Archive/screentinker
1
0
Fork 0
mirror of https://github.com/screentinker/screentinker.git synced 2026-06-29 09:23:16 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
screentinker/server/test
History
screentinker 618a7048c6
fix(server): proxy remote YouTube thumbnails + real version in boot banner (#131) 
* fix(server): proxy remote YouTube thumbnails instead of ENOENT on a local path

YouTube content stores thumbnail_path as a REMOTE URL
(https://img.youtube.com/vi/<id>/hqdefault.jpg), but the thumbnail-serving route
path.resolve'd it into contentDir -> a local file that never existed -> ENOENT logged
a few times a minute (the tester-log spam). Recreating content didn't help (new rows
store the same remote URL).

- GET /api/content/:id/thumbnail now proxies a remote http(s) thumbnail_path
  server-side (same-origin, so dashboard CSP img-src is unaffected) via a non-throwing
  helper: upstream 404 -> 404, other failure/timeout -> 502, image/* only (modest SSRF
  hardening; the URL is server-set at ingest). Local thumbnails keep the sendFile path;
  the playlist/widget/workspace access gating is unchanged for both branches.
- routes/widgets.js inlineUserContent skips the disk read for a remote thumbnail and
  leaves the /api/content/:id/thumbnail reference in place (the proxy serves it).
- routes/content.js ingest unchanged; a comment notes the future download-at-ingest +
  backfill option for CDN independence.
- New test/thumbnail-proxy.test.js: local sendFile still works; a remote thumbnail is
  proxied (mock upstream, no local read, no ENOENT); upstream 404 -> clean 404. Full
  server suite 164/164.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(server): boot banner shows the real version, not a hardcoded v1.2.0

The startup ASCII banner printed "ScreenTinker Server v1.2.0". Use the already-imported
VERSION (require('./version'), the single source of truth that reads the root VERSION
file) in a fixed-width field (VERSION.padEnd(22).slice(0, 22) — the same padEnd
discipline the port line uses) so the fixed-width box border stays aligned for any
version length. No other behavior changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 17:00:24 -05:00
..
admin-users.test.js feat(admin): Delete Organization + Workspace with cascade (#36) 2026-06-09 09:22:21 -05:00
agency-digest.test.js feat(api): batched email digest for agency uploads (#73) 2026-06-14 13:59:37 -05:00
agency-gate.test.js feat(api): agency portal endpoints + router.param target seam (#73) 2026-06-13 22:48:42 -05:00
agency-layouts.test.js feat(api): GET /api/agency/layouts - device-free layout geometry (#73) 2026-06-14 13:53:30 -05:00
agency-list.test.js feat(api): GET /api/agency/playlists - a token's designated targets (#73) 2026-06-14 13:08:07 -05:00
agency-scope.test.js feat(api): agency-token security primitive - off-ladder scope + agencyGate (#73) 2026-06-13 21:30:38 -05:00
agency.test.js feat: full-screen-only guardrail for agency designations (#73) 2026-06-14 17:36:30 -05:00
ai-design.test.js fix(ai): de-overlap generated text + layer shapes behind text (#41) 2026-06-09 12:57:41 -05:00
api.test.js PiP overlay MVP: push image/web overlays to a device or group (#109) (#127) 2026-06-18 14:54:44 -05:00
apitoken-unit.test.js test(api): close #92 follow-up coverage gaps 2026-06-12 20:10:36 -05:00
branding.test.js feat(branding): instance-level default white-label branding (#15) 2026-06-08 16:55:22 -05:00
config-paths.test.js chore(version): single-source VERSION, env-configurable data paths, bump tooling 2026-06-10 12:56:03 -05:00
i18n-tokens.test.js test(api): close #92 follow-up coverage gaps 2026-06-12 20:10:36 -05:00
mute.test.js Fix per-item mute (#129): persist, ship to device, and toggle in real time (#130) 2026-06-18 16:54:23 -05:00
openapi-contract.test.js test(api): fix spec scope drift + guard it in CI; Redoc provenance 2026-06-12 18:45:09 -05:00
operator-permissions.test.js fix(roles): make platform_operator assignable + add deny/assign regression tests 2026-06-05 12:44:39 -05:00
pair-lockout.test.js fix(api): harden device pairing against brute-force (#87) 2026-06-12 20:16:12 -05:00
pip-overlay.test.js PiP overlay MVP: push image/web overlays to a device or group (#109) (#127) 2026-06-18 14:54:44 -05:00
provisioning.test.js fix(api): consolidate device pairing to /pair, remove vestigial bare endpoint (#90) 2026-06-12 20:13:16 -05:00
schedule-eval.test.js feat(scheduling): per-item schedule blocks (#74 dayparting, #75 auto-expire) 2026-06-11 15:46:41 -05:00
schema-check.test.js fix(db): observable migrations + fail-fast schema verification (#37) 2026-06-09 09:31:52 -05:00
security-fixes.test.js fix(security): patch quick-win findings from the codebase review 2026-06-08 19:02:19 -05:00
tenant-cascade-migration.test.js fix(db): cascade tenant resources on workspace/org delete (#18 follow-up) 2026-06-08 16:01:52 -05:00
thumbnail-proxy.test.js fix(server): proxy remote YouTube thumbnails + real version in boot banner (#131) 2026-06-18 17:00:24 -05:00
tizen-eval-drift.test.js feat(scheduling): per-item schedule blocks (#74 dayparting, #75 auto-expire) 2026-06-11 15:46:41 -05:00
totp-keyrotation.test.js test(server): TOTP - bite, lockout, replay, recovery, st_ bypass, key-rotation (#100) 2026-06-13 20:48:55 -05:00
totp-unit.test.js test(server): TOTP - bite, lockout, replay, recovery, st_ bypass, key-rotation (#100) 2026-06-13 20:48:55 -05:00
totp.test.js fix(server): strip totp_secret_enc/totp_last_step from login responses (#100) 2026-06-13 20:48:55 -05:00
user-deletion.test.js feat(admin): Delete Organization + Workspace with cascade (#36) 2026-06-09 09:22:21 -05:00
widget-render-xss.test.js fix(security): sanitize public widget render to close stored XSS 2026-06-08 19:11:14 -05:00