@qwickapps/server 1.8.2 → 1.10.0

package/src/utils/url.test.ts

@@ -0,0 +1,43 @@
+import { sanitizeUrl } from './url.js';
+
+describe('sanitizeUrl', () => {
+  it('allows https URLs', () => {
+    expect(sanitizeUrl('https://example.com')).toBe('https://example.com');
+  });
+
+  it('allows http URLs', () => {
+    expect(sanitizeUrl('http://example.com/path')).toBe('http://example.com/path');
+  });
+
+  it('allows relative URLs starting with /', () => {
+    expect(sanitizeUrl('/relative/path')).toBe('/relative/path');
+  });
+
+  it('blocks javascript: protocol', () => {
+    expect(sanitizeUrl('javascript:alert(document.cookie)')).toBe('#');
+  });
+
+  it('blocks javascript: with uppercase', () => {
+    expect(sanitizeUrl('JavaScript:alert(1)')).toBe('#');
+  });
+
+  it('blocks data: protocol', () => {
+    expect(sanitizeUrl('data:text/html,<h1>test</h1>')).toBe('#');
+  });
+
+  it('blocks vbscript: protocol', () => {
+    expect(sanitizeUrl('vbscript:msgbox(1)')).toBe('#');
+  });
+
+  it('returns fallback for empty string', () => {
+    expect(sanitizeUrl('')).toBe('#');
+  });
+
+  it('returns custom fallback when provided', () => {
+    expect(sanitizeUrl('javascript:alert(1)', '/safe')).toBe('/safe');
+  });
+
+  it('returns fallback for malformed URLs', () => {
+    expect(sanitizeUrl('not a url at all')).toBe('#');
+  });
+});

package/src/utils/url.ts

@@ -0,0 +1,21 @@
+/**
+ * Sanitizes a URL to prevent javascript: and other dangerous protocol injections
+ * when interpolating user-supplied URLs into HTML href attributes.
+ *
+ * Allows: http:, https:, and relative URLs (starting with /).
+ * Returns fallback for any other protocol (e.g., javascript:, data:, vbscript:).
+ */
+export function sanitizeUrl(url: string, fallback = '#'): string {
+  if (!url) return fallback;
+  // Allow relative URLs
+  if (url.startsWith('/')) return url;
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
+      return url;
+    }
+    return fallback;
+  } catch {
+    return fallback;
+  }
+}

package/ui/src/dashboard/widgets/AuthStatusWidget.tsx

@@ -12,14 +12,9 @@ import { Box, Typography, Chip, CircularProgress, Alert } from '@mui/material';
 import CheckCircleIcon from '@mui/icons-material/CheckCircle';
 import ErrorIcon from '@mui/icons-material/Error';
 import BlockIcon from '@mui/icons-material/Block';
-import { api } from '../../api/controlPanelApi';
+import { api, type AuthConfigStatus } from '../../api/controlPanelApi';
 
-interface AuthStatus {
-  state: 'enabled' | 'disabled' | 'error';
-  adapter: string | null;
-  error?: string;
-  missingVars?: string[];
-}
+type AuthStatus = AuthConfigStatus;
 
 const adapterLabels: Record<string, string> = {
   supertokens: 'SuperTokens',
@@ -36,7 +31,7 @@ export function AuthStatusWidget() {
   useEffect(() => {
     const fetchStatus = async () => {
       try {
-        const data = await api.fetch<AuthStatus>('/auth/config/status');
+        const data = await api.getAuthConfigStatus();
         setStatus(data);
       } catch (err) {
         setError(err instanceof Error ? err.message : 'Failed to fetch auth status');

package/ui/src/dashboard/widgets/DatabaseOperationsWidget.tsx

@@ -33,6 +33,7 @@ interface DatabaseStatus {
   user?: string;
   host?: string;
   port?: number;
+  managed?: boolean;
   errorMessage?: string;
   autoInitializeEnabled: boolean;
   adminCredentialsProvided: boolean;
@@ -360,6 +361,12 @@ export const DatabaseOperationsWidget: React.FC<DatabaseOperationsWidgetProps> =
             </Typography>
           </Box>
 
+          {status.managed && (
+            <Alert severity="info" sx={{ mt: 2 }}>
+              Managed database (Neon / Supabase). Delete and recreate is disabled — manage your database through the provider dashboard.
+            </Alert>
+          )}
+
           {!status.connected && !operating && (
             <Box sx={{ display: 'flex', gap: 1, mt: 2 }}>
               <Button
@@ -370,14 +377,16 @@ export const DatabaseOperationsWidget: React.FC<DatabaseOperationsWidgetProps> =
               >
                 Initialize Database
               </Button>
-              <Button
-                variant="contained"
-                color="error"
-                onClick={() => startOperation('recreate')}
-                size="small"
-              >
-                Recreate Database
-              </Button>
+              {!status.managed && (
+                <Button
+                  variant="contained"
+                  color="error"
+                  onClick={() => startOperation('recreate')}
+                  size="small"
+                >
+                  Recreate Database
+                </Button>
+              )}
             </Box>
           )}
         </CardContent>