feat: implement 33 nice-to-have features + fix 37 code review bugs
5 SDD batches archived: - Batch 1: UI Polish (10 features, 14 tasks) - Batch 2: Study System (8 features, 23 tasks) - Batch 3: Infrastructure (5 features, 22 tasks) - Batch 4: AI Advanced (5 features, 30 tasks) — RAG with @xenova/transformers - Batch 5: Core Features (5 features, 19 tasks) 37 bugs fixed from comprehensive code review (11 CRITICAL, 12 HIGH, 14 MEDIUM/LOW): - SSE streaming now works (event.token check) - API keys no longer exposed via GET /api/models - FTS5 injection sanitized - DB backup/restore with admin auth - Buddy mode wired (buddy_meta column) - Exam auto-submit stale closure fixed - CSS variables aligned with design tokens - Progress data corruption fixed - WebSocket protocol auto-detection - Tests infrastructure completed (vitest + node:test)
This commit is contained in:
renato97
@@ -1,7 +1,24 @@
|
||||
const express = require('express');
|
||||
const fs = require('fs');
|
||||
const path = require('path');
|
||||
const multer = require('multer');
|
||||
const db = require('../db');
|
||||
const router = express.Router();
|
||||
|
||||
const DB_PATH = path.resolve(__dirname, '..', '..', 'data', 'studyos.db');
|
||||
const SQLITE_MAGIC = Buffer.from('SQLite format 3\0', 'utf8');
|
||||
const upload = multer({ storage: multer.memoryStorage(), limits: { fileSize: 500 * 1024 * 1024 } });
|
||||
|
||||
function checkAdminKey(req, res) {
|
||||
const adminKey = process.env.ADMIN_KEY || 'studyos-admin';
|
||||
const headerKey = req.headers['x-admin-key'];
|
||||
if (!headerKey || headerKey !== adminKey) {
|
||||
res.status(403).json({ error: 'Forbidden: invalid or missing admin key' });
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
// GET /api/config — all key-value pairs
|
||||
router.get('/', (req, res) => {
|
||||
try {
|
||||
@@ -46,6 +63,13 @@ router.post('/test-vlm', async (req, res) => {
|
||||
return res.status(400).json({ error: 'url is required' });
|
||||
}
|
||||
|
||||
// SSRF protection: only allow URLs matching the configured VLM endpoint
|
||||
const vlmConfig = db.prepare("SELECT value FROM config WHERE key = 'vlm_endpoint'").get();
|
||||
const allowed = (vlmConfig?.value || '').replace(/\/+$/, '');
|
||||
if (!url.startsWith(allowed)) {
|
||||
return res.status(400).json({ error: 'URL must match configured VLM endpoint' });
|
||||
}
|
||||
|
||||
const start = Date.now();
|
||||
try {
|
||||
const resp = await fetch(url, { method: 'HEAD', signal: AbortSignal.timeout(5000) });
|
||||
@@ -63,4 +87,25 @@ router.post('/test-vlm', async (req, res) => {
|
||||
}
|
||||
});
|
||||
|
||||
router.get('/backup', (req, res) => {
|
||||
if (!checkAdminKey(req, res)) return;
|
||||
if (!fs.existsSync(DB_PATH)) return res.status(404).json({ error: 'No database' });
|
||||
res.setHeader('Content-Type', 'application/octet-stream');
|
||||
res.setHeader('Content-Disposition', 'attachment; filename="studyos.db"');
|
||||
fs.createReadStream(DB_PATH).pipe(res);
|
||||
});
|
||||
|
||||
router.post('/restore', upload.single('file'), (req, res) => {
|
||||
if (!checkAdminKey(req, res)) return;
|
||||
if (!req.file) return res.status(400).json({ error: 'No file uploaded' });
|
||||
const buf = req.file.buffer;
|
||||
if (buf.length < 16 || !buf.slice(0, 16).equals(SQLITE_MAGIC)) {
|
||||
return res.status(400).json({ error: 'Not a valid SQLite database' });
|
||||
}
|
||||
const tmpPath = DB_PATH + '.tmp';
|
||||
fs.writeFileSync(tmpPath, buf);
|
||||
fs.renameSync(tmpPath, DB_PATH);
|
||||
res.json({ ok: true, message: 'Restore complete — reload required' });
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
|
||||
Reference in New Issue
Block a user