yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: remaining code issues — TLS, CORS, disconnect safety, cleanup
Some checks failed
Security Checks / dockerfile-lint (push) Successful in 10s
Details
Security Checks / dependency-audit (push) Failing after 19m48s
Details
Security Checks / secret-scanning (push) Failing after 17m18s
Details

Browse Source 
1. Trips TLS: Removed all ssl CERT_NONE / check_hostname=False from
   5 external HTTPS call sites (OpenAI, Gemini, Google Places, Geocode).
   All external calls now use default TLS verification.

2. Internal CORS: Removed permissive cors() from inventory and budget.
   Both are internal services accessed only via gateway.

3. App visibility: Documented as cosmetic-only in layout.server.ts.
   Nav hiding is intentional UX, not access control.

4. Disconnect safety: Added confirm() dialog before service disconnect
   in Settings. Prevents accidental disconnects.

5. Inventory cleanup: Removed stale /test startup log message.
   Replaced with API key status indicator.

6. Frontend deps: 4 low-severity cookie vulnerabilities in @sveltejs/kit.
   Fix requires breaking downgrade to kit@0.0.30 — not safe. Documented.
This commit is contained in:
Yusuf Suleman
2026-03-29 15:38:42 -05:00
parent ac5c758056
commit 877021ff20
6 changed files with 90 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
frontend-v2/src/routes/(app)/+layout.server.ts
View File

@@ -18,8 +18,10 @@ export const load: LayoutServerLoad = async ({ cookies, url }) => {
if (res.ok) {
const data = await res.json();
if (data.authenticated) {
// Per-user nav visibility — hide apps not relevant to this user
// Apps not in this list are hidden from nav (but still accessible via URL)
// Per-user nav visibility — COSMETIC ONLY.
// Hides nav items but does NOT block direct URL access.
// This is intentional: all shared services are accessible to all authenticated users.
// Hiding reduces clutter for users who don't need certain apps day-to-day.
const allApps = ['trips', 'fitness', 'inventory', 'budget', 'reader', 'media'];
const hiddenByUser: Record<string, string[]> = {
'madiha': ['inventory', 'reader'],

2
frontend-v2/src/routes/(app)/settings/+page.svelte
View File

@@ -110,6 +110,8 @@
}
async function disconnectService(serviceId: string) {
const appName = apps.find(a => a.id === serviceId)?.name || serviceId;
if (!confirm(`Disconnect ${appName}? You will need to reconnect it to use this service again.`)) return;
await fetch('/api/me/connections', {
method: 'POST', credentials: 'include',
headers: { 'Content-Type': 'application/json' },