platform

yusiboyz/platform

Fork 0

Commit Graph

Author	SHA1	Message	Date
Yusuf Suleman	7c05ef14c7	fix(gateway): remove no-verify SSL context from proxy (#7 ) Some checks failed Security Checks / dependency-audit (push) Has been cancelled Details Security Checks / secret-scanning (push) Has been cancelled Details Security Checks / dockerfile-lint (push) Has been cancelled Details All internal services use plain HTTP (Docker network). The _internal_ssl_ctx with disabled cert verification was a no-op for HTTP URLs but suggested TLS bypass was in use. - Removed _internal_ssl_ctx from config.py - Removed ssl import from config.py - proxy.py now calls urlopen() without context parameter - External calls (OpenAI, SMTP2GO, Open Library) already use default TLS verification Verified: dashboard, trips, fitness, budget, inventory all respond correctly.	2026-03-29 13:46:11 -05:00
Yusuf Suleman	72747668f9	fix: remaining security and deployment hardening (#6 #7 #10 ) #7 Transport Security: - Removed legacy _ssl_ctx alias from config.py - proxy.py now uses _internal_ssl_ctx directly (explicitly scoped) - No global TLS bypass remains #10 Deployment Hardening: - Inventory Dockerfile: non-root (node user), health check, production deps - Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready - Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check - Added /health endpoints to inventory and budget (before auth middleware) - All 6 containers now run as non-root with health checks All services verified: gateway, trips, fitness, inventory, budget, frontend	2026-03-29 09:35:39 -05:00
Yusuf Suleman	7cd81181ed	Refactor gateway into modular architecture Split 1878-line server.py into 15 focused modules: - config.py: all env vars and constants - database.py: schema, init, seed logic - sessions.py: session/token CRUD - proxy.py: proxy_request, SERVICE_MAP, resolve_service - responses.py: ResponseMixin for handler helpers - auth.py: login/logout/register handlers - dashboard.py: dashboard, apps, connections, pinning - command.py: AI command bar - integrations/booklore.py: auth, books, cover, import - integrations/kindle.py: send-to-kindle, file finder - integrations/karakeep.py: save/delete bookmarks - integrations/qbittorrent.py: download status - integrations/image_proxy.py: external image proxy server.py is now thin routing only (~344 lines). All routes, methods, status codes, and responses preserved exactly. Added PYTHONUNBUFFERED=1 to Dockerfile for live logging.	2026-03-29 00:14:46 -05:00

Author

SHA1

Message

Date

Yusuf Suleman

7c05ef14c7

fix(gateway): remove no-verify SSL context from proxy (#7 )

Security Checks / dependency-audit (push) Has been cancelled

Details

Security Checks / secret-scanning (push) Has been cancelled

Details

Security Checks / dockerfile-lint (push) Has been cancelled

Details

All internal services use plain HTTP (Docker network). The
_internal_ssl_ctx with disabled cert verification was a no-op
for HTTP URLs but suggested TLS bypass was in use.

- Removed _internal_ssl_ctx from config.py
- Removed ssl import from config.py
- proxy.py now calls urlopen() without context parameter
- External calls (OpenAI, SMTP2GO, Open Library) already use
  default TLS verification

Verified: dashboard, trips, fitness, budget, inventory all respond correctly.

2026-03-29 13:46:11 -05:00

Yusuf Suleman

72747668f9

fix: remaining security and deployment hardening (#6 #7 #10 )

#7 Transport Security:
- Removed legacy _ssl_ctx alias from config.py
- proxy.py now uses _internal_ssl_ctx directly (explicitly scoped)
- No global TLS bypass remains

#10 Deployment Hardening:
- Inventory Dockerfile: non-root (node user), health check, production deps
- Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready
- Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check
- Added /health endpoints to inventory and budget (before auth middleware)
- All 6 containers now run as non-root with health checks

All services verified: gateway, trips, fitness, inventory, budget, frontend

2026-03-29 09:35:39 -05:00

Yusuf Suleman

7cd81181ed

Refactor gateway into modular architecture

Split 1878-line server.py into 15 focused modules:
- config.py: all env vars and constants
- database.py: schema, init, seed logic
- sessions.py: session/token CRUD
- proxy.py: proxy_request, SERVICE_MAP, resolve_service
- responses.py: ResponseMixin for handler helpers
- auth.py: login/logout/register handlers
- dashboard.py: dashboard, apps, connections, pinning
- command.py: AI command bar
- integrations/booklore.py: auth, books, cover, import
- integrations/kindle.py: send-to-kindle, file finder
- integrations/karakeep.py: save/delete bookmarks
- integrations/qbittorrent.py: download status
- integrations/image_proxy.py: external image proxy

server.py is now thin routing only (~344 lines).
All routes, methods, status codes, and responses preserved exactly.
Added PYTHONUNBUFFERED=1 to Dockerfile for live logging.

2026-03-29 00:14:46 -05:00

3 Commits