pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-20 06:11:11 -05:00
Code Issues Packages Projects Releases Wiki Activity

Improve security and fix race conditions and memory leaks

Browse Source 
Update environment variables for Supabase and Cloudflare, fix race conditions in hooks, and resolve memory leaks in the upload component.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: cb061c75-702e-4b89-a8d1-77a96cdcdfbb
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/7cdf4e95-3f41-4180-b8e3-8ef56d032c0e/cb061c75-702e-4b89-a8d1-77a96cdcdfbb/ANdRXVZ
This commit is contained in:
pac7
2025-10-07 14:43:14 +00:00
parent 1addcbc0dd
commit 0ebff53b41
1 changed files with 29 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
replit.md
View File

@@ -228,9 +228,10 @@ Preferred communication style: Simple, everyday language.
- `VITE_NOVU_SOCKET_URL`: Novu WebSocket endpoint
- `VITE_NOVU_API_URL`: Novu API endpoint
- `VITE_CLOUDFLARE_ACCOUNT_HASH`: Cloudflare Images account hash for image URL construction
- `VITE_SUPABASE_URL`: Supabase project URL
- Supabase credentials (injected by hosting platform)
- Cloudflare Images API credentials (stored in Supabase secrets)
- `VITE_SUPABASE_URL`: Supabase project URL (required for client initialization)
- `VITE_SUPABASE_ANON_KEY`: Supabase anonymous key (required for client initialization)
- `VITE_TURNSTILE_SITE_KEY`: Cloudflare Turnstile CAPTCHA site key (required for bot protection)
- Cloudflare Images API credentials (stored in Supabase secrets for edge functions)
**Feature Flags:**
- Theme persistence via localStorage
@@ -240,16 +241,31 @@ Preferred communication style: Simple, everyday language.
## Recent Changes
### Security Fixes (October 7, 2025)
### Bug Fixes and Security Improvements (October 7, 2025)
**Environment Variable Migration:**
- Moved hardcoded Cloudflare account hash to `VITE_CLOUDFLARE_ACCOUNT_HASH` environment variable
- Updated 14 components to use environment variable instead of hardcoded values:
- Card components: ParkCard, RideCard, ManufacturerCard, OperatorCard, ParkOwnerCard, RideModelCard
- Detail pages: ParkDetail, RideDetail, ManufacturerDetail, OperatorDetail, PropertyOwnerDetail, DesignerDetail
- Upload component: PhotoUpload (now uses env var for Supabase URL)
- Verified zero hardcoded sensitive values remain in codebase
**Security Fixes:**
- Migrated all hardcoded credentials to environment variables:
- `src/integrations/supabase/client.ts`: Now uses `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY` with error handling
- `src/components/auth/TurnstileCaptcha.tsx`: Now uses `VITE_TURNSTILE_SITE_KEY` with warning UI if missing
- Previously migrated: Cloudflare account hash to `VITE_CLOUDFLARE_ACCOUNT_HASH` across 14 components
- All sensitive credentials now properly managed through environment variables
**Race Condition Fixes:**
- `src/hooks/useEntityVersions.ts`: Added lifecycle tracking with mounted ref, channel ref for preventing duplicate subscriptions, comprehensive cleanup on unmount
- `src/hooks/useAuth.tsx`: Added mounted ref, timeout tracking and cleanup, guarded all state updates to prevent updates after unmount, improved error handling with user feedback via toast notifications
**Memory Leak Fixes:**
- `src/components/upload/PhotoUpload.tsx`: Implemented comprehensive object URL tracking with ref-based tracking set, automatic cleanup on unmount, revocation on all success/error paths, prevents memory leaks in all scenarios
**Input Validation Improvements:**
- `supabase/functions/create-novu-subscriber/index.ts`: Added validation for subscriberId and email format with structured 400 error responses
- `supabase/functions/upload-image/index.ts`: Added validation for all request methods (GET/POST/DELETE) with proper error handling
- `supabase/functions/process-selective-approval/index.ts`: Added UUID validation for userId and submissionId, array validation for itemIds, comprehensive error messages
**Error Handling Improvements:**
- Profile fetch failures now show user-friendly toast notifications
- Edge functions return structured error responses (400 for validation, 401 for auth, 500 for server errors)
- All async operations properly handle errors with user feedback
**Import Fixes:**
- Fixed sonner.tsx to import `useTheme` from local `@/components/theme/ThemeProvider` instead of incorrect `next-themes` package
- Ensures proper theme functionality without external dependency issues