thrilltrack-explorer/replit.md
pac7 ced8fb6015 Improve security and configuration of multiple web application functions
Update JWT verification in image upload and email change functions, make geolocation API configurable, and enhance error handling in Supabase Edge Functions.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 364fb426-1d27-49b2-a244-a34e41c335e4
Replit-Commit-Checkpoint-Type: full_checkpoint
2025-10-08 12:33:05 +00:00

ThrillWiki - Theme Park & Ride Encyclopedia

Overview

ThrillWiki is a community-driven web application for discovering, reviewing, and tracking theme parks, rides, and related entities globally. Its core purpose is to provide a centralized platform for enthusiasts to research attractions and contribute to a collaborative knowledge base through user contributions and reviews, offering a comprehensive encyclopedia for the theme park world.

Recent Changes (October 8, 2025)

Security Enhancements

  • Enabled JWT Verification for Image Upload: Changed the upload-image Edge Function to verify_jwt = true in supabase/config.toml. Supabase now validates the caller's JWT before the function executes, so unauthenticated requests can no longer reach the image upload/delete handlers (role and ban checks still happen inside the function).
  • Replaced Manual JWT Decoding with Supabase Verification: Updated cancel-email-change Edge Function to use Supabase's built-in auth.getUser(token) method with service role client instead of manual base64 decoding. This approach properly verifies JWT tokens using only runtime-available environment variables (SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY) while maintaining admin privileges for database operations.
  • Made Geolocation API Configurable: Updated detect-location Edge Function to use environment variables for geolocation service configuration. The API URL (GEOLOCATION_API_URL) and fields (GEOLOCATION_API_FIELDS) are now configurable, with sensible defaults (ip-api.com) for easier service switching and testing.
  • Enhanced Error Handling: Added comprehensive error handling to all Supabase Edge Functions with granular try-catch blocks for network requests, JSON parsing, and API responses. Improves reliability and provides detailed error messages for debugging.

Recent Changes (October 7, 2025)

Security Enhancements

  • Fixed Critical Authorization Vulnerability: Updated process-selective-approval Edge Function to properly verify JWT tokens using Supabase's auth verification instead of manual decoding. Now correctly enforces moderator/admin role requirements before allowing content approvals.
  • Enhanced Image Upload Security: Added banned user checks to upload-image Edge Function for both upload (POST) and delete (DELETE) operations to prevent suspended users from managing images.

Code Quality Improvements

  • React Router v7 Compatibility: Added future flags (v7_startTransition, v7_relativeSplatPath) to BrowserRouter to prepare for React Router v7 and eliminate deprecation warnings.

Architecture Changes

  • Moderation API Update: Simplified moderation approval API by removing client-supplied userId parameter. The authenticated user's ID is now extracted from the verified JWT token on the backend for improved security.
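The authorization change described in the security entries above, as an added example that is not ThrillWiki's own code. It shows the replaced pattern (decoding the JWT payload and trusting its sub) beside the fix: the token is verified by the auth backend, the caller's id is taken from the verified user rather than from a claim or a client-supplied userId, and the banned-user and role checks run against the database profile. `AuthBackend` and `ProfileStore` are assumed stand-ins for `supabase.auth.getUser(token)` on a service-role client and a profiles-table query; they are synchronous here so the example runs offline, and the profile schema (role, banned flag) and user ids are constructed.

```typescript
// Added example, not ThrillWiki's own code. Before/after of the Edge Function
// authorization described in the changelog. AuthBackend and ProfileStore are
// assumed stand-ins for supabase.auth.getUser(token) (service-role client) and
// a profiles table; synchronous here so the example runs offline.

export type AppRole = "user" | "moderator" | "admin" | "superuser";
export interface Profile { id: string; role: AppRole; banned: boolean } // assumed schema
export interface ProfileStore { get(userId: string): Profile | undefined }
export interface AuthBackend {
  // Same result shape as supabase-js: data.user is null unless the token's
  // signature and expiry verify against the project's JWT secret.
  getUser(token: string): { data: { user: { id: string } | null }; error: { message: string } | null };
}
export interface Verdict { status: number; body: Record<string, unknown> }

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
export function b64url(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | (s.charCodeAt(i) & 0xff)) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(acc >> bits) & 63]; }
  }
  return bits > 0 ? out + B64[(acc << (6 - bits)) & 63] : out;
}
function b64urlDecode(s: string): string {
  let acc = 0, bits = 0, out = "";
  const body = s.replace(/=+$/, "");
  for (let i = 0; i < body.length; i++) {
    const v = B64.indexOf(body[i]);
    if (v < 0) throw new Error("not base64url");
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

export function bearerToken(header: string | null): string | null {
  const m = header ? /^Bearer\s+(\S+)$/i.exec(header.trim()) : null;
  return m ? m[1] : null;
}

// BEFORE (the pattern the changelog removed): split the JWT, base64-decode the
// payload and trust its "sub". No signature is checked, so any client can mint
// a token naming a moderator's id and the role check passes for them.
function unverifiedSub(token: string): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(b64urlDecode(parts[1])) as { sub?: unknown };
    return typeof claims.sub === "string" ? claims.sub : null;
  } catch { return null; }
}
export function approveUnverified(authHeader: string | null, profiles: ProfileStore): Verdict {
  const token = bearerToken(authHeader);
  const sub = token ? unverifiedSub(token) : null;
  if (!sub) return { status: 401, body: { error: "missing or malformed token" } };
  return authorize(sub, profiles);
}

// AFTER: the auth backend verifies the token and the caller identity is the
// verified user id, not a claim or a userId field from the request body.
export function approveVerified(authHeader: string | null, auth: AuthBackend, profiles: ProfileStore): Verdict {
  const token = bearerToken(authHeader);
  if (!token) return { status: 401, body: { error: "missing token" } };
  const { data, error } = auth.getUser(token);
  if (error || !data.user) return { status: 401, body: { error: "invalid or expired token" } };
  return authorize(data.user.id, profiles);
}

// Shared policy: banned users are refused before any role check, and the role
// comes from the database rather than from anything the client sent.
function authorize(userId: string, profiles: ProfileStore): Verdict {
  let profile: Profile | undefined;
  try {
    profile = profiles.get(userId);
  } catch (e) {
    console.error("profile lookup failed", e); // detail goes to logs, not to the client
    return { status: 500, body: { error: "internal error" } };
  }
  if (!profile || profile.banned) return { status: 403, body: { error: "account unknown or suspended" } };
  if (profile.role === "user") return { status: 403, body: { error: "moderator role required" } };
  return { status: 200, body: { approvedBy: userId } };
}

// Constructed fixtures: three profiles and a fake auth backend that only
// recognises tokens it issued itself (as a real signature check would).
export function demo(): Record<string, number> {
  const table: Record<string, Profile> = {
    "u-mod": { id: "u-mod", role: "moderator", banned: false },
    "u-banned": { id: "u-banned", role: "moderator", banned: true },
    "u-plain": { id: "u-plain", role: "user", banned: false },
  };
  const profiles: ProfileStore = { get: (id) => table[id] };
  const issued: Record<string, string> = {}; // token -> user id
  const auth: AuthBackend = {
    getUser: (t) => t in issued
      ? { data: { user: { id: issued[t] } }, error: null }
      : { data: { user: null }, error: { message: "invalid JWT" } },
  };
  const mint = (sub: string, sig: string) =>
    `${b64url('{"alg":"HS256","typ":"JWT"}')}.${b64url(JSON.stringify({ sub }))}.${sig}`;
  const issue = (sub: string) => { const t = mint(sub, "real-sig"); issued[t] = sub; return t; };
  const legit = issue("u-mod"), banned = issue("u-banned"), plain = issue("u-plain");
  const forged = mint("u-mod", "whatever"); // attacker-minted: same payload, never issued
  return {
    forgedOld: approveUnverified(`Bearer ${forged}`, profiles).status, // 200: impersonation works
    forgedNew: approveVerified(`Bearer ${forged}`, auth, profiles).status, // 401
    legitNew: approveVerified(`Bearer ${legit}`, auth, profiles).status, // 200
    bannedNew: approveVerified(`Bearer ${banned}`, auth, profiles).status, // 403
    plainNew: approveVerified(`Bearer ${plain}`, auth, profiles).status, // 403
  };
}
```

Setting verify_jwt = true in supabase/config.toml (the upload-image change) rejects requests without a valid JWT before the function runs, but it does not replace the profile checks: a valid token only proves the caller is some authenticated user, so the ban and role checks still belong in the function. The 500 branch logs the underlying error and returns a generic message; detailed errors are useful in the function logs, not in the HTTP response body.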

User Preferences

Preferred communication style: Simple, everyday language.

System Architecture

Frontend

  • Tech Stack: React + TypeScript with Vite, Radix UI + Tailwind CSS (shadcn/ui), TanStack Query for state management, React Router v6 for routing.
  • Component Structure: Utilizes layout, page-level, reusable UI, and custom domain components.
  • Design System: HSL-based color system, dark/light theme support, custom gradients, Inter font, responsive and mobile-first design.
  • State Management: TanStack Query for server state, React Context for authentication, custom hooks for business logic, and Realtime subscriptions for live updates.

Backend

  • Database (Supabase PostgreSQL): Stores core entities (parks, rides, companies), location data, review/rating systems, user profiles, content submission workflows, and image metadata.
  • Authentication & Authorization: Supabase Auth for user management (magic link, email/password), Cloudflare Turnstile for bot protection, role-based access control (user, moderator, admin, superuser), and Row-Level Security (RLS).
  • Content Moderation: Two-tier submission workflow with dependency tracking, conflict resolution, real-time updates for moderation queues, automated slug generation, and status tracking.
  • Data Access: Security definer functions for privileged operations, complex joins, aggregated data, full-text search, and real-time subscriptions.

Image Management

  • Cloudflare Images Integration: Used for media storage and transformation, with uploads proxied via Supabase Edge Functions. Supports multiple variants for responsive display and stores metadata in Supabase.
  • Upload Workflow: Uppy dashboard for multi-file uploads, image editor integration, progress tracking, and automatic resizing/optimization via Cloudflare.

Notification System (Novu)

  • Architecture: Multi-channel delivery (in-app, email, push), workflow-based templates, per-workflow user preferences, frequency controls, and headless notifications.
  • Features: Supports subscriber management and preference syncing via Supabase Edge Functions.

Search & Discovery

  • Multi-Entity Search: Unified search across parks, rides, and companies with autocomplete, recent history, category/type filtering, and advanced filters.
  • Location Features: Automatic unit conversion, geo-based preferences, and distance/measurement system settings.

User Management

  • Profile System: Customizable usernames, display names, avatars, bios, privacy controls, home park selection, and activity tracking.
  • User Blocking: Functionality to block users and hide their content.
  • Role Management: Hierarchical permission system for superuser, admin, moderator, and user roles, with role-specific UI and routes.

Admin & Moderation

  • Moderation Queue: Real-time monitoring of submissions, item-level approval/rejection, dependency conflict resolution, bulk actions, and status tracking.
  • Admin Settings: System-wide configuration with category-based organization and audit trails.
  • Reports System: Manages user-generated content reports with status workflows.

External Dependencies

Third-Party Services

  • Supabase: PostgreSQL database, authentication, real-time, Edge Functions, storage.
  • Cloudflare: Cloudflare Images for media storage/transformation, Turnstile for CAPTCHA.
  • Novu: Multi-channel notification delivery, workflow management.
  • Uppy: File upload interface and image editor.
  • Google Fonts: For the Inter typeface.
  • Radix UI: For accessible UI components.

API Integrations

  • Supabase Edge Functions:
    • upload-image: Cloudflare Images upload/delete proxy; JWT verified via config.toml, banned-user checks on POST and DELETE.
    • process-selective-approval: Moderation approvals; verifies the caller's JWT and enforces moderator/admin roles server-side.
    • cancel-email-change: Cancels a pending email change; verifies the caller with auth.getUser(token) on a service role client.
    • detect-location: Geolocation lookup via a configurable API (GEOLOCATION_API_URL, GEOLOCATION_API_FIELDS; defaults to ip-api.com).
    • trigger-novu-notification: Sends Novu notifications.
    • sync-novu-subscriber: Manages Novu subscribers.
    • sync-novu-preferences: Syncs notification preferences.
  • Database Functions (PostgreSQL): For privacy checks, role-based permissions, and automated tasks.

Environment Configuration

  • Requires VITE_NOVU_APPLICATION_IDENTIFIER, VITE_NOVU_SOCKET_URL, VITE_NOVU_API_URL, VITE_CLOUDFLARE_ACCOUNT_HASH, VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY, VITE_TURNSTILE_SITE_KEY, and Cloudflare Images API credentials. VITE_-prefixed values are embedded in the client bundle, so only publishable values (anon key, site key, account hash) belong there; the Cloudflare Images API credentials stay server-side.
  • Edge Functions read SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY at runtime; detect-location optionally reads GEOLOCATION_API_URL and GEOLOCATION_API_FIELDS.
  • Utilizes feature flags for theme persistence, unit preferences, auto-detection for location settings, and notification channel preferences.