yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: remaining code issues — TLS, CORS, disconnect safety, cleanup
Some checks failed
Security Checks / dockerfile-lint (push) Successful in 10s
Details
Security Checks / dependency-audit (push) Failing after 19m48s
Details
Security Checks / secret-scanning (push) Failing after 17m18s
Details

Browse Source 
1. Trips TLS: Removed all ssl CERT_NONE / check_hostname=False from
   5 external HTTPS call sites (OpenAI, Gemini, Google Places, Geocode).
   All external calls now use default TLS verification.

2. Internal CORS: Removed permissive cors() from inventory and budget.
   Both are internal services accessed only via gateway.

3. App visibility: Documented as cosmetic-only in layout.server.ts.
   Nav hiding is intentional UX, not access control.

4. Disconnect safety: Added confirm() dialog before service disconnect
   in Settings. Prevents accidental disconnects.

5. Inventory cleanup: Removed stale /test startup log message.
   Replaced with API key status indicator.

6. Frontend deps: 4 low-severity cookie vulnerabilities in @sveltejs/kit.
   Fix requires breaking downgrade to kit@0.0.30 — not safe. Documented.
This commit is contained in:
Yusuf Suleman
2026-03-29 15:38:42 -05:00
parent ac5c758056
commit 877021ff20
6 changed files with 90 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
services/budget/server.js
View File

@@ -8,7 +8,7 @@ const cors = require('cors');
const api = require('@actual-app/api');
const app = express();
app.use(cors());
// CORS disabled — internal service accessed only via gateway
app.use(express.json());
// Health check (before auth middleware)