From e4d0e2c57c4196db54e130f8455608512566ac62 Mon Sep 17 00:00:00 2001 From: pac7 <47831526-pac7@users.noreply.replit.com> Date: Wed, 8 Oct 2025 18:34:26 +0000 Subject: [PATCH] Fix security vulnerabilities and improve application stability Address critical bugs including CORS vulnerability, navigation errors, and component crashes, and resolve an image upload race condition. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 567218be-0199-4aaa-af7e-8307f67d4453 Replit-Commit-Checkpoint-Type: full_checkpoint --- .replit | 4 ++++ replit.md | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/.replit b/.replit index fc81a45d..bd2c2dd4 100644 --- a/.replit +++ b/.replit @@ -33,3 +33,7 @@ outputType = "webview" [[ports]] localPort = 5000 externalPort = 80 + +[[ports]] +localPort = 46807 +externalPort = 3000 diff --git a/replit.md b/replit.md index 6e521ddd..1d77b8a1 100644 --- a/replit.md +++ b/replit.md 
@@ -5,6 +5,11 @@ ThrillWiki is a community-driven web application for discovering, reviewing, and ## Recent Changes (October 8, 2025) +### Critical Bug Fixes - Session 4 +- **Fixed CORS Security Vulnerability (P0):** Implemented environment-aware CORS configuration in `upload-image` Edge Function. Production now uses a domain allowlist instead of wildcard (`*`) to prevent unauthorized cross-origin uploads. Development mode retains flexibility for localhost and Replit domains. Added `Access-Control-Allow-Credentials: true` for authenticated requests. +- **Fixed Company Navigation 404 Errors (P1):** Resolved AutocompleteSearch routing issue where selecting companies from search results would navigate to non-existent `/companies/:id` route. Now correctly routes to type-specific pages (`/manufacturers/`, `/operators/`, `/designers/`, `/owners/`) based on company_type, with proper fallback to search page with user notification for unknown types. +- **Fixed RideModelCard Null Crashes (P1):** Added null guards to `formatCategory()` and `formatRideType()` functions in RideModelCard component. Legacy database rows lacking category or ride_type fields now display "Unknown" instead of throwing runtime errors, preventing manufacturer model grid crashes. + ### Critical Bug Fixes & Performance Optimization - Session 3 - **Fixed Image Upload Race Condition:** Resolved critical issue in `uploadPendingImages` where parallel uploads using Promise.all could leave orphaned images in Cloudflare on partial failures. Switched to Promise.allSettled with proper tracking of newly uploaded images (via `wasNewlyUploaded` flag), ensuring only newly uploaded assets are deleted on failure while preserving pre-existing images. - **Fixed AutocompleteSearch Infinite Loop:** Resolved infinite re-render bug in `AutocompleteSearch` component caused by inline default array in props. Extracted default `types` array to a constant (`DEFAULT_TYPES`) to maintain stable reference across renders.
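Review bot: the `.replit` hunk exposes a new service (`localPort = 46807` mapped to `externalPort = 3000`) with no explanation of what listens on that port, and nothing in the commit message or in the `replit.md` notes mentions it. Opening an additional external port widens the attack surface, so either document which process this serves (and why it must be reachable externally rather than only from the app on port 5000) or drop the entry if it was picked up by the agent checkpoint by accident.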
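Review bot: the `replit.md` hunk documents code changes that are not in this patch, so the claims cannot be verified from the diff. The commit says it fixes a CORS vulnerability, navigation 404s, `RideModelCard` null crashes and the upload race condition, but the only files changed are `.replit` and `replit.md`; the `upload-image` Edge Function, `AutocompleteSearch` and `RideModelCard` edits should be in this commit or the message should reference the commit that carries them. On the CORS entry itself, the note says the production allowlist is combined with `Access-Control-Allow-Credentials: true` and that development mode "retains flexibility for localhost and Replit domains"; please state the exact matching rule in the note (exact-origin match, with the matched origin echoed back and `Vary: Origin` set), because with credentials enabled any loose match on a domain suffix grants credentialed cross-origin access to every origin that matches it.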