3.1.1: cookie, healthcheck, and dashboard fixes#14
Merged
Conversation
Shipped compose files never set SESSION_COOKIE_SECURE, so it defaulted to true. Over the plain HTTP these files serve out of the box, the browser silently discards the Secure-flagged login cookie: setup/login look successful, but every following request is unauthenticated and refreshing always drops back to the login screen. Also warn in the logs when a Secure cookie is issued over plain HTTP, and document that custom healthcheck overrides (e.g. for Traefik/Swarm/ k8s health-aware routing) should be removed rather than copied - the image's own healthcheck already targets the unauthenticated /health endpoint without curl. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
3.1.0 accidentally broke pre-existing custom healthchecks (e.g. for Traefik/Swarm/Kubernetes health-aware routing) in two ways: curl was dropped from the image, and /api/v1/system/health was swept behind the new login requirement along with the rest of the system router. A container using such a healthcheck would never report healthy, and health-aware reverse proxies would silently stop routing to it. Split system.router so /health stays public (matching the intent of a health-check endpoint) while /info and /logs stay behind login, and re-add curl so any existing curl-based override keeps working as-is. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
CodeQL flagged both jobs in test.yml for having no permissions block, which leaves GITHUB_TOKEN at its default (broader-than-needed) scope. Neither job needs more than checkout access. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
processor.py's per-entry except blocks never rolled back the session, so a failed enter_giveaway (IntegrityError, "database is locked") would leave it in PendingRollbackError state and silently fail every remaining giveaway in that cycle - the same class of bug fixed earlier in account_service.py. useWebSocket.ts invalidated a "dashboard" query key that no query actually uses (useDashboard keys as ["analytics", "dashboard", id]), so stats_update/scan_complete/entry_success events never refreshed the dashboard - it only ever updated via the 30s poll. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
npm test launches Vitest in watch mode and never exits; use npm run test:run for a one-off pass, matching the rest of the docs. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See CHANGELOG.md [3.1.1] for full details.