Save permissions #15

Merged
kixelated merged 5 commits into main from save-permissions
Aug 15, 2025

@kixelated
Collaborator

No description provided.

- Can enable microphone/webcam.
- Actually performs the same rendering.
- Saves the guest name/avatar/id for rejoining.
@claude

claude bot commented Aug 15, 2025

Claude finished @kixelated's task


Security Review ✅

I've reviewed the PR for bugs and security vulnerabilities. Here are my findings:

Todo List

  • Read CLAUDE.md for repository context
  • Review security-sensitive API files (auth.ts, room.ts, account.ts)
  • Review new local.ts file for potential issues
  • Review frontend changes for security implications
  • Post concise review findings to GitHub comment

Security Issues Found

🟡 Medium: Guest ID Validation Bypass - api/src/room.ts:72-74

const guest = c.req.valid("json").guest;
if (guest?.id.startsWith("guest/")) {
    info = guest;
}

The validation only checks if the ID starts with "guest/" but doesn't validate the full ID format or prevent malicious values in other fields (name, avatar). An attacker could provide arbitrary name or avatar values that might cause issues downstream.

🟡 Medium: Stored XSS via Settings - app/src/settings.tsx:30-40

Settings.guest.set(Api.Account.infoSchema.safeParse(JSON.parse(guestRaw)).data);

Guest account data from localStorage is stored without sanitization and used in UI rendering. If an attacker can control localStorage (e.g., via XSS), they could inject malicious content into the guest name/avatar that gets rendered without escaping.

Clean Areas

  • JWT implementation in auth.ts uses proper validation with jose library
  • File upload validation in account.ts includes size limits and content type checks
  • Media stream access controls appear properly implemented
  • No hardcoded secrets or credentials found

Recommendations

  1. Add validation for guest name/avatar fields beyond just ID prefix checking
  2. Sanitize guest data from localStorage before storing in signals
  3. Ensure all user-provided content is properly escaped when rendered in UI
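
Recommendations 1 and 2 from the review above, as an added example that is not code from this PR or its repository: a guest record is accepted only if every field passes a whole-value check, and a value read back from localStorage goes through the same check. The id alphabet, the length limits, the https-only avatar rule and the names `parseGuest` and `loadGuest` are assumptions.

```typescript
// Added example, not the project's code. Assumed: the id alphabet, the length
// limits and the https-only avatar rule are illustrative, not from the repository.
interface GuestInfo { id: string; name: string; avatar?: string }

const GUEST_ID = /^guest\/[A-Za-z0-9_-]{1,64}$/; // anchored: the whole id, not just its prefix
const MAX_NAME = 64;

function validName(name: unknown): name is string {
  if (typeof name !== "string" || name.length > MAX_NAME) return false;
  // Reject blank names and control characters.
  return name.trim().length > 0 && !/[\u0000-\u001f\u007f]/.test(name);
}

function validAvatar(avatar: unknown): avatar is string {
  if (typeof avatar !== "string" || avatar.length > 2048) return false;
  try {
    // https only: keeps javascript:, data: and other schemes out of URL sinks.
    return new URL(avatar).protocol === "https:";
  } catch {
    return false; // not an absolute URL
  }
}

// Returns a new object holding only validated fields, or undefined.
function parseGuest(input: unknown): GuestInfo | undefined {
  if (typeof input !== "object" || input === null) return undefined;
  const { id, name, avatar } = input as Record<string, unknown>;
  if (typeof id !== "string" || !GUEST_ID.test(id)) return undefined;
  if (!validName(name)) return undefined;
  const guest: GuestInfo = { id, name };
  if (avatar !== undefined) {
    if (!validAvatar(avatar)) return undefined;
    guest.avatar = avatar;
  }
  return guest;
}

// For a value read back from localStorage: bad JSON means "no saved guest".
function loadGuest(raw: string | null): GuestInfo | undefined {
  if (raw === null) return undefined;
  try {
    return parseGuest(JSON.parse(raw));
  } catch {
    return undefined;
  }
}
```

Validation bounds what gets stored and forwarded; the name still has to be rendered as text rather than HTML, which is recommendation 3.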

@kixelated kixelated merged commit c9c6907 into main Aug 15, 2025
1 of 2 checks passed
@kixelated kixelated deleted the save-permissions branch August 15, 2025 18:52
kixelated added a commit that referenced this pull request Oct 14, 2025
* OMG

* So good.

* ez

* Add a better local preview to the join page.

- Can enable microphone/webcam.
- Actually performs the same rendering.
- Saves the guest name/avatar/id for rejoining.
kixelated added a commit that referenced this pull request Oct 14, 2025
* OMG

* So good.

* ez

* Add a better local preview to the join page.

- Can enable microphone/webcam.
- Actually performs the same rendering.
- Saves the guest name/avatar/id for rejoining.


Former-commit-id: f954ad4
kixelated added a commit that referenced this pull request Feb 17, 2026
* OMG

* So good.

* ez

* Add a better local preview to the join page.

- Can enable microphone/webcam.
- Actually performs the same rendering.
- Saves the guest name/avatar/id for rejoining.


Former-commit-id: f954ad4