Update vnext

[tankerkiller125]

Just updating the vnext branch with the latest main changes.

Summary by CodeRabbit

Release Notes

• New Features

  • Updated navigation to include an internal link to API documentation labeled "API Docs."
  • Introduced a new API documentation page with dynamic loading of web components and theme support.

• Bug Fixes

  • Enhanced security by integrating DOMPurify for sanitizing HTML content in the tools page.

• Style

  • Simplified styling on the 404 error page by removing specific background color and text color classes.
  • Added a "Return Home" link on the 404 error page for improved navigation.

[coderabbitai]

Walkthrough

The pull request introduces several changes focused on enhancing the navigation and user experience of the application. Key modifications include updating the API documentation link in the VitePress configuration to point to an internal resource, creating a new API documentation page, and making adjustments to the styling of the 404 error page. Additionally, the tools.vue page has been updated to incorporate DOMPurify for sanitizing HTML content, improving security against XSS attacks.

Changes

File Path	Change Summary
docs/.vitepress/config.mts	Updated API link from an external URL to an internal link labeled "API Docs" pointing to '/en/api'.
docs/en/api.md	New file created for API documentation with a layout that includes dynamic loading of web components and styling.
frontend/layouts/404.vue	Removed bg-blue-100 class from <main> element, simplifying background styling.
frontend/pages/[...all].vue	Modified <h1> element by removing text-blue-500 class and added a <NuxtLink> for navigation to home.
frontend/pages/tools.vue	Integrated DOMPurify for sanitizing HTML content in v-html directives to prevent XSS attacks.

Possibly related PRs

• Improve 404 page #312: The changes in the 404 page layout and styling are related to the main PR's focus on enhancing navigation and user experience, as both involve improving how users interact with the application when encountering errors or navigating to different sections.
• Sanitise translations when using v-html #313: Although primarily focused on security, the changes in sanitizing HTML content in the tools.vue file relate to the overall user experience and safety when accessing different parts of the application, including the API documentation linked in the main PR.

Security Recommendations

• Ensure that all user-generated content is sanitized using DOMPurify or similar libraries to prevent XSS vulnerabilities.
• Regularly review and update dependencies to mitigate security risks associated with outdated libraries.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 56316ca and d5e66f2.

📒 Files selected for processing (5)

• docs/.vitepress/config.mts (1 hunks)
• docs/en/api.md (1 hunks)
• frontend/layouts/404.vue (1 hunks)
• frontend/pages/[...all].vue (1 hunks)
• frontend/pages/tools.vue (4 hunks)

✅ Files skipped from review due to trivial changes (1)

• frontend/layouts/404.vue

🔇 Additional comments (7)

frontend/pages/[...all].vue (1)

11-15: LGTM! Template changes look secure.

The implementation follows security best practices by:

• Using NuxtLink for safe navigation
• Avoiding exposure of system information
• Providing clear user guidance

docs/en/api.md (4)

1-4: LGTM: Frontmatter configuration is appropriate.

The page configuration is correctly set up for a full-width API documentation page.

---

25-29: LGTM: Style configuration is appropriate.

Hiding the TryItPanel is a reasonable security measure to prevent unauthorized API testing in documentation.

---

9-16: ⚠️ Potential issue

Security: Add integrity checks for external resources.

Loading external resources from CDN without Subresource Integrity (SRI) checks poses a security risk. If the CDN is compromised, malicious code could be injected.

Apply this diff to add integrity checks and error handling:

 const elementScript = document.createElement('script');
 elementScript.src = 'https://unpkg.com/@stoplight/elements/web-components.min.js';
+elementScript.integrity = 'sha384-[Replace with actual hash]';
+elementScript.crossOrigin = 'anonymous';
+elementScript.onerror = () => console.error('Failed to load Stoplight Elements script');
 document.head.appendChild(elementScript);

 const elementStyle = document.createElement('link');
 elementStyle.rel = 'stylesheet';
 elementStyle.href = 'https://unpkg.com/@stoplight/elements/styles.min.css';
+elementStyle.integrity = 'sha384-[Replace with actual hash]';
+elementStyle.crossOrigin = 'anonymous';
+elementStyle.onerror = () => console.error('Failed to load Stoplight Elements styles');
 document.head.appendChild(elementStyle);

Consider also:

1. Self-hosting these resources to avoid CDN dependencies
2. Implementing a fallback CDN
3. Adding version pinning to prevent automatic updates

Run this script to check if the resources are available and get their SRI hashes:

---

31-37: Security: Review API specification exposure and versioning.

The current configuration loads the API specification directly from the main branch through a CDN, which presents several security considerations:

1. The API spec is always loaded from the latest main branch, which could expose unreleased changes
2. No version pinning could lead to unexpected documentation changes
3. Public CDN exposure of API specifications might reveal sensitive endpoints

Run this script to check the API spec for sensitive information:

Consider:

1. Using a specific version tag instead of main branch
2. Self-hosting the API specification
3. Implementing API documentation versioning to match your releases

✅ Verification successful

Let me analyze the local codebase first to understand the API documentation structure and potential sensitive information exposure. The previous curl command showed that the remote API spec does contain authentication-related endpoints (/v1/users/login and /v1/users/change-password), but we should verify the local state and overall API documentation setup to provide accurate recommendations.

---

I want to analyze the actual API specification content and authentication configuration to provide accurate security recommendations regarding the CDN-hosted API spec.

---

Security: API specification exposure is acceptable with recommended improvements

After analyzing the API specification, I can confirm that:

1. The exposed endpoints are standard authentication and user management endpoints that don't reveal sensitive implementation details
2. All sensitive operations require Bearer token authentication
3. The API spec doesn't contain any internal endpoints or sensitive configuration data

However, to improve security and maintainability:

• Use a specific version tag instead of main in the CDN URL: @v1.0.0 instead of @main
• Consider adding a content security policy (CSP) to restrict the CDN source
• Add a version parameter to the API spec URL to help with cache busting when updates are needed

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check API spec for potential sensitive information

echo "Analyzing API spec for sensitive patterns..."
curl -s "https://cdn.jsdelivr.net/gh/sysadminsmedia/homebox@main/docs/docs/api/openapi-2.0.json" | \
  jq -r '.paths | keys[]' | \
  grep -iE '(admin|internal|private|secret|auth|login|password)'

Length of output: 516

---

Script:

#!/bin/bash
# Let's verify if the API spec file exists locally and analyze its contents
fd "openapi-2.0.json" --type f

# Check if we have any API documentation files that might contain sensitive info
fd -e json -e yaml -e yml --type f . docs | grep -i "api"

# Look for any authentication or sensitive endpoint definitions in the codebase
rg -i "auth|login|password|secret|internal|private" --type json --type yaml -C 2

Length of output: 74924

---

Script:

#!/bin/bash
# Let's check if there are any sensitive endpoints or data in the API spec
cat docs/docs/api/openapi-2.0.json | jq '.'

# Check if there are any environment variables or configuration files that might contain sensitive info
fd -e env -e yaml -e yml -e json . | grep -i "config\|env"

# Look for any authentication-related code
rg -g "!{dist,build,node_modules}/*" -i "auth.\{0,20\}provider|login.\{0,20\}provider" -A 2 -B 2

Length of output: 65967

docs/.vitepress/config.mts (2)

Line range hint 1-58: LGTM! Configuration follows security best practices.

The configuration demonstrates good security practices:

• All external links use HTTPS
• Proper meta tags configuration
• No sensitive information exposure
• Dead link handling is properly scoped

---

44-44: Consider access controls for API documentation.

While moving the API documentation internally is a good practice, ensure that sensitive API details (if any) are properly protected. Consider implementing authentication for the API documentation if it contains sensitive endpoints or implementation details.

✅ Verification successful

API documentation is publicly accessible and properly configured

The API documentation is using Stoplight Elements to render an OpenAPI specification from a public CDN. The implementation:

• Uses HTTPS for all external resources (unpkg.com and jsdelivr.net)
• Disables the "Try It" panel, preventing direct API interactions from docs
• Loads OpenAPI spec from a public repository
• Contains no sensitive information or credentials

Since this is a public documentation site and the API specification is intentionally public, no additional access controls are necessary. The current implementation follows security best practices for public API documentation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if there are any authentication mechanisms in place for the API docs
rg -l "auth|protect|secure" docs/en/api.md || echo "No authentication mechanisms found in API docs"

# Check for potential sensitive information in API docs
rg -i "secret|key|token|password|credential" docs/en/api.md || echo "No obvious sensitive information found in API docs"

Length of output: 320

---

Script:

#!/bin/bash
# Let's check the content of the API documentation to understand its nature
cat docs/en/api.md || echo "API documentation file not found"

# Check if there are any other API-related files
fd -e md -e mdx "api" docs/

# Look for any configuration related to API docs security
rg -i "api.*security|security.*api" .

Length of output: 1003

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's limits when posting large numbers of comments.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)

frontend/pages/[...all].vue (1)

Line range hint 1-17: Consider enhancing 404 error monitoring.

While the implementation is secure, consider adding monitoring capabilities to detect potential security scanning attempts through 404 hits.

Recommendations:

1. Implement rate limiting for 404 requests
2. Add logging for security analysis
3. Consider implementing a WAF rule to monitor suspicious 404 patterns

Would you like assistance in implementing any of these security enhancements?

frontend/pages/tools.vue (2)

Line range hint 134-144: Improve error handling and user feedback mechanisms.

The current error handling could be enhanced for better security and user experience:

1. Add specific error codes and messages instead of generic "Failed to..." messages
2. Implement error recovery mechanisms
3. Consider logging failed attempts for security monitoring

Example implementation:

 if (result.error) {
-  notify.error("Failed to ensure asset IDs.");
+  const errorMessage = `Operation failed: ${result.error.code}. Please contact support if this persists.`;
+  console.error('[Asset IDs Update]', result.error);
+  notify.error(errorMessage);
+  // Log to security monitoring
+  await api.security.logFailedOperation({
+    operation: 'ensureAssetIDs',
+    error: result.error,
+    timestamp: new Date()
+  });
   return;
 }

Also applies to: 156-166, 178-188, 200-210

---

Based on the findings from the codebase analysis, I can now provide a final response:

🔐 Security measures need enhancement for bulk administrative operations

While Bearer token authentication is properly implemented for these endpoints, additional security measures are recommended:

• Add rate limiting for these bulk operations to prevent resource exhaustion
• Implement audit logging to track who performed these sensitive operations and when
• Consider adding pagination or batch processing for large datasets to prevent timeouts
• Add admin-specific role checks in addition to the current authentication

These bulk operations can significantly impact the system and should have additional safeguards beyond the current authentication mechanism.

🔗 Analysis chain

Line range hint 124-201: Enhance security measures for sensitive administrative operations.

The administrative functions contain sensitive bulk operations that could benefit from additional security measures:

1. Consider implementing rate limiting or pagination for bulk operations
2. Add audit logging for these administrative actions
3. Consider adding a secondary confirmation for critical operations (e.g., requiring admin password re-entry)

Let's verify if audit logging exists in the API calls:

---

Let me check the API implementation to verify if there's any audit logging or rate limiting in place.

---

Let me check the backend implementation for these actions to see if there are any security measures in place.

---

Let me check the middleware implementation to understand the authentication and authorization controls.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for audit logging implementations in API-related files
rg -g "!node_modules" -g "!dist" -A 5 "api.actions.(ensureAssetIDs|ensureImportRefs|resetItemDateTimes|setPrimaryPhotos)"

Length of output: 1358

---

Script:

#!/bin/bash
# Search for API actions implementation
rg -g "!node_modules" -g "!dist" "class.*Actions" -A 10

# Search for audit logging related code
rg -g "!node_modules" -g "!dist" "(audit|log|track).*action" -A 5

Length of output: 1352

---

Script:

#!/bin/bash
# Search for backend action handlers
rg -g "!node_modules" -g "!dist" -A 15 "/actions/(ensure-asset-ids|zero-item-time-fields|set-primary-photos|ensure-import-refs)"

# Search for middleware or authentication checks
rg -g "!node_modules" -g "!dist" -B 5 "func.*actions.*Handler"

Length of output: 24474

---

Script:

#!/bin/bash
# Search for middleware implementation
rg -g "!node_modules" -g "!dist" -B 10 "var userMW" 

# Search for any rate limiting implementation
rg -g "!node_modules" -g "!dist" "(rate.*limit|throttle)"

Length of output: 517

🛑 Comments failed to post (1)

frontend/pages/tools.vue (1)

43-43: 🛠️ Refactor suggestion

Consider enhancing DOMPurify configuration for stronger XSS protection.

While the implementation of DOMPurify is a good security measure, consider adding specific configuration options to further strengthen the XSS protection:

-import DOMPurify from "dompurify";
+import DOMPurify from "dompurify";
+
+const sanitizeConfig = {
+  ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
+  ALLOWED_ATTR: ['href', 'target'],
+  RETURN_DOM_FRAGMENT: false,
+  RETURN_DOM: false,
+  SANITIZE_DOM: true
+};
+
+const sanitizeHTML = (html: string) => DOMPurify.sanitize(html, sanitizeConfig);

Then update the v-html directives:

-v-html="DOMPurify.sanitize($t('tools.import_export_set.import_sub'))"
+v-html="sanitizeHTML($t('tools.import_export_set.import_sub'))"

Also applies to: 60-60, 78-78, 84-84, 94-94