Development#28
Merged
Conversation
Add database-backed session storage to fix session expiration on server restart
- Create AnonymousSession table with token, userId, expiresAt, and challenge fields
- Replace in-memory Map with Prisma queries in SessionStore
- Sessions now persist across server restarts and deployments

Fix group recovery and sign-out behavior
- Fix naming conflict between setRecentGroups state setter and helper function
- Groups now properly save to localStorage when logging in
- Sign-out only clears localStorage, preserving groups in database for recovery
- Groups restore automatically when logging back in with same account

Improve UI for logged-in users
- Move Restore from backup and Import from JSON to account dropdown menu
- Hide restore/import options from groups page for logged-in users
- Better organization of account management features

Add server-side authorization to group deletion
- Validate user session before allowing group deletion
- Verify group ownership through anonymousUserGroup table
- Return appropriate error codes (401 UNAUTHORIZED, 403 FORBIDDEN)
- Prevents unauthorized deletion even if UI is bypassed
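The server-side authorization check described in the group-deletion commit above, as an added example that is not the project's code: the in-memory `db` object, its sample rows and the `getSession`, `authorizeGroupDeletion` and `purgeExpiredSessions` names are constructed for this example and stand in for the Prisma queries against the AnonymousSession and anonymousUserGroup tables the commit names.

```javascript
// Added example, not the project's code: server-side authorization for group
// deletion. "db" is a constructed in-memory stand-in for the Prisma tables the
// commit names (AnonymousSession, anonymousUserGroup); all row values are made up.
const db = {
  anonymousSession: [
    { token: 'tok-alice', userId: 'u-alice', expiresAt: new Date('2030-01-01T00:00:00Z') },
    { token: 'tok-stale', userId: 'u-bob', expiresAt: new Date('2020-01-01T00:00:00Z') },
  ],
  anonymousUserGroup: [
    { userId: 'u-alice', groupId: 'g-1' },
    { userId: 'u-bob', groupId: 'g-2' },
  ],
};

// Resolve a session token to its row. A missing token, an unknown token and an
// expired row all yield null; the caller treats every one of them the same way.
function getSession(db, token, now = new Date()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const session = db.anonymousSession.find((s) => s.token === token);
  if (!session || session.expiresAt <= now) return null;
  return session;
}

// Authorization decision for deleting a group, made on the server regardless of
// what the UI showed. The result maps directly onto an HTTP response:
// 401 UNAUTHORIZED when there is no valid session, 403 FORBIDDEN when the
// session's user does not own the group, 200 when the deletion may proceed.
function authorizeGroupDeletion(db, token, groupId, now = new Date()) {
  const session = getSession(db, token, now);
  if (!session) return { ok: false, status: 401, code: 'UNAUTHORIZED' };
  const owns = db.anonymousUserGroup.some(
    (row) => row.userId === session.userId && row.groupId === groupId,
  );
  if (!owns) return { ok: false, status: 403, code: 'FORBIDDEN' };
  return { ok: true, status: 200, userId: session.userId };
}

// Housekeeping: once sessions live in the database instead of a process-local
// Map, expired rows have to be swept explicitly. Returns the number removed.
function purgeExpiredSessions(db, now = new Date()) {
  const before = db.anonymousSession.length;
  db.anonymousSession = db.anonymousSession.filter((s) => s.expiresAt > now);
  return before - db.anonymousSession.length;
}
```

The ownership lookup is keyed on the user id taken from the session row, never on a user id supplied by the client, which is what makes the check hold even when the UI is bypassed.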
Add ability to register multiple passkeys per anonymous account with custom names
- Create new Passkey table with name, credentialId, publicKey, counter, lastUsedAt fields
- Migrate from single passkey storage on AnonymousUser to separate Passkey table
- Add passkey name input dialog when registering new passkeys
- Display list of all registered passkeys with creation dates
- Add individual passkey deletion with confirmation dialog
- Update lastUsedAt timestamp when passkey is used for authentication
- Add /api/anonymous-users/passkey/list endpoint to fetch user's passkeys
- Maintain backward compatibility with deprecated passkey fields on AnonymousUser

UI improvements:
- Show passkey list with name and creation date in account dialog
- Add 'Add passkey' button that opens name input dialog
- Individual remove button for each passkey
- Better UX with 'New account' button highlighted when generating username
- Changed 'Recover account' to 'Existing account' for clarity
- Change auth-options endpoint to fetch credentials from Passkey table
- Support multiple passkeys by returning all credential IDs for allowCredentials
- Fixes 'No passkey registered' error when authenticating
- Add upsert to create AnonymousUser if not exists before session creation
- Prevents foreign key constraint violation in AnonymousSession table
- Handle both authenticated and discoverable credential flows
…set flows
- Always require current passphrase for normal passphrase change
- Add separate reset flow for passkey-authenticated users
- Reset with passkey only requires new passphrase (no current)
- Add hasPassphrase flag to groups API response
- Update UI to conditionally show options based on passphrase state
- Add passkeyResetMode state to differentiate between change and reset
- Server-side validation enforces security requirements
…nup optimization (#20)
* Initial plan
* Address code review comments: fix security and reliability issues
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Refactor: extract session retrieval helper and add temp user cleanup
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Improve error messages and add error logging for debugging
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Polish error message for clarity
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
…rt (#22)
* Initial plan
* Add security improvements to remote JSON import route
- Add rate limiting to prevent SSRF abuse
- Add timeout (30s) to fetch operations
- Add groupId validation to prevent injection/path traversal
- Add SSRF protection (block private IPs, localhost, metadata endpoints)
- Add response size limit (10MB) and max expenses limit (10k)
- Add error handling to normalizeDate function
- Improve error logging in import-json-button.tsx
- Extract ASSOCIATED_GROUPS_KEY constant to shared file
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Translate import success messages to all supported languages
- pt-BR: Portuguese (Brazil)
- ru-RU: Russian
- ko: Korean
- id: Indonesian
- fr-FR: French
- zh-TW: Chinese Traditional
- ro: Romanian
- ja-JP: Japanese
- eu: Basque
- zh-CN: Chinese Simplified
- nl-NL: Dutch
- he: Hebrew
- cs-CZ: Czech
- uk-UA: Ukrainian
- tr-TR: Turkish
- pt: Portuguese
- pl-PL: Polish
- es: Spanish
- de-DE: German
- ca: Catalan
- fi: Finnish
- it-IT: Italian
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Address code review feedback on security improvements
- Fix IP validation to properly handle octets and validate ranges
- Remove redundant cloud metadata endpoint check (covered by link-local)
- Fix normalizeDate to throw error instead of using epoch as default
- Filter out expenses with invalid dates instead of setting to epoch
- Sanitize logging to avoid exposing sensitive data
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Fix log injection vulnerability in normalizeDate
Use template literal instead of string concatenation to prevent potential log injection when logging the type of invalid date values.
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
… import (#24)
* Initial plan
* Address code review feedback: SSRF protection, translations, and error handling
- Add protocol validation (http/https only) to validateRemoteUrl
- Enforce hard byte limit while reading response in fetchTrpcJson
- Prevent redirect-based SSRF by setting redirect: 'manual'
- Add all missing translation keys for hardcoded UI strings
- Change placeholder URL from spliit.app to neutral example.com
- Wrap syncAssociatedGroups in try/catch for best-effort handling
- Improve passkey error handling to differentiate error types (rate limit, not found, user cancel)
- Run prettier to fix inconsistent indentation
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
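The remote-import controls listed in the two commits above (#22 and #24: http/https only, blocking of private, loopback and link-local addresses, a fetch timeout, `redirect: 'manual'` and a hard byte limit while reading the body), carried through as one added example that is not the project's route code. The function names, the blocked-range table and the default limits are this example's own choices; the project's `validateRemoteUrl` and `fetchTrpcJson` are only known here by name.

```javascript
// Added example, not the project's route: URL validation and bounded fetching for
// a remote JSON import. The blocked-range table, the names and the default limits
// are this example's own assumptions.
const PRIVATE_V4 = [
  [/^0\./, '0.0.0.0/8'],
  [/^10\./, '10.0.0.0/8'],
  [/^127\./, '127.0.0.0/8'],
  [/^169\.254\./, '169.254.0.0/16 (link-local; covers cloud metadata addresses)'],
  [/^172\.(1[6-9]|2\d|3[01])\./, '172.16.0.0/12'],
  [/^192\.168\./, '192.168.0.0/16'],
];

function isIPv4Literal(host) {
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// IPv6 literals come out of the URL parser bracketed and lower-cased. Refuse
// loopback, unspecified, unique-local, link-local and IPv4-mapped addresses.
function isBlockedIPv6(host) {
  const h = host.slice(1, -1);
  return h === '::1' || h === '::' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h) || h.startsWith('::ffff:');
}

// Returns { ok: true, url } or { ok: false, reason }. Runs before any network I/O.
function validateRemoteUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost not allowed' };
  }
  if (host.startsWith('[')) {
    if (isBlockedIPv6(host)) return { ok: false, reason: 'non-public IPv6 address' };
  } else if (isIPv4Literal(host)) {
    // WHATWG URL parsing has already normalised decimal, octal and hex host forms
    // (e.g. a single 32-bit number) to dotted-quad, so matching dotted-quad is enough.
    const hit = PRIVATE_V4.find(([re]) => re.test(host));
    if (hit) return { ok: false, reason: `address in ${hit[1]}` };
  }
  return { ok: true, url };
}

// Fetch with a timeout, refuse to follow redirects (a 3xx target would otherwise
// bypass the check above), and stop reading once the body exceeds maxBytes.
async function fetchJsonWithLimits(urlString, { timeoutMs = 30_000, maxBytes = 10 * 1024 * 1024 } = {}) {
  const check = validateRemoteUrl(urlString);
  if (!check.ok) throw new Error(`refusing to fetch: ${check.reason}`);
  const res = await fetch(check.url, { redirect: 'manual', signal: AbortSignal.timeout(timeoutMs) });
  if (res.status === 0 || (res.status >= 300 && res.status < 400)) {
    throw new Error('upstream redirected; redirects are not followed');
  }
  if (!res.ok) throw new Error(`upstream responded ${res.status}`);
  const reader = res.body.getReader();
  const chunks = [];
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > maxBytes) {
      await reader.cancel();
      throw new Error(`response exceeds ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  return JSON.parse(Buffer.concat(chunks).toString('utf8'));
}
```

One caveat worth keeping in mind: the hostname check runs before DNS resolution, so a public hostname that resolves to an internal address is not caught by it. Resolving the name first and applying the same address checks to the result (and connecting to that checked address) closes that gap; the byte limit is enforced while streaming rather than by trusting `Content-Length`, which an upstream can omit or misstate.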
…#25)
* Initial plan
* Fix duplicate imports in import-json-button.tsx
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Initial plan
* Address PR review comments: fix unused imports, update links, improve security and error handling
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
* Improve icon choice and clarify HTML stripping behavior
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: carnach <26198260+carnach@users.noreply.github.com>
Pull request overview
Adds a Node-based icon generation script and wires it into the project tooling to (re)generate PWA/logo assets while archiving previous outputs.
Changes:
- Added `scripts/generate-icons.mjs` to generate PNG icons (via `pwa-asset-generator` with a `sharp` fallback) and create an archived snapshot of prior assets.
- Added an npm script (`generate-icons`) and the `pwa-asset-generator` dependency.
- Committed two archived `logo.svg` snapshots under `public/logo-archive/...`.
Reviewed changes
Copilot reviewed 2 out of 44 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| scripts/generate-icons.mjs | Implements icon generation, fallback resizing, and asset archiving. |
| package.json | Adds generate-icons script and pwa-asset-generator dependency. |
| public/logo-archive/2026-02-09T11-57-04-189Z/logo.svg | Adds an archived SVG version of the logo. |
| public/logo-archive/2026-02-09T11-47-13-777Z/logo.svg | Adds another archived SVG snapshot of the prior logo. |
Comments suppressed due to low confidence (2)

scripts/generate-icons.mjs:1
- Falling back to `npx` without `--no-install` can unexpectedly download/execute packages from the registry if the local binary is missing, which is risky and can make builds non-reproducible. Prefer either (a) failing fast with an actionable error when `localBin` is missing, or (b) using `npx --no-install pwa-asset-generator ...` so only locally installed dependencies are used.

scripts/generate-icons.mjs:1
- The warning drops the underlying failure reason, which will make diagnosing CI/local issues harder (e.g., missing binary vs runtime error). Include the caught `error` message/exit code in the warning (or rethrow after fallback if certain failures should be fatal).
No description provided.