nate
96a58233fd
fix: flashbang
2026-03-19 10:08:20 +04:00
nate
d8d1952304
fix: elysia issues 2
2026-03-19 10:06:14 +04:00
nate
03fe13e707
fix: elysia issues
2026-03-19 10:00:30 +04:00
nate
61560ae521
feat: no-JS support for all core UI — registration, settings, monitor CRUD, logout
2026-03-19 09:55:08 +04:00
nate
c89b63bd97
feat: implement free/pro plan system with monitor and interval limits
2026-03-18 22:40:45 +04:00
nate
425bfbfc39
perf: optimize monitor runner, fix SSE leak, deduplicate shared utils
2026-03-18 18:44:08 +04:00
M1
1a7bc4dfa5
fix: sameSite=none for cross-origin cookie (pingql.com → api.pingql.com)
2026-03-18 11:41:00 +04:00
nate
5a0cf5033b
fix: harden auth, SSRF, query engine, and cookie security
2026-03-18 11:37:33 +04:00
M1
3df7f4b702
fix: logout properly expires cookie with matching domain/path attributes
2026-03-18 03:08:00 +04:00
M1
e461d73ce3
refactor: drop all hashing, store keys plaintext
2026-03-17 06:47:22 +04:00
M1
54c89a5a11
fix: store key_plain on sub-keys, display always in settings with copy button
2026-03-17 06:40:33 +04:00
M1
c684d96d90
fix: rename API Keys -> Sub-Keys, show key inline on creation, no reload
2026-03-17 06:37:29 +04:00
M1
b80f4673b2
fix: use standard UUID v4 for keys instead of custom 256-bit hex format
2026-03-17 06:26:52 +04:00
M1
bbd5df8c46
fix: 8 groups of 8 chars, not 16 groups of 4
2026-03-17 06:26:14 +04:00
M1
43a1abc2ed
fix: format keys as XXXX-XXXX-...-XXXX (8 groups), normalize before hashing
...
Keys are now human-readable grouped hex instead of raw 64-char blobs.
resolveKey() strips dashes before sha256/bcrypt so both formats work.
All key creation paths (register, reset-key, sub-keys) hash the
normalized form. Login placeholder and maxlength updated to match.
2026-03-17 06:25:19 +04:00
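The grouped key format and the normalize-before-hash step described in commit 43a1abc2ed, written out as an added example. This is not the project's code: it assumes a 32-byte random key rendered as 8 groups of 8 hex characters, and the names `formatKey`, `normalizeKey`, `lookupHash`, `generateKey` and `matchesLookup` are hypothetical. Only the SHA-256 lookup side of the commit's "SHA-256 lookup + bcrypt hash" design is shown; the bcrypt verification that would follow a lookup match is left out. A later entry in this log (e461d73ce3) drops hashing for plaintext storage; the example shows the hashed design.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Key layout assumed for this example: 256 bits = 64 hex chars, displayed as 8 groups of 8.
const GROUPS = 8;
const GROUP_LEN = 8;
const KEY_HEX_LEN = GROUPS * GROUP_LEN; // 64

// Render a 32-byte key as XXXXXXXX-XXXXXXXX-...-XXXXXXXX (8 groups of 8 hex chars).
function formatKey(raw: Buffer): string {
  if (raw.length !== KEY_HEX_LEN / 2) throw new Error("key must be 32 bytes");
  const hex = raw.toString("hex");
  const groups: string[] = [];
  for (let i = 0; i < KEY_HEX_LEN; i += GROUP_LEN) groups.push(hex.slice(i, i + GROUP_LEN));
  return groups.join("-");
}

// Accept both the grouped form and the raw 64-char form, in either case.
// Returns the canonical lowercase 64-char hex string, or null if it is not a key.
function normalizeKey(input: string): string | null {
  const stripped = input.trim().replace(/-/g, "").toLowerCase();
  return /^[0-9a-f]{64}$/.test(stripped) ? stripped : null;
}

// SHA-256 over the normalized form. Deterministic, so it can live in an indexed
// column and be used to find the row before any slower verification step.
function lookupHash(normalized: string): string {
  return createHash("sha256").update(normalized, "utf8").digest("hex");
}

// Create a new key: the grouped string shown to the user once, plus the value stored for lookup.
function generateKey(): { display: string; lookup: string } {
  const display = formatKey(randomBytes(32));
  const normalized = normalizeKey(display);
  if (normalized === null) throw new Error("unreachable: freshly formatted key failed to normalize");
  return { display, lookup: lookupHash(normalized) };
}

// Does a presented key (grouped or raw, any case) match a stored lookup hash?
// The comparison is constant-time so the check does not leak a prefix match.
function matchesLookup(presented: string, storedLookup: string): boolean {
  const normalized = normalizeKey(presented);
  if (normalized === null) return false;
  const presentedHash = Buffer.from(lookupHash(normalized), "hex");
  const stored = Buffer.from(storedLookup, "hex");
  return presentedHash.length === stored.length && timingSafeEqual(presentedHash, stored);
}
```

Because every creation path hashes the normalized form, the stored value is the same whether the client later sends the dashed or undashed string; the only place the dashes exist is the display string handed to the user.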
M1
6bdd76b4f0
security: auth redesign, SSRF protection, CORS lockdown, and 13 other fixes
...
- Auth (#2/#3): UUID PK, 256-bit keys, SHA-256 lookup + bcrypt hash
- SSRF (#1): validate URLs, block private IPs, cloud metadata endpoints
- CORS (#4): lock to pingql.com origins, not wildcard
- SSE limit (#6): 10 connections per monitor max
- ReDoS (#7): cap $regex patterns at 200 chars
- Monitor limit (#8): 100 per account default
- Cookie env config (#9): secure/domain from env vars
- Bearer parsing (#10): case-insensitive RFC 6750
- Pings retention (#11): 90-day pruner, hourly interval
- monitors.enabled index (#12): partial index for /internal/due
- Runner locking (#14): locked_until for horizontal scale safety
- COALESCE nullable bug (#17): dynamic PATCH with explicit undefined checks
- MONITOR_TOKEN null guard (#18): startup validation + middleware hardening
- reset-key cookie fix (#16): sets new cookie in response
2026-03-17 06:10:10 +04:00
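The SSRF item (#1) in commit 6bdd76b4f0 lists three checks: validate URLs, block private IPs, and block cloud metadata endpoints. The following is an added example of such a validator for a monitor target URL, not the project's implementation. `checkMonitorUrl` and the blocklists are hypothetical; the address ranges are the standard loopback, private, link-local (which contains 169.254.169.254, the AWS/Azure/GCP metadata address), CGNAT (which contains 100.100.100.200, the Alibaba Cloud metadata address), multicast and reserved ranges, and the hostname list is a constructed minimum.

```typescript
import { isIPv4, isIPv6 } from "node:net";

// Constructed blocklist for this example: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];
// Constructed hostname blocklist; 169.254.169.254 is handled by the ranges above.
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// True if ip lies inside base/bits. Bitwise ops coerce to int32, so compare as uint32.
function inCidrV4(ip: string, base: string, bits: number): boolean {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

function isBlockedV4(ip: string): boolean {
  return BLOCKED_V4.some(([base, bits]) => inCidrV4(ip, base, bits));
}

// Minimal IPv6 handling: mapped IPv4 (dotted or hex form), ::/16, link-local, unique-local.
function isBlockedV6(ip: string): boolean {
  const h = ip.toLowerCase();
  const mappedDotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (mappedDotted) return !isIPv4(mappedDotted[1]) || isBlockedV4(mappedDotted[1]);
  const mappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (mappedHex) {
    const hi = parseInt(mappedHex[1], 16), lo = parseInt(mappedHex[2], 16);
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (h.startsWith("::") || /^0+:/.test(h)) return true; // ::1, ::, other ::/16 forms
  const first = h.split(":")[0];
  if (/^fe[89ab]/.test(first)) return true;            // fe80::/10 link-local
  if (/^f[cd]/.test(first)) return true;               // fc00::/7 unique local
  return false;
}

// Returns null when the URL may be monitored, otherwise the reason it was rejected.
function checkMonitorUrl(input: string): string | null {
  let u: URL;
  try { u = new URL(input); } catch { return "unparseable URL"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "scheme not allowed";
  if (u.username || u.password) return "credentials in URL";
  // WHATWG parsing canonicalises IPv4 spellings such as 2130706433 or 0177.0.0.1 to dotted form,
  // so the range check below sees the real address.
  let host = u.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (isIPv4(host)) return isBlockedV4(host) ? "private or reserved IPv4 address" : null;
  if (isIPv6(host)) return isBlockedV6(host) ? "private or reserved IPv6 address" : null;
  const name = host.toLowerCase();
  if (BLOCKED_HOSTS.has(name) || name.endsWith(".localhost")) return "blocked hostname";
  if (!/[a-z]/.test(name)) return "hostname has no letters"; // digits-only names are not real DNS names
  return null;
}
```

This check runs on the URL as submitted. A hostname that passes here can still resolve to a private address at fetch time (DNS rebinding, or a redirect to an internal host), so the same range check should also be applied to the address actually connected to and to each redirect target; that step is not shown above and is not something this log describes.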
M1
0597c7f6e7
fix: set cookie domain to .pingql.com so it works on both subdomains
2026-03-16 17:26:56 +04:00
M1
ef56b47b09
feat: cookie-based auth, SSR dashboard, JS-optional login
2026-03-16 17:25:59 +04:00
M1
0b69fbfc72
fix: requireAuth uses onBeforeHandle instead of error() in derive
2026-03-16 15:56:33 +04:00
M1
ce155cd338
feat: settings page — email, key rotation, sub-keys
2026-03-16 15:05:39 +04:00
M1
eb3ef7745f
fix: emails used for recovery only, not notifications (notifications coming later)
2026-03-16 14:59:17 +04:00
M1
a22112dc77
refactor: merge auth into account prefix (/account/register, /account/email)
2026-03-16 13:37:20 +04:00
M1
692d7eb4f5
feat: post-registration key screen + optional email step
2026-03-16 12:55:52 +04:00
M1
570222c7a9
Initial scaffold: web API (Bun/Elysia) + monitor (Rust/Tokio)
2026-03-16 11:40:24 +04:00