Commit message | Author | Age | Files | Lines
The user and logout cookies were set with secure:false, so the AniList
tokens the user cookie carries could traverse plaintext HTTP. Drop the
override and let SvelteKit's default apply (Secure everywhere except
http://localhost), giving Secure in production and on https://due.localhost
while keeping plain-http local dev working. httpOnly is unchanged (the
client reads the token from layout data; tightening that is tracked
separately as the architectural part of C2).
Auto-fixed cosmetic findings (import ordering, obj["k"]->obj.k, optional
chaining, template literals, Date.now, parseInt radix, useless ternaries/
switch cases). Resolved the non-autofixable rest by hand:
- Senpy: static-only class -> object literal (no this/static reliance).
- app.html: var global shim -> window.global = window (keeps the shim,
drops the unused-var flag).
- biome-ignore with rationale for the logout document.cookie clear and the
holodule scrape non-null assertion.
Verified: biome check 0 diagnostics, svelte-check 0/0, 24/24 unit tests.
This reverts commit 13226aaeb7c4dc1ce01074ef1ba1eeb87b53d5f5.
The refresh endpoint accepted a ?redirect query param and, when
present, called redirect(303, "/") instead of returning the refreshed
token as JSON. The target was hardcoded to "/" regardless of the
param's value, so the feature was dead — and the pattern of reading
a "redirect" param invited future open-redirect bugs if someone wired
the value through to redirect() directly.
The sole in-tree caller (feeds/activity-notifications) reads the JSON
response, so always return JSON and drop the redirect import.