aboutsummaryrefslogtreecommitdiff
path: root/src/routes
Commit message (Collapse)AuthorAgeFilesLines
* fix(api): drop unused redirect query param from oauth refreshFuwn2026-04-181-3/+1
| | | | | | | | | | | | The refresh endpoint accepted a ?redirect query param and, when present, called redirect(303, "/") instead of returning the refreshed token as JSON. The target was hardcoded to "/" regardless of the param's value, so the feature was dead — and the pattern of reading a "redirect" param invited future open-redirect bugs if someone wired the value through to redirect() directly. The sole in-tree caller (feeds/activity-notifications) reads the JSON response, so always return JSON and drop the redirect import.
* fix(api): gate badge click-count on Origin and fix 401 response reuseFuwn2026-04-181-9/+11
| | | | | | | | | | | | | The PUT ?incrementClickCount path ran before any auth guard, letting unauthenticated callers spam-increment arbitrary badges. Require the request Origin to match appOrigin() so legitimate in-browser clicks (authenticated or not) still count while direct scripted calls are rejected. Also convert the shared `unauthorised` Response singleton into a factory. The singleton's body was consumed on first use, so subsequent 401 paths returned a `Response body is locked` error instead of the intended "Unauthorised" body.
* fix(api): encode subsplease timezone to prevent query-param injectionFuwn2026-04-181-5/+6
| | | | | | | The `tz` query value was interpolated raw into the upstream URL, letting callers append arbitrary query segments (e.g. `tz=foo&f=hax`). Wrap the value in encodeURIComponent and rename the local variable away from the banned `tz` abbreviation.
* fix(ui): balance homepage media panelsFuwn2026-04-121-62/+220
|
* revert(ui): remove april fools executive modeFuwn2026-04-023-99/+22
|
* fix(ui): tune april fools notification copyFuwn2026-04-011-1/+1
|
* fix(ui): simplify april fools controlsFuwn2026-04-011-15/+52
|
* feat(ui): add april fools executive modeFuwn2026-04-013-22/+62
|
* fix(badges): hide outbound link noticeFuwn2026-04-011-1/+1
|
* fix(state): restore persisted list UI stateFuwn2026-03-282-4/+6
|
* fix(cache): preserve hydrated client stateFuwn2026-03-281-1/+2
|
* fix(auth): ignore malformed user cookiesFuwn2026-03-286-24/+54
|
* fix(api): keep preferences publicly readableFuwn2026-03-271-4/+1
|
* fix(profile): restore owner controls for new accountsFuwn2026-03-272-21/+41
|
* refactor(supabase): move app access to service roleFuwn2026-03-272-40/+56
|
* fix(actions): resolve quality and trigger deploy driftFuwn2026-03-221-6/+8
|
* perf: lazy-load authenticated list surfacesFuwn2026-03-222-25/+145
|
* refactor: centralise site origin usageFuwn2026-03-2211-61/+44
|
* refactor(effect): add request body schema decoders to api routesFuwn2026-03-034-5/+36
|
* refactor(effect): migrate api auth cookie decodingFuwn2026-03-034-57/+18
|
* refactor(effect): migrate core auth decode boundariesFuwn2026-03-032-18/+6
|
* chore(cleanup): remove stale eslint directivesFuwn2026-03-012-3/+0
|
* chore(biome): drop formatter style overridesFuwn2026-03-0153-1463/+1597
|
* chore(biome): re-enable noImplicitAnyLet ruleFuwn2026-03-0111-11/+22
|
* chore(biome): enable svelte lintingFuwn2026-03-012-3/+3
|
* chore(biome): enable svelte formattingFuwn2026-03-0121-955/+954
|
* chore(biome): re-enable noDoubleEquals ruleFuwn2026-03-011-1/+1
|
* chore(types): decouple app code from fragile generated route typesFuwn2026-03-011-1/+1
|
* perf: optimise list hot paths and shared timersFuwn2026-03-013-9/+9
|
* fix: Resolve all ESLint errors and warningsFuwn2026-01-298-12/+12
|
* feat(Landing): Update to match LandingHeroFuwn2026-01-281-5/+1
|
* feat: Add hero for landing and welcome pageFuwn2026-01-272-0/+11
|
* feat(+layout.svelte): Add Web AnalyticsFuwn2026-01-261-0/+3
|
* fix: Add null guards and improve error messaging for user lookupsFuwn2026-01-234-6/+27
|
* fix: Resolve unused imports, dead code, and type definitionsFuwn2026-01-231-1/+0
|
* refactor: Migrate event handlers to new Svelte 5 syntaxFuwn2026-01-2310-39/+39
|
* refactor(layout): Replace empty p elements with reusable Spacer componentFuwn2026-01-2312-39/+51
|
* fix(html): Replace self-closing non-void HTML elements with proper closing tagsFuwn2026-01-2311-38/+38
|
* fix(notifications): Replace svelte-notifications with custom store for Svelte 5Fuwn2026-01-221-4/+3
|
* format: Apply Prettier formattingFuwn2026-01-221-7/+21
|
* deps(svelte): Migrate to Svelte 5 with compatibility modeFuwn2026-01-221-3/+8
|
* deps(sveltekit): Migrate to SvelteKit 2Fuwn2026-01-222-2/+2
|
* format: Apply Prettier formattingFuwn2025-12-1511-67/+50
|
* fix(api:birthdays): Update HTML parser for primary sourceFuwn2025-12-071-3/+3
|
* fix: Throw redirectsFuwn2025-12-012-2/+2
|
* feat(badges): Add a no-load query parameterFuwn2025-09-061-8/+15
|
* style(src): Remove self-closing tags with attributesFuwn2025-06-231-2/+2
|
* style(src): Remove self-closing p and div tagsFuwn2025-06-2312-39/+39
|
* refactor(LastActivity): Move display guard to componentFuwn2025-06-141-3/+1
|
* fix(Home): Guard LastActivity component visibilityFuwn2025-06-141-1/+3
|
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-02 23:56:30 +0000