v1.3.3 β Security, Performance & Quality Release
Security
Critical Fixes
- Auth middleware hardened β invalid/expired JWT tokens now return 401 instead of silently passing through. Missing tokens still allowed in open mode.
- WebSocket authentication β server verifies JWT token on connection (
/ws?token=<jwt>), rejects invalid tokens with code 4001. Mobile client now sends token on connect. - ALLOW_ANONYMOUS env var β anonymous access is now explicit opt-in (
ALLOW_ANONYMOUS=trueby default for backward compatibility). Set tofalseto require auth on all routes. - Path traversal fix β
scanIdin Terry Vision upload is sanitized to alphanumeric characters only.
Hardening
- Helmet security headers β X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, etc.
- Auth rate limiting β 10 requests/minute on
/api/auth/loginand/api/auth/registerto prevent brute-force. - Input length validation β recipe title (200 chars), description (2000), notes (2000), ingredients (100 items), steps (100 items), tags (20 items).
- Email format validation on registration endpoint.
- Gemini model list cached server-side (1-hour TTL) β API key no longer sent to clients via proxy.
Database
Performance
- 11 new indexes added (from 2 β 13 total):
recipes(user_id),recipes(user_id, updated_at DESC)recipe_images(recipe_id)meal_plans(user_id, date)scanned_items(user_id, consumed, expires_at)push_tokens(user_id),cookbook_entries(user_id)chat_history(user_id, timestamp DESC)dietary_profiles(user_id),terry_vision_scans(user_id),shopping_list(user_id)
Data Integrity
- 9 functions wrapped in transactions:
clearStats,addRecipeImage,deleteRecipeImage,deleteCookbookEntry,clearCookbookEntries,deleteTerryVisionScan,clearTerryVisionScans,recordCook,registerPushToken,upsertNotificationSubscription. - user_id added to UPDATE WHERE clauses in
updateRecipeandupdateCollectionfor defense-in-depth. - Migration system β
server/migrations/directory withmigrate.jsrunner,schema_migrationstracking table, and baseline migration.
Server
Performance
- Async image writes β
saveBase64Imageconverted fromwriteFileSynctofs.promises.writeFile, no longer blocks the event loop. - Graceful shutdown β SIGTERM/SIGINT handlers close HTTP server, WebSocket server, and database cleanly.
- WebSocket ping interval
.unref()'d so it doesn't prevent process exit.
Architecture
- Shared utilities β
isPrivateIPextracted toserver/utils.js(was duplicated in index.js and ai.js). - Config module β magic numbers extracted to
server/config.js(rate limits, timeouts, body parser limits, WS ping interval). - Prompt module β AI prompts extracted to
server/prompts.jsfor easy tuning. - Request ID middleware β UUID per request attached to
req.requestIdfor log correlation. - Structured logging β
server/logger.jswith JSON format in production, pretty in dev, log levels (error/warn/info/debug). - Enhanced health check β
/api/health/detailedreports uptime, DB status, WebSocket connections, memory usage.
Mobile
Stability
- Error boundaries β reusable
ErrorBoundarycomponent wraps root navigator and all screen groups. Catches render errors, shows fallback UI with "Try Again" button. - 42+ empty catch blocks replaced with
__DEV__-gatedconsole.warnwith context-specific messages. - 123 console calls gated behind
__DEV__check (no more logs in production builds).
Accessibility
- Accessibility labels added to all interactive elements across 6+ screens: RecipeListScreen, RecipeDetailScreen, EditRecipeScreen, ShoppingListScreen, MealPlannerScreen, CookModeScreen, SettingsScreen, CookbookScreen, BottomNav.
- Includes
accessibilityLabel,accessibilityHint,accessibilityRole, andaccessibilityStatefor tabs/checkboxes.
Code Quality
- Deduplicated utilities β
splitLines,parseTimerMins,findAllTimers,buildRecipeObjectextracted to shared modules. - expo-image replaces
react-nativeImage in AssistantScreen and SettingsScreen. - Pressable replaces TouchableOpacity in SwipeableRow for consistency.
- Hardcoded colors in Markdown.js, SwipeableRow.js, VersionBanner.js replaced with theme values.
- Lazy screen loading β heavy screens (TerryVisionScreen, ScanRecipeScreen) use dynamic imports.
- GlobalTimerBar β 1-second interval only runs when active timers exist.
- WebSocket auth β mobile client passes JWT token in connection URL.
DevOps
- GitHub Actions CI/CD β
ci.yml(syntax + tests on push/PR),docker.yml(build + push on tag),mobile.yml(expo-doctor on tag). - Docker β healthcheck fixed, log rotation configured, non-root user, resource limits.
Documentation
- README.md β rewritten with features, tech stack, quick start, architecture overview.
- docs/API.md β all 59 REST API endpoints documented.
- ARCHITECTURE.md β system diagrams, data flows, auth flow, offline strategy, DB schema, security model.
- 22 review reports in
reviews/directory covering code quality, security, database, frontend, DevOps, and performance.
Download: Cegin-v1.3.3.apk (or from GitHub releases)