chore: release v0.3.1

CSRF token validation failing behind nginx proxy (#38 )
Express was not configured to trust proxy headers, causing req.ip to return nginx's internal container IP instead of the actual client IP. In Docker environments, nginx can appear with different internal IPs between requests, causing the CSRF clientId to change and token validation to fail.
2026-01-20 13:41:22 -08:00 · 2026-01-20 13:39:33 -08:00
6 changed files with 21 additions and 30 deletions
@@ -1 +1 @@
-0.3.0
+0.3.1
@@ -1,6 +1,6 @@
 {
  "name": "backend",
-  "version": "0.3.0",
+  "version": "0.3.1",
  "description": "",
  "main": "index.js",
  "scripts": {
@@ -129,6 +129,12 @@ const initializeUploadDir = async () => {
 };

 const app = express();
+
+// Trust proxy headers (X-Forwarded-For, X-Real-IP) from nginx
+// Required for correct client IP detection when running behind a reverse proxy
+// This fixes CSRF token validation failures in Docker/K8s environments
+app.set("trust proxy", 1);
+
 const httpServer = createServer(app);
 const io = new Server(httpServer, {
  cors: {
@@ -30,9 +30,7 @@ let activeConfig: SecurityConfig = { ...defaultConfig };
 * Configure security settings
 * @param config Partial configuration to merge with defaults
 */
-export const configureSecuritySettings = (
-  config: Partial<SecurityConfig>
-): void => {
+export const configureSecuritySettings = (config: Partial<SecurityConfig>): void => {
  activeConfig = { ...activeConfig, ...config };
 };

@@ -320,13 +318,10 @@ export const appStateSchema = z
      .optional()
      .nullable(),
    currentItemRoundness: z
-      .union([
-        z.enum(["sharp", "round"]),
-        z.object({
-          type: z.enum(["round", "sharp"]),
-          value: z.number().finite().min(0).max(1),
-        }),
-      ])
+      .object({
+        type: z.enum(["round", "sharp"]),
+        value: z.number().finite().min(0).max(1),
+      })
      .optional()
      .nullable(),
    currentItemFontSize: z
@@ -432,19 +427,10 @@ export const sanitizeDrawingData = (data: {
      ];

      // Dangerous URL protocols to block entirely
-      const dangerousProtocols = [
-        /^javascript:/i,
-        /^vbscript:/i,
-        /^data:text\/html/i,
-      ];
+      const dangerousProtocols = [/^javascript:/i, /^vbscript:/i, /^data:text\/html/i];

      // Suspicious patterns for security validation within data URLs
-      const suspiciousPatterns = [
-        /<script/i,
-        /javascript:/i,
-        /on\w+\s*=/i,
-        /<iframe/i,
-      ];
+      const suspiciousPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i, /<iframe/i];

      // Maximum size for dataURL (configurable, default 10MB to prevent DoS)
      const MAX_DATAURL_SIZE = activeConfig.maxDataUrlSize;
@@ -462,8 +448,8 @@ export const sanitizeDrawingData = (data: {
                const normalizedValue = value.toLowerCase();

                // First, check for dangerous protocols - block these entirely
-                const hasDangerousProtocol = dangerousProtocols.some(
-                  (pattern) => pattern.test(value)
+                const hasDangerousProtocol = dangerousProtocols.some((pattern) =>
+                  pattern.test(value)
                );

                if (hasDangerousProtocol) {
@@ -479,8 +465,8 @@ export const sanitizeDrawingData = (data: {

                if (isSafeImageType) {
                  // Check for suspicious content and size limits
-                  const hasSuspiciousContent = suspiciousPatterns.some(
-                    (pattern) => pattern.test(value)
+                  const hasSuspiciousContent = suspiciousPatterns.some((pattern) =>
+                    pattern.test(value)
                  );
                  const isTooLarge = value.length > MAX_DATAURL_SIZE;

@@ -584,7 +570,7 @@ const getCsrfSecret = (): Buffer => {
  const envLabel = process.env.NODE_ENV ? ` (${process.env.NODE_ENV})` : "";
  console.warn(
    `[security] CSRF_SECRET is not set${envLabel}. Using an ephemeral per-process secret. ` +
-      "For horizontal scaling (k8s), set CSRF_SECRET to the same value on all instances."
+    "For horizontal scaling (k8s), set CSRF_SECRET to the same value on all instances."
  );
  return cachedCsrfSecret;
 };
@@ -1,7 +1,7 @@
 {
  "name": "frontend",
  "private": true,
-  "version": "0.3.0",
+  "version": "0.3.1",
  "type": "module",
  "scripts": {
    "dev": "vite",
@@ -301,7 +301,6 @@ export const Editor: React.FC = () => {

    try {
      const persistableAppState = {
-        ...appState,
        viewBackgroundColor: appState?.viewBackgroundColor || '#ffffff',
        gridSize: appState?.gridSize || null,
      };
@@ -1 +1 @@
 .3.0
 .3.1