Security fixes:
1. Drawings cache now includes userId in cache key to prevent data leakage
between users making identical queries.
2. Socket.io connections now require JWT authentication when auth is enabled.
3. Socket.io join-room verifies drawing ownership before allowing access.
4. Frontend passes auth token when connecting to Socket.io.
Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>
- Update test utilities for user authentication
- Update Settings page for authenticated export
- Update docker-compose.yml if needed
- Update package-lock.json files
* feat(security): implement CSRF protection
* chore: clean up CSRF implementation
- Remove unused generateCsrfToken export from security.ts
- Remove redundant /csrf-token path check (GET already exempt)
- Restore defineConfig wrapper in vitest.config.ts for type safety
* add K8S note in README, fix broken e2e
* feat/upload-bar (#30)
* feat/upload-bar: add a upload bar when user upload file, indicate the upload process
* feat/save-loading-status: add save status when click back button from editor
* fix: address PR review issues in upload and save features
- Replace deprecated substr() with substring() in UploadContext
- Fix broken error handling that checked stale task status
- Fix missing useEffect dependency in UploadStatus
- Fix CSS class conflict in progress bar styling
- Add error recovery for save state in Editor (reset on failure)
- Use .finally() instead of .then() to ensure refresh on upload failure
- Fix inconsistent indentation in UploadContext
* fix e2e tests
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
* chore: pre-release v0.2.1-dev
* Update backend/src/security.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix filename/math random UUID generation
---------
Co-authored-by: AdrianAcala <adrianacala017@gmail.com>
Co-authored-by: adamant368 <60790941+Yiheng-Liu@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* feat: implement comprehensive testing infrastructure
- Fix image dataURL truncation bug in security.ts with configurable size limits
- Add backend integration tests (22 tests) with Vitest for API validation
- Add frontend unit tests (11 tests) for JSON serialization
- Implement browser-based E2E tests (8 tests) with Playwright
- Create Docker setup for repeatable E2E testing environment
- Add GitHub Actions CI workflow for automated testing
- Update .gitignore for test artifacts and temporary files
Testing Infrastructure:
- Backend: Vitest + Supertest for API integration tests
- Frontend: Vitest + Testing Library for component tests
- E2E: Playwright with Chromium for full browser automation
- CI/CD: GitHub Actions with parallel test execution
Security Improvements:
- Make dataURL size limit configurable (default: 10MB)
- Enhanced validation for image dataURLs
- Block malicious content (javascript:, script tags)
All tests pass: 41 total (22 backend + 11 frontend + 8 E2E)
* feat(tests): add comprehensive E2E tests for dashboard workflows and image persistence
chore(env): update environment variables for consistent API URL usage
fix(api): centralize API request helpers for drawing and collection management
style(DrawingCard): enhance accessibility with ARIA attributes and data-testid for testing
* cleanup/revise documentation
* cleanup/revise documentation
* Add end-to-end tests for drawing CRUD, export/import, search/sort, and theme toggle functionalities
- Implemented E2E tests for drawing creation, editing, and deletion in `drawing-crud.spec.ts`.
- Added tests for export and import features, including JSON and SQLite formats in `export-import.spec.ts`.
- Created tests for searching and sorting drawings by name and date in `search-and-sort.spec.ts`.
- Developed tests for theme toggle functionality to ensure persistence across sessions in `theme-toggle.spec.ts`.
* fix: exclude test files from production build to fix Docker build
* feat: implement comprehensive testing infrastructure (#19)
* bump version 0.1.7
* feat: implement comprehensive testing infrastructure
- Fix image dataURL truncation bug in security.ts with configurable size limits
- Add backend integration tests (22 tests) with Vitest for API validation
- Add frontend unit tests (11 tests) for JSON serialization
- Implement browser-based E2E tests (8 tests) with Playwright
- Create Docker setup for repeatable E2E testing environment
- Add GitHub Actions CI workflow for automated testing
- Update .gitignore for test artifacts and temporary files
Testing Infrastructure:
- Backend: Vitest + Supertest for API integration tests
- Frontend: Vitest + Testing Library for component tests
- E2E: Playwright with Chromium for full browser automation
- CI/CD: GitHub Actions with parallel test execution
Security Improvements:
- Make dataURL size limit configurable (default: 10MB)
- Enhanced validation for image dataURLs
- Block malicious content (javascript:, script tags)
All tests pass: 41 total (22 backend + 11 frontend + 8 E2E)
* feat(tests): add comprehensive E2E tests for dashboard workflows and image persistence
chore(env): update environment variables for consistent API URL usage
fix(api): centralize API request helpers for drawing and collection management
style(DrawingCard): enhance accessibility with ARIA attributes and data-testid for testing
* Add end-to-end tests for drawing CRUD, export/import, search/sort, and theme toggle functionalities
- Implemented E2E tests for drawing creation, editing, and deletion in `drawing-crud.spec.ts`.
- Added tests for export and import features, including JSON and SQLite formats in `export-import.spec.ts`.
- Created tests for searching and sorting drawings by name and date in `search-and-sort.spec.ts`.
- Developed tests for theme toggle functionality to ensure persistence across sessions in `theme-toggle.spec.ts`.
* Update backend/src/__tests__/testUtils.ts
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
* version bump 0.1.8
* fix(ci): consolidate E2E server startup to prevent shell isolation issues
Background processes started with & in separate GitHub Actions run steps
can terminate when those steps complete because each step creates a new
shell. This caused the backend and frontend servers to die before the
E2E tests could run.
Fixed by consolidating server startup and test execution into a single
shell step with:
- Proper PID tracking for cleanup
- Health check loops instead of fixed sleep times
- All processes run in the same shell session
* fix(ci): use absolute database path for E2E tests
* fix(backend): use resolved DATABASE_URL path for export/import endpoints
---------
Co-authored-by: Adrian Acala <adrianacala017@gmail.com>
copilot-swe-agent[bot]