Skip to content

Dev#12

Merged
koishi510 merged 5 commits into
mainfrom
dev
Jan 26, 2026
Merged

Dev#12
koishi510 merged 5 commits into
mainfrom
dev

Conversation

@koishi510
Copy link
Copy Markdown
Owner

@koishi510 koishi510 commented Jan 26, 2026

关联 Issue

变更概述

变更类型

  • 新功能 (New Feature)
  • 缺陷修复 (Bug Fix)
  • 代码重构 (Refactor)
  • 性能优化 (Performance)
  • 文档更新 (Documentation)
  • 依赖或配置调整 (Dependency / Configuration)

自测清单

  • 代码已在本地环境运行测试,功能逻辑符合预期。
  • 已执行格式化与静态检查:uv run ruff format .uv run ruff check . --fix
  • 已执行类型检查:uv run mypy .
  • (如涉及依赖变更) 已运行 uv sync 并提交了更新后的 uv.lock 文件。
  • 提交的代码已移除所有临时的调试输出 (print/log)。
  • 本次变更已包含必要的单元测试或文档更新。

测试步骤

  1. 拉取分支并同步环境: uv sync
  2. 运行指令: ...
  3. 操作步骤: ...

@koishi510 koishi510 requested a review from 4rthurCai as a code owner January 26, 2026 12:49
@koishi510 koishi510 closed this Jan 26, 2026
@koishi510 koishi510 reopened this Jan 26, 2026
@koishi510 koishi510 merged commit 0df2da8 into main Jan 26, 2026
6 checks passed
4rthurCai added a commit that referenced this pull request Mar 15, 2026
@4rthurCai
fix(backend): security hardening and PR #167 review fixes
3228472 
- CORS: disable credentials when origins is wildcard (#1)
- Token blacklist: evict expired entries before dropping new tokens (#3)
- Static files: add security headers, block dangerous file types (#5)
- HSTS: add Strict-Transport-Security header (#6)
- HTML sanitization: escape user content in community service (#10)
- Security logging: log auth failures, admin ops, JWT errors (#12)
- Guest sessions: HMAC-sign session IDs to prevent spoofing (#15)
- AI credentials: read from env vars instead of hardcoding (#16)
- Cache-Control: add no-store for API responses (#17)
- URL validation: reject non-HTTP(S) URLs in chat search (#19)
- Like endpoints: split POST/DELETE into idempotent AddLike/RemoveLike (PR #167)
koishi510 pushed a commit that referenced this pull request Mar 15, 2026
@4rthurCai @koishi510
fix(backend): security hardening and PR #167 review fixes
9b53756 
- CORS: disable credentials when origins is wildcard (#1)
- Token blacklist: evict expired entries before dropping new tokens (#3)
- Static files: add security headers, block dangerous file types (#5)
- HSTS: add Strict-Transport-Security header (#6)
- HTML sanitization: escape user content in community service (#10)
- Security logging: log auth failures, admin ops, JWT errors (#12)
- Guest sessions: HMAC-sign session IDs to prevent spoofing (#15)
- AI credentials: read from env vars instead of hardcoding (#16)
- Cache-Control: add no-store for API responses (#17)
- URL validation: reject non-HTTP(S) URLs in chat search (#19)
- Like endpoints: split POST/DELETE into idempotent AddLike/RemoveLike (PR #167)
koishi510 pushed a commit that referenced this pull request Mar 15, 2026
@4rthurCai @koishi510
fix(backend): security hardening and PR #167 review fixes
639a103 
- CORS: disable credentials when origins is wildcard (#1)
- Token blacklist: evict expired entries before dropping new tokens (#3)
- Static files: add security headers, block dangerous file types (#5)
- HSTS: add Strict-Transport-Security header (#6)
- HTML sanitization: escape user content in community service (#10)
- Security logging: log auth failures, admin ops, JWT errors (#12)
- Guest sessions: HMAC-sign session IDs to prevent spoofing (#15)
- AI credentials: read from env vars instead of hardcoding (#16)
- Cache-Control: add no-store for API responses (#17)
- URL validation: reject non-HTTP(S) URLs in chat search (#19)
- Like endpoints: split POST/DELETE into idempotent AddLike/RemoveLike (PR #167)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@4rthurCai 4rthurCai Awaiting requested review from 4rthurCai 4rthurCai is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@koishi510