Skip to content

v1.3.3 β€” Security, Performance & Quality

Latest

Choose a tag to compare

@cmadzz cmadzz released this 11 Jul 18:15

v1.3.3 β€” Security, Performance & Quality Release

Security

Critical Fixes

  • Auth middleware hardened β€” invalid/expired JWT tokens now return 401 instead of silently passing through. Missing tokens still allowed in open mode.
  • WebSocket authentication β€” server verifies JWT token on connection (/ws?token=<jwt>), rejects invalid tokens with code 4001. Mobile client now sends token on connect.
  • ALLOW_ANONYMOUS env var β€” anonymous access is now explicit opt-in (ALLOW_ANONYMOUS=true by default for backward compatibility). Set to false to require auth on all routes.
  • Path traversal fix β€” scanId in Terry Vision upload is sanitized to alphanumeric characters only.

Hardening

  • Helmet security headers β€” X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, etc.
  • Auth rate limiting β€” 10 requests/minute on /api/auth/login and /api/auth/register to prevent brute-force.
  • Input length validation β€” recipe title (200 chars), description (2000), notes (2000), ingredients (100 items), steps (100 items), tags (20 items).
  • Email format validation on registration endpoint.
  • Gemini model list cached server-side (1-hour TTL) β€” API key no longer sent to clients via proxy.

Database

Performance

  • 11 new indexes added (from 2 β†’ 13 total):
    • recipes(user_id), recipes(user_id, updated_at DESC)
    • recipe_images(recipe_id)
    • meal_plans(user_id, date)
    • scanned_items(user_id, consumed, expires_at)
    • push_tokens(user_id), cookbook_entries(user_id)
    • chat_history(user_id, timestamp DESC)
    • dietary_profiles(user_id), terry_vision_scans(user_id), shopping_list(user_id)

Data Integrity

  • 9 functions wrapped in transactions: clearStats, addRecipeImage, deleteRecipeImage, deleteCookbookEntry, clearCookbookEntries, deleteTerryVisionScan, clearTerryVisionScans, recordCook, registerPushToken, upsertNotificationSubscription.
  • user_id added to UPDATE WHERE clauses in updateRecipe and updateCollection for defense-in-depth.
  • Migration system β€” server/migrations/ directory with migrate.js runner, schema_migrations tracking table, and baseline migration.

Server

Performance

  • Async image writes β€” saveBase64Image converted from writeFileSync to fs.promises.writeFile, no longer blocks the event loop.
  • Graceful shutdown β€” SIGTERM/SIGINT handlers close HTTP server, WebSocket server, and database cleanly.
  • WebSocket ping interval .unref()'d so it doesn't prevent process exit.

Architecture

  • Shared utilities β€” isPrivateIP extracted to server/utils.js (was duplicated in index.js and ai.js).
  • Config module β€” magic numbers extracted to server/config.js (rate limits, timeouts, body parser limits, WS ping interval).
  • Prompt module β€” AI prompts extracted to server/prompts.js for easy tuning.
  • Request ID middleware β€” UUID per request attached to req.requestId for log correlation.
  • Structured logging β€” server/logger.js with JSON format in production, pretty in dev, log levels (error/warn/info/debug).
  • Enhanced health check β€” /api/health/detailed reports uptime, DB status, WebSocket connections, memory usage.

Mobile

Stability

  • Error boundaries β€” reusable ErrorBoundary component wraps root navigator and all screen groups. Catches render errors, shows fallback UI with "Try Again" button.
  • 42+ empty catch blocks replaced with __DEV__-gated console.warn with context-specific messages.
  • 123 console calls gated behind __DEV__ check (no more logs in production builds).

Accessibility

  • Accessibility labels added to all interactive elements across 6+ screens: RecipeListScreen, RecipeDetailScreen, EditRecipeScreen, ShoppingListScreen, MealPlannerScreen, CookModeScreen, SettingsScreen, CookbookScreen, BottomNav.
  • Includes accessibilityLabel, accessibilityHint, accessibilityRole, and accessibilityState for tabs/checkboxes.

Code Quality

  • Deduplicated utilities β€” splitLines, parseTimerMins, findAllTimers, buildRecipeObject extracted to shared modules.
  • expo-image replaces react-native Image in AssistantScreen and SettingsScreen.
  • Pressable replaces TouchableOpacity in SwipeableRow for consistency.
  • Hardcoded colors in Markdown.js, SwipeableRow.js, VersionBanner.js replaced with theme values.
  • Lazy screen loading β€” heavy screens (TerryVisionScreen, ScanRecipeScreen) use dynamic imports.
  • GlobalTimerBar β€” 1-second interval only runs when active timers exist.
  • WebSocket auth β€” mobile client passes JWT token in connection URL.

DevOps

  • GitHub Actions CI/CD β€” ci.yml (syntax + tests on push/PR), docker.yml (build + push on tag), mobile.yml (expo-doctor on tag).
  • Docker β€” healthcheck fixed, log rotation configured, non-root user, resource limits.

Documentation

  • README.md β€” rewritten with features, tech stack, quick start, architecture overview.
  • docs/API.md β€” all 59 REST API endpoints documented.
  • ARCHITECTURE.md β€” system diagrams, data flows, auth flow, offline strategy, DB schema, security model.
  • 22 review reports in reviews/ directory covering code quality, security, database, frontend, DevOps, and performance.

Download: Cegin-v1.3.3.apk (or from GitHub releases)