Skip to content

3.1.1: cookie, healthcheck, and dashboard fixes#14

Merged
Sjeff merged 7 commits into
masterfrom
update-3.1.1
Jul 5, 2026
Merged

3.1.1: cookie, healthcheck, and dashboard fixes#14
Sjeff merged 7 commits into
masterfrom
update-3.1.1

Conversation

@Sjeff

@Sjeff Sjeff commented Jul 5, 2026

Copy link
Copy Markdown
Owner

See CHANGELOG.md [3.1.1] for full details.

Sjeff and others added 7 commits July 4, 2026 20:26
Shipped compose files never set SESSION_COOKIE_SECURE, so it defaulted
to true. Over the plain HTTP these files serve out of the box, the
browser silently discards the Secure-flagged login cookie: setup/login
look successful, but every following request is unauthenticated and
refreshing always drops back to the login screen.

Also warn in the logs when a Secure cookie is issued over plain HTTP,
and document that custom healthcheck overrides (e.g. for Traefik/Swarm/
k8s health-aware routing) should be removed rather than copied - the
image's own healthcheck already targets the unauthenticated /health
endpoint without curl.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
3.1.0 accidentally broke pre-existing custom healthchecks (e.g. for
Traefik/Swarm/Kubernetes health-aware routing) in two ways: curl was
dropped from the image, and /api/v1/system/health was swept behind
the new login requirement along with the rest of the system router.
A container using such a healthcheck would never report healthy, and
health-aware reverse proxies would silently stop routing to it.

Split system.router so /health stays public (matching the intent of
a health-check endpoint) while /info and /logs stay behind login, and
re-add curl so any existing curl-based override keeps working as-is.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
CodeQL flagged both jobs in test.yml for having no permissions block,
which leaves GITHUB_TOKEN at its default (broader-than-needed) scope.
Neither job needs more than checkout access.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
processor.py's per-entry except blocks never rolled back the session,
so a failed enter_giveaway (IntegrityError, "database is locked")
would leave it in PendingRollbackError state and silently fail every
remaining giveaway in that cycle - the same class of bug fixed
earlier in account_service.py.

useWebSocket.ts invalidated a "dashboard" query key that no query
actually uses (useDashboard keys as ["analytics", "dashboard", id]),
so stats_update/scan_complete/entry_success events never refreshed
the dashboard - it only ever updated via the 30s poll.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
npm test launches Vitest in watch mode and never exits; use
npm run test:run for a one-off pass, matching the rest of the docs.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@Sjeff Sjeff changed the title Update 3.1.1 3.1.1: cookie, healthcheck, and dashboard fixes Jul 5, 2026
@Sjeff
Sjeff merged commit 5c562a7 into master Jul 5, 2026
6 checks passed
@Sjeff
Sjeff deleted the update-3.1.1 branch July 5, 2026 12:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant