posimai
09ebd18b1e
feat: add Google and GitHub OAuth login endpoints
2026-04-04 17:25:26 +09:00
posimai
9e6a2987ed
fix: security hardening - XSS, SSRF, proxy auth, Syncthing config
...
- server.js: add escapeHtml() and apply to meta.title / error messages (XSS)
- server.js: add startup error log when JWT_SECRET uses insecure default
- posimai-dev/server.js: add URL validation to /api/check to block SSRF
(blocks cloud metadata IPs, non-http/https protocols)
- ponshu_room_lite/tools/proxy/server.js: remove auth bypass when
PROXY_AUTH_TOKEN is unset; server now exits on startup if token missing
- .gitignore: add *.sync-conflict-* to prevent Syncthing conflict files
- .stignore: create Syncthing ignore file to exclude .git, node_modules,
.env from sync (fixes root cause of .git directory sync-conflict files)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 08:15:45 +09:00
posimai
8d9f4e22b0
feat: extend /health endpoint with OS metrics for Station cockpit
2026-04-02 19:18:14 +09:00
posimai
b61831d3a2
feat: posimai-dev — aurora terminal, systemd service, atlas sync, master-architecture update
2026-03-31 00:25:44 +09:00
posimai
8902828a5d
fix: update public URL log to api.soar-enrich.com
2026-03-26 23:06:06 +09:00
posimai
7454b0eda5
feat: add Magic Link + Passkey (WebAuthn) authentication to server.js
...
- Add JWT session auth (jsonwebtoken v9) alongside legacy API key auth
- Magic Link: POST /auth/magic-link/send + GET /auth/magic-link/verify
- Passkey: register/begin+finish, login/begin+finish endpoints
- Session: GET /auth/session/verify, DELETE /auth/session
- Passkey management: GET/DELETE /auth/passkeys
- New DB tables: magic_link_tokens, passkey_credentials, auth_sessions,
magic_link_rate_limit, webauthn_user_handles
- Users table: add email + email_verified columns (migration)
- Rate limiting on magic link sends (3 per 10min per email)
- Resend email integration (stubbed until DNS verified)
- SimpleWebAuthn v13 (ESM) loaded via dynamic import
- authMiddleware: JWT-first, fallback to API key (backward compat)
- WEBAUTHN_RP_ID/ORIGINS/JWT_SECRET configurable via env vars
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 08:31:11 +09:00
posimai
db4674df36
fix: update public URL to posimai.soar-enrich.com in server.js log
2026-03-25 23:23:02 +09:00
posimai
df0e1b66ad
fix: TTS pre-warm — prioritize user requests, fix cache key mismatch
...
- Split preWarmBusy from ttsBusy so user requests are never blocked by pre-warm
- /tts endpoint waits up to 6s for pre-warm synthesis then proceeds
- Pre-warm skips articles when user is actively using TTS
- Fix text format to match Brief exactly (remove substring(60), fix source fallback)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 18:23:29 +09:00
posimai
c73f4f3180
feat: add /feed/media CRUD endpoints to server.js
...
Adds GET/POST/PATCH/DELETE for feed_media table, bringing git in sync
with the deployed Synology version. Safe to deploy-server.sh after this.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 17:06:14 +09:00
posimai
e7ccd829f6
fix: Pulse UPSERT COALESCE — prevent partial POST from wiping other metrics
...
ON CONFLICT DO UPDATE now uses COALESCE($3, pulse_log.mood) etc.
so sending only {mood:3} no longer sets energy/focus to NULL.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 23:01:18 +09:00
posimai
b8b26373dd
chore: update claude-settings.json (memory-push hook) and server.js backup
2026-03-18 00:07:40 +09:00
posimai
9c892e723a
chore: remove emoji from server.js comments and startup log
2026-03-17 18:10:55 +09:00
posimai
a60dda9528
fix: add URL protocol validation and reaction type validation
2026-03-17 17:26:59 +09:00
posimai
9e1a817ed6
chore: initial backup of root config, templates, and server source
...
Backs up CLAUDE.md, _template/, deploy-server.sh, scripts/, server.js
to posimai-root repository for disaster recovery.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 17:19:20 +09:00
posimai