11 files changed, 493 insertions, 0 deletions
diff --git a/src/lib/Utility/anilistOauth.ts b/src/lib/Utility/anilistOauth.ts
new file mode 100644
index 00000000..9bb570fb
--- /dev/null
+++ b/src/lib/Utility/anilistOauth.ts
@@ -0,0 +1,27 @@
+import { env } from "$env/dynamic/private";
+import { env as publicEnv } from "$env/dynamic/public";
+
+// Exchange a refresh token for a fresh access token WITHOUT touching the auth
+// cookie — used by the RSS feed, which is polled by an unattended reader that
+// has no session, so there is no cookie to re-set.
+export const refreshAniListToken = async (
+	refreshToken: string,
+): Promise<string | null> => {
+	const formData = new FormData();
+
+	formData.append("grant_type", "refresh_token");
+	formData.append("client_id", publicEnv.PUBLIC_ANILIST_CLIENT_ID as string);
+	formData.append("client_secret", env.ANILIST_CLIENT_SECRET as string);
+	formData.append("refresh_token", refreshToken);
+
+	const response = await fetch("https://anilist.co/api/v2/oauth/token", {
+		method: "POST",
+		body: formData,
+	});
+
+	if (!response.ok) return null;
+
+	const payload = (await response.json()) as { access_token?: string };
+
+	return payload.access_token ?? null;
+};
diff --git a/src/lib/Utility/authorisation.test.ts b/src/lib/Utility/authorisation.test.ts
new file mode 100644
index 00000000..0027782b
--- /dev/null
+++ b/src/lib/Utility/authorisation.test.ts
@@ -0,0 +1,20 @@
+import { describe, expect, it } from "vitest";
+import { isOwnerOrPrivileged } from "./authorisation";
+
+describe("isOwnerOrPrivileged", () => {
+	it("allows the owner to act on their own resources", () => {
+		expect(isOwnerOrPrivileged(7, 7, false)).toBe(true);
+	});
+
+	it("allows a privileged user to act on anyone", () => {
+		expect(isOwnerOrPrivileged(7, 999, true)).toBe(true);
+	});
+
+	it("blocks a non-privileged user acting on someone else (the IDOR case)", () => {
+		expect(isOwnerOrPrivileged(7, 999, false)).toBe(false);
+	});
+
+	it("allows a privileged owner (both conditions)", () => {
+		expect(isOwnerOrPrivileged(7, 7, true)).toBe(true);
+	});
+});
diff --git a/src/lib/Utility/authorisation.ts b/src/lib/Utility/authorisation.ts
new file mode 100644
index 00000000..c6b64414
--- /dev/null
+++ b/src/lib/Utility/authorisation.ts
@@ -0,0 +1,9 @@
+/**
+ * Whether a caller may act on resources belonging to `targetUserId`: either the
+ * caller owns them, or the caller is a privileged (allow-listed) user.
+ */
+export const isOwnerOrPrivileged = (
+	callerUserId: number,
+	targetUserId: number,
+	privileged: boolean,
+) => privileged || callerUserId === targetUserId;
diff --git a/src/lib/Utility/feedToken.test.ts b/src/lib/Utility/feedToken.test.ts
new file mode 100644
index 00000000..ffcb5fd7
--- /dev/null
+++ b/src/lib/Utility/feedToken.test.ts
@@ -0,0 +1,44 @@
+import { describe, expect, it } from "vitest";
+import { decryptFeedToken, encryptFeedToken } from "./feedToken";
+
+// Fixed 32-byte keys so the cipher is exercised without the FEED_TOKEN_KEY env
+// var (production omits the key argument and reads it from env).
+const key = new Uint8Array(32).fill(7);
+const otherKey = new Uint8Array(32).fill(9);
+
+describe("feed token", () => {
+	// Behaviour gate: the feed must still resolve to the same refresh token it
+	// was minted from, and the cleartext must never appear in the URL blob.
+	it("round-trips the refresh token without leaking it", async () => {
+		const refreshToken = "anilist-refresh-token-abc123";
+		const sealed = await encryptFeedToken(refreshToken, key);
+
+		expect(sealed).not.toContain(refreshToken);
+		expect(await decryptFeedToken(sealed, key)).toBe(refreshToken);
+	});
+
+	it("produces a fresh ciphertext each time (random IV)", async () => {
+		expect(await encryptFeedToken("same-token", key)).not.toBe(
+			await encryptFeedToken("same-token", key),
+		);
+	});
+
+	it("rejects a token sealed with a different key", async () => {
+		const sealed = await encryptFeedToken("secret", otherKey);
+
+		expect(await decryptFeedToken(sealed, key)).toBeNull();
+	});
+
+	it("rejects a tampered ciphertext", async () => {
+		const sealed = await encryptFeedToken("secret", key);
+		const tampered = `${sealed[0] === "A" ? "B" : "A"}${sealed.slice(1)}`;
+
+		expect(await decryptFeedToken(tampered, key)).toBeNull();
+	});
+
+	it("rejects malformed input", async () => {
+		expect(await decryptFeedToken("", key)).toBeNull();
+		expect(await decryptFeedToken("short", key)).toBeNull();
+		expect(await decryptFeedToken("not valid base64url!!", key)).toBeNull();
+	});
+});
diff --git a/src/lib/Utility/feedToken.ts b/src/lib/Utility/feedToken.ts
new file mode 100644
index 00000000..1d26a443
--- /dev/null
+++ b/src/lib/Utility/feedToken.ts
@@ -0,0 +1,96 @@
+import { env } from "$env/dynamic/private";
+
+// Authenticated encryption (AES-256-GCM) for the RSS feed token. The plaintext
+// is the user's long-lived AniList refresh token; the ciphertext is what travels
+// in the public feed URL (?feed=). Without FEED_TOKEN_KEY (server-only) the blob
+// is opaque and tamper-evident, so a leaked feed URL exposes no usable
+// credential — unlike the old ?token=&refresh= form that carried them in clear.
+//
+// WebCrypto (not node:crypto) so the byte types stay Uint8Array — the repo's
+// bun-types make node's Buffer structurally incompatible with crypto params.
+
+const IV_BYTES = 12;
+const TAG_BYTES = 16;
+const KEY_BYTES = 32;
+
+// WebCrypto's BufferSource requires the non-shared ArrayBuffer variant; the bare
+// Uint8Array generic defaults to ArrayBufferLike, which the crypto types reject.
+type KeyBytes = Uint8Array<ArrayBuffer>;
+
+const bytesFromBase64 = (text: string) =>
+	Uint8Array.from(atob(text), (character) => character.charCodeAt(0));
+
+const base64UrlFromBytes = (bytes: Uint8Array): string =>
+	btoa(String.fromCharCode(...bytes))
+		.replaceAll("+", "-")
+		.replaceAll("/", "_")
+		.replaceAll("=", "");
+
+const bytesFromBase64Url = (text: string) =>
+	bytesFromBase64(text.replaceAll("-", "+").replaceAll("_", "/"));
+
+const requireKeyBytes = (): KeyBytes => {
+	const encoded = env.FEED_TOKEN_KEY;
+
+	if (!encoded) throw new Error("FEED_TOKEN_KEY is not set");
+
+	const bytes = bytesFromBase64(encoded);
+
+	if (bytes.length !== KEY_BYTES)
+		throw new Error(`FEED_TOKEN_KEY must decode to ${KEY_BYTES} bytes`);
+
+	return bytes;
+};
+
+const importKey = (keyBytes: KeyBytes): Promise<CryptoKey> =>
+	crypto.subtle.importKey("raw", keyBytes, "AES-GCM", false, [
+		"encrypt",
+		"decrypt",
+	]);
+
+// The optional keyBytes parameter lets the unit test exercise the cipher with a
+// fixed key; production callers omit it and the env key is loaded.
+export const encryptFeedToken = async (
+	refreshToken: string,
+	keyBytes: KeyBytes = requireKeyBytes(),
+): Promise<string> => {
+	const key = await importKey(keyBytes);
+	const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
+	const ciphertext = new Uint8Array(
+		await crypto.subtle.encrypt(
+			{ name: "AES-GCM", iv },
+			key,
+			new TextEncoder().encode(refreshToken),
+		),
+	);
+	const framed = new Uint8Array(iv.length + ciphertext.length);
+
+	framed.set(iv, 0);
+	framed.set(ciphertext, iv.length);
+
+	return base64UrlFromBytes(framed);
+};
+
+export const decryptFeedToken = async (
+	blob: string,
+	keyBytes: KeyBytes = requireKeyBytes(),
+): Promise<string | null> => {
+	try {
+		const framed = bytesFromBase64Url(blob);
+
+		if (framed.length < IV_BYTES + TAG_BYTES) return null;
+
+		const key = await importKey(keyBytes);
+		const iv = framed.subarray(0, IV_BYTES);
+		const ciphertext = framed.subarray(IV_BYTES);
+		const plaintext = await crypto.subtle.decrypt(
+			{ name: "AES-GCM", iv },
+			key,
+			ciphertext,
+		);
+
+		return new TextDecoder().decode(plaintext);
+	} catch {
+		return null;
+	}
+};
diff --git a/src/lib/Utility/pushEndpoint.test.ts b/src/lib/Utility/pushEndpoint.test.ts
new file mode 100644
index 00000000..5a2e90c8
--- /dev/null
+++ b/src/lib/Utility/pushEndpoint.test.ts
@@ -0,0 +1,49 @@
+import { describe, expect, it } from "vitest";
+import { isAllowedPushEndpoint } from "./pushEndpoint";
+
+describe("isAllowedPushEndpoint", () => {
+	// Behaviour gate: real subscriptions minted by the browser must keep working.
+	it("allows genuine vendor push endpoints", () => {
+		expect(
+			isAllowedPushEndpoint("https://fcm.googleapis.com/fcm/send/abc123"),
+		).toBe(true);
+		expect(
+			isAllowedPushEndpoint(
+				"https://updates.push.services.mozilla.com/wpush/v2/abc",
+			),
+		).toBe(true);
+		expect(isAllowedPushEndpoint("https://web.push.apple.com/QABC/def")).toBe(
+			true,
+		);
+		expect(
+			isAllowedPushEndpoint("https://db5p.notify.windows.com/w/?token=abc"),
+		).toBe(true);
+	});
+
+	// The fix: arbitrary / internal / non-https endpoints must not be reachable.
+	it("blocks SSRF and non-vendor endpoints", () => {
+		expect(isAllowedPushEndpoint("http://fcm.googleapis.com/fcm/send/x")).toBe(
+			false,
+		); // not https
+		expect(isAllowedPushEndpoint("https://evil.example.com/collect")).toBe(
+			false,
+		);
+		expect(
+			isAllowedPushEndpoint("http://169.254.169.254/latest/meta-data"),
+		).toBe(false); // cloud metadata
+		expect(isAllowedPushEndpoint("http://localhost:8080/internal")).toBe(false);
+		expect(isAllowedPushEndpoint("https://127.0.0.1/internal")).toBe(false);
+		expect(isAllowedPushEndpoint("http://10.0.0.5/admin")).toBe(false);
+	});
+
+	it("rejects look-alike hostnames", () => {
+		expect(isAllowedPushEndpoint("https://fcm.googleapis.com.evil.com/x")).toBe(
+			false,
+		);
+		expect(isAllowedPushEndpoint("https://notfcm.googleapis.com/x")).toBe(
+			false,
+		);
+		expect(isAllowedPushEndpoint("not a url")).toBe(false);
+		expect(isAllowedPushEndpoint("")).toBe(false);
+	});
+});
diff --git a/src/lib/Utility/pushEndpoint.ts b/src/lib/Utility/pushEndpoint.ts
new file mode 100644
index 00000000..702164ae
--- /dev/null
+++ b/src/lib/Utility/pushEndpoint.ts
@@ -0,0 +1,26 @@
+/**
+ * Web Push endpoints are minted by the browser's PushManager and always point at
+ * a known vendor push service — the user and the app never choose them. Limiting
+ * outbound delivery to these hosts stops the notifications job from being used as
+ * an SSRF primitive: a stored subscription with an arbitrary `endpoint` would
+ * otherwise have the worker POST to any URL, including internal/metadata hosts.
+ */
+const allowedPushHosts: RegExp[] = [
+	/^fcm\.googleapis\.com$/, // Chrome, Edge, Brave, Opera, Samsung Internet
+	/(^|\.)push\.services\.mozilla\.com$/, // Firefox
+	/^web\.push\.apple\.com$/, // Safari / Apple
+	/(^|\.)notify\.windows\.com$/, // legacy Edge / Windows (WNS)
+];
+
+export const isAllowedPushEndpoint = (endpoint: string): boolean => {
+	try {
+		const url = new URL(endpoint);
+
+		return (
+			url.protocol === "https:" &&
+			allowedPushHosts.some((host) => host.test(url.hostname))
+		);
+	} catch {
+		return false;
+	}
+};
diff --git a/src/lib/Utility/sanitizeCss.test.ts b/src/lib/Utility/sanitizeCss.test.ts
new file mode 100644
index 00000000..f6c22364
--- /dev/null
+++ b/src/lib/Utility/sanitizeCss.test.ts
@@ -0,0 +1,76 @@
+import { describe, expect, it } from "vitest";
+import { sanitizeBadgeWallCss } from "./sanitizeCss";
+
+describe("sanitizeBadgeWallCss", () => {
+	// Behaviour gate: the CSS people actually write for their badge wall survives.
+	it("preserves ordinary rules, declarations and values", () => {
+		const out = sanitizeBadgeWallCss(
+			".badge { color: red; opacity: 0.5; border-radius: 8px; }",
+		);
+
+		expect(out).toContain("color");
+		expect(out).toContain("red");
+		expect(out).toContain("border-radius");
+	});
+
+	it("preserves backdrop-filter, content, url() and at-rules", () => {
+		expect(
+			sanitizeBadgeWallCss(".x { backdrop-filter: blur(4px); }"),
+		).toContain("backdrop-filter");
+		expect(sanitizeBadgeWallCss('.x::before { content: "★"; }')).toContain(
+			"content",
+		);
+		expect(
+			sanitizeBadgeWallCss(
+				".x { background: url(https://cdn.due.moe/a.png); }",
+			),
+		).toContain("url(https://cdn.due.moe/a.png)");
+		expect(
+			sanitizeBadgeWallCss("@media (min-width: 1px) { .x { color: blue; } }"),
+		).toContain("@media");
+		expect(
+			sanitizeBadgeWallCss(
+				"@keyframes spin { from { transform: rotate(0); } to { transform: rotate(360deg); } }",
+			),
+		).toContain("@keyframes");
+	});
+
+	it("returns empty string for nullish input", () => {
+		expect(sanitizeBadgeWallCss("")).toBe("");
+		// @ts-expect-error exercising defensive nullish handling
+		expect(sanitizeBadgeWallCss(undefined)).toBe("");
+	});
+
+	// The fix: dangerous constructs are removed while surrounding CSS is kept.
+	it("strips @import, behavior, -moz-binding, expression and js: urls", () => {
+		const imported = sanitizeBadgeWallCss(
+			"@import url(https://evil.example.com/x.css); .x { color: red; }",
+		);
+		expect(imported).not.toContain("@import");
+		expect(imported).toContain("color");
+
+		expect(
+			sanitizeBadgeWallCss(".x { behavior: url(evil.htc); color: red; }"),
+		).not.toContain("behavior");
+		expect(
+			sanitizeBadgeWallCss(".x { -moz-binding: url(evil.xml#x); }"),
+		).not.toContain("-moz-binding");
+		expect(
+			sanitizeBadgeWallCss(".x { width: expression(alert(1)); }"),
+		).not.toContain("expression");
+		expect(
+			sanitizeBadgeWallCss(".x { background: url(javascript:alert(1)); }"),
+		).not.toContain("javascript:");
+	});
+
+	it("drops <style> break-out attempts entirely", () => {
+		const out = sanitizeBadgeWallCss(
+			".a { color: red; } </style><script>window.x=1</script> .b { color: blue; }",
+		);
+
+		expect(out).not.toContain("<script");
+		expect(out).not.toContain("</style");
+		expect(out).not.toContain("window.x");
+		expect(out).toContain("color");
+	});
+});
diff --git a/src/lib/Utility/sanitizeCss.ts b/src/lib/Utility/sanitizeCss.ts
new file mode 100644
index 00000000..976fa6a1
--- /dev/null
+++ b/src/lib/Utility/sanitizeCss.ts
@@ -0,0 +1,57 @@
+import * as csstree from "css-tree";
+
+const blockedProperties = new Set(["behavior", "-moz-binding"]);
+const dangerousValue = /expression\s*\(|javascript:|vbscript:/i;
+
+/**
+ * Sanitise user-supplied badge-wall CSS at the trust boundary (write time), so
+ * the stored value is safe regardless of how it is later rendered. Parsing with
+ * css-tree (leniently, like a browser) drops anything that isn't valid CSS —
+ * including `</style>` break-out attempts — and we additionally remove the few
+ * constructs that can load resources or (in legacy engines) run code:
+ * `@import`, `behavior`/`-moz-binding`, and `expression()`/`javascript:` values.
+ *
+ * This is defence in depth: rendering goes through `textContent` (no HTML
+ * parsing, so no break-out) and the CSP blocks inline script regardless.
+ */
+export const sanitizeBadgeWallCss = (css: string): string => {
+	if (!css) return "";
+
+	let ast: csstree.CssNode;
+
+	try {
+		ast = csstree.parse(css, { onParseError: () => {} });
+	} catch {
+		return "";
+	}
+
+	csstree.walk(ast, (node, item, list) => {
+		if (!list || !item) return;
+
+		if (node.type === "Atrule" && node.name.toLowerCase() === "import") {
+			list.remove(item);
+		} else if (
+			node.type === "Rule" &&
+			csstree.generate(node.prelude).includes("<")
+		) {
+			// css-tree keeps an unparseable selector as a Raw prelude, so a
+			// `</style><script>…` break-out shows up as a rule whose selector
+			// contains `<` (never valid in a real selector). Drop the rule.
+			list.remove(item);
+		} else if (node.type === "Raw" && /[<>]/.test(node.value)) {
+			list.remove(item);
+		} else if (
+			node.type === "Declaration" &&
+			(blockedProperties.has(node.property.toLowerCase()) ||
+				dangerousValue.test(csstree.generate(node.value)))
+		) {
+			list.remove(item);
+		}
+	});
+
+	try {
+		return csstree.generate(ast);
+	} catch {
+		return "";
+	}
+};
diff --git a/src/lib/Utility/sanitizeHtml.test.ts b/src/lib/Utility/sanitizeHtml.test.ts
new file mode 100644
index 00000000..1094635e
--- /dev/null
+++ b/src/lib/Utility/sanitizeHtml.test.ts
@@ -0,0 +1,57 @@
+// @vitest-environment jsdom
+import { describe, expect, it } from "vitest";
+import { sanitizeFeedHtml } from "./sanitizeHtml";
+
+describe("sanitizeFeedHtml", () => {
+	// Behaviour gate: the formatting real feeds use must survive untouched.
+	it("preserves entities, inline formatting and safe links", () => {
+		expect(sanitizeFeedHtml("Fruits &amp; Vegetables")).toBe(
+			"Fruits &amp; Vegetables",
+		);
+		expect(sanitizeFeedHtml("<i>italic</i> and <b>bold</b>")).toBe(
+			"<i>italic</i> and <b>bold</b>",
+		);
+		expect(sanitizeFeedHtml("Vol. 1 <em>Ch.</em> 5")).toBe(
+			"Vol. 1 <em>Ch.</em> 5",
+		);
+		expect(
+			sanitizeFeedHtml('<a href="https://example.com/x">link</a>'),
+		).toContain('href="https://example.com/x"');
+		expect(sanitizeFeedHtml("line<br>break")).toContain("<br");
+	});
+
+	it("returns empty string for nullish input", () => {
+		expect(sanitizeFeedHtml(undefined)).toBe("");
+		expect(sanitizeFeedHtml(null)).toBe("");
+		expect(sanitizeFeedHtml("")).toBe("");
+	});
+
+	// The fix: scripts, handlers, dangerous tags and URLs must be removed.
+	it("strips scripts, event handlers and dangerous tags/urls", () => {
+		const script = sanitizeFeedHtml("<script>alert(1)</script>safe");
+		expect(script).not.toContain("script");
+		expect(script).toContain("safe");
+
+		const onerror = sanitizeFeedHtml("before<img src=x onerror=alert(1)>after");
+		expect(onerror).not.toContain("onerror");
+		expect(onerror).not.toContain("<img");
+		expect(onerror).toContain("before");
+		expect(onerror).toContain("after");
+
+		expect(
+			sanitizeFeedHtml('<a href="javascript:alert(1)">x</a>'),
+		).not.toContain("javascript:");
+		expect(
+			sanitizeFeedHtml('<iframe src="https://evil.example.com"></iframe>'),
+		).not.toContain("iframe");
+		expect(
+			sanitizeFeedHtml(
+				'<meta http-equiv="refresh" content="0;url=https://evil.example.com">',
+			),
+		).not.toContain("meta");
+		expect(sanitizeFeedHtml("<style>body{display:none}</style>")).not.toContain(
+			"style",
+		);
+		expect(sanitizeFeedHtml('<div onclick="steal()">text</div>')).toBe("text");
+	});
+});
diff --git a/src/lib/Utility/sanitizeHtml.ts b/src/lib/Utility/sanitizeHtml.ts
new file mode 100644
index 00000000..3d0229e4
--- /dev/null
+++ b/src/lib/Utility/sanitizeHtml.ts
@@ -0,0 +1,32 @@
+import DOMPurify from "dompurify";
+
+const feedConfig = {
+	ALLOWED_TAGS: [
+		"a",
+		"b",
+		"i",
+		"em",
+		"strong",
+		"u",
+		"s",
+		"br",
+		"p",
+		"span",
+		"small",
+		"sup",
+		"sub",
+		"code",
+	],
+	ALLOWED_ATTR: ["href", "title"],
+	ALLOWED_URI_REGEXP: /^(?:https?|mailto):/i,
+};
+
+/**
+ * Sanitise HTML coming from third-party RSS feeds before it reaches an `{@html}`
+ * sink. Keeps the light formatting these feeds actually use (HTML entities,
+ * `<i>`/`<b>`/`<a href>`) and strips anything that could inject content or
+ * behaviour: `<script>`, event-handler attributes, `<iframe>`/`<meta>`/`<style>`,
+ * `javascript:` URLs, and so on. Browser-only — call it from client code.
+ */
+export const sanitizeFeedHtml = (html: string | undefined | null): string =>
+	html ? DOMPurify.sanitize(html, feedConfig) : "";