - Add hasPassphrase flag to groups API response - Update UI to conditionally show options based on passphrase state - Add passkeyResetMode state to differentiate between change and reset - Server-side validation enforces security requirements * Address code review feedback: authorization, error handling, and cleanup optimization (#20) * Initial plan * Address code review comments: fix security and reliability issues Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Refactor: extract session retrieval helper and add temp user cleanup Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Improve error messages and add error logging for debugging Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Polish error message for clarity Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * test passkey fix * try no username first * test IOS * update ux * update UI remove import button * finalise permissions * additional permissoins * Add remote JSON import flow with auto-association and iOS icon fixes * Address security vulnerabilities and translations in remote JSON import (#22) * Initial plan * Add security improvements to remote JSON import route - Add rate limiting to prevent SSRF abuse - Add timeout (30s) to fetch operations - Add groupId validation to prevent injection/path traversal - Add SSRF protection (block private IPs, localhost, metadata endpoints) - Add response size limit (10MB) and max expenses limit (10k) - Add error handling to normalizeDate function - Improve error logging in import-json-button.tsx - Extract ASSOCIATED_GROUPS_KEY constant to shared file Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Translate import success messages to all supported languages - pt-BR: Portuguese (Brazil) - ru-RU: Russian - ko: Korean - id: Indonesian - fr-FR: French - zh-TW: Chinese Traditional - ro: Romanian - ja-JP: Japanese - eu: Basque - zh-CN: Chinese Simplified - nl-NL: Dutch - he: Hebrew - cs-CZ: Czech - uk-UA: Ukrainian - tr-TR: Turkish - pt: Portuguese - pl-PL: Polish - es: Spanish - de-DE: German - ca: Catalan - fi: Finnish - it-IT: Italian Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Address code review feedback on security improvements - Fix IP validation to properly handle octets and validate ranges - Remove redundant cloud metadata endpoint check (covered by link-local) - Fix normalizeDate to throw error instead of using epoch as default - Filter out expenses with invalid dates instead of setting to epoch - Sanitize logging to avoid exposing sensitive data Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Fix log injection vulnerability in normalizeDate Use template literal instead of string concatenation to prevent potential log injection when logging the type of invalid date values. Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * fix json * empty username when accessing the login screen * Address security vulnerabilities and localization gaps in remote JSON import (#24) * Initial plan * Address code review feedback: SSRF protection, translations, and error handling - Add protocol validation (http/https only) to validateRemoteUrl - Enforce hard byte limit while reading response in fetchTrpcJson - Prevent redirect-based SSRF by setting redirect: 'manual' - Add all missing translation keys for hardcoded UI strings - Change placeholder URL from spliit.app to neutral example.com - Wrap syncAssociatedGroups in try/catch for best-effort handling - Improve passkey error handling to differentiate error types (rate limit, not found, user cancel) - Run prettier to fix inconsistent indentation Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Fix duplicate imports causing build failure in import-json-button.tsx (#25) * Initial plan * Fix duplicate imports in import-json-button.tsx Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * add whats new * add whats new * [WIP] Add end-user documentation and UX improvements (#27) * Initial plan * Address PR review comments: fix unused imports, update links, improve security and error handling Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * Improve icon choice and clarify HTML stripping behavior Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com> * change icon * update update with links to forked instance --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements fixes for security, reliability, and performance issues identified in code review feedback.
Authorization & Security
update.procedure.tsto prevent unauthorized group modificationsError Handling
Code Quality
getSessionFromHeaders()helpercredentialIdindex (unique constraint already provides indexing)opendependency from useMemoCleanup Optimization
deleteMany)✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.