security hygiene pass from audit
Created by: jedmund
First slice of fixes from the recent codebase audit — the three critical/security items. Architecture, styling, and minor fixes will follow in separate branches.
Changes
-
Remove Redis URL log leak —
console.log(process.env.REDIS_URL)at boot was dumping the connection string (creds included) into production logs. Also deleted three leftover scratch files at repo root (test-db.ts,test-form-loading.js,SVG_ANALYSIS_REPORT.md). -
Require
ADMIN_SESSION_SECRET— dropped the'dev-session-secret'fallback so the secret must be set in every environment. Also removed theGEThandler from/admin/logoutso a<img src>on another page can't CSRF you out. -
Sanitize editor HTML — all
{@html}output fromrenderEdraContent()now passes throughisomorphic-dompurify. YouTube iframes and audio-player data attributes are still allowed; scripts /onerror/javascript:URLs are stripped.
Deploy notes
- Railway already has
ADMIN_SESSION_SECRETset — no env changes needed there. - Local dev now requires
ADMIN_SESSION_SECRETin.env.local(already in.env.example).
Test plan
-
pnpm dev— admin login still works; confirm noREDIS_URLline in terminal at boot -
GET /admin/logoutreturns 405, not a redirect that clears the cookie -
POST /admin/logoutstill logs you out -
Garden / album pages with normal content render unchanged -
Inject <script>/onerrorpayload via editor JSON → confirm stripped on render -
YouTube embed still renders