Merge pull request #3 from bytevet/dev

feat: result viewer CSP, system perf, templates & docker improvements

Author: SYM01

server/api/files.ts

@@ -1,12 +1,14 @@
 import { Hono } from "hono";
 import { z } from "zod";
 import { zValidator } from "@hono/zod-validator";
-import { db } from "../db/index.js";
-import * as schema from "../db/schema.js";
-import { eq } from "drizzle-orm";
 import { getDockerClient } from "../lib/docker.js";
 import type { AuthEnv } from "../middleware/auth.js";
 import { authMiddleware } from "../middleware/auth.js";
+import {
+  requireSessionAccess,
+  SessionAccessError,
+  handleSessionAccessError,
+} from "../lib/session.js";
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -41,19 +43,13 @@ async function execInContainer(
   });
 }
 
-async function requireSessionOwnership(
+async function requireSessionWithContainer(
   sessionId: string,
-  session: { user: { id: string; role?: string | null } },
+  user: { id: string; role?: string | null },
 ) {
-  const [codingSession] = await db
-    .select()
-    .from(schema.codingSessions)
-    .where(eq(schema.codingSessions.id, sessionId))
-    .limit(1);
-  if (!codingSession) throw new Error("Session not found");
-  if (!codingSession.containerId) throw new Error("Session has no container");
-  if (codingSession.userId !== session.user.id && session.user.role !== "admin") {
-    throw new Error("Forbidden");
+  const codingSession = await requireSessionAccess(sessionId, user);
+  if (!codingSession.containerId) {
+    throw new SessionAccessError("Session has no container", 400);
   }
   return codingSession as typeof codingSession & { containerId: string };
 }
@@ -121,12 +117,13 @@ const pathParam = z.object({
 // ---------------------------------------------------------------------------
 
 const app = new Hono<AuthEnv>()
+  .onError(handleSessionAccessError)
   // GET /api/files/list — list files in directory
   .get("/list", authMiddleware, zValidator("query", pathParam), async (c) => {
     const { sessionId, path: dirPath } = c.req.valid("query");
     const session = c.get("session");
 
-    const codingSession = await requireSessionOwnership(sessionId, session);
+    const codingSession = await requireSessionWithContainer(sessionId, session.user);
     const output = await execInContainer(codingSession.containerId, [
       "ls",
       "-la",
@@ -190,7 +187,7 @@ const app = new Hono<AuthEnv>()
     const { sessionId, path: filePath } = c.req.valid("query");
     const session = c.get("session");
 
-    const codingSession = await requireSessionOwnership(sessionId, session);
+    const codingSession = await requireSessionWithContainer(sessionId, session.user);
     const content = await execInContainer(codingSession.containerId, ["cat", filePath]);
     return c.text(content);
   })
@@ -204,7 +201,7 @@ const app = new Hono<AuthEnv>()
       const { sessionId } = c.req.valid("query");
       const session = c.get("session");
 
-      const codingSession = await requireSessionOwnership(sessionId, session);
+      const codingSession = await requireSessionWithContainer(sessionId, session.user);
       const output = await execInContainer(
         codingSession.containerId,
         ["git", "-C", "/workspace", "diff", "--stat"],
@@ -219,7 +216,7 @@ const app = new Hono<AuthEnv>()
     const { sessionId, path: filePath } = c.req.valid("query");
     const session = c.get("session");
 
-    const codingSession = await requireSessionOwnership(sessionId, session);
+    const codingSession = await requireSessionWithContainer(sessionId, session.user);
 
     let gitRoot: string;
     try {

server/api/sessions.ts

@@ -4,13 +4,37 @@ import { zValidator } from "@hono/zod-validator";
 import { randomBytes } from "node:crypto";
 import { db } from "../db/index.js";
 import * as schema from "../db/schema.js";
-import { eq, desc, count, and, isNotNull, isNull, type SQL } from "drizzle-orm";
+import {
+  eq,
+  desc,
+  count,
+  and,
+  isNotNull,
+  isNull,
+  sql,
+  getTableColumns,
+  type SQL,
+} from "drizzle-orm";
 import { getDockerClient } from "../lib/docker.js";
 import type { AuthEnv } from "../middleware/auth.js";
 import { authMiddleware } from "../middleware/auth.js";
 import { paginationQuery } from "../lib/pagination.js";
+import { requireSessionAccess, handleSessionAccessError } from "../lib/session.js";
+
+/** Session columns without the potentially-large resultHtml blob. */
+const { resultHtml: _resultHtml, ...sessionColumns } = getTableColumns(schema.codingSessions);
+const sessionSummary = {
+  ...sessionColumns,
+  hasResult: sql<boolean>`${schema.codingSessions.resultHtml} is not null`.as("has_result"),
+};
+
+/** Strip resultHtml from a raw DB row and add hasResult boolean. */
+function toSessionSummary<T extends { resultHtml?: string | null }>({ resultHtml, ...rest }: T) {
+  return { ...rest, hasResult: resultHtml != null };
+}
 
 const app = new Hono<AuthEnv>()
+  .onError(handleSessionAccessError)
   // ---------------------------------------------------------------------------
   // GET /api/sessions — list sessions
   // ---------------------------------------------------------------------------
@@ -55,7 +79,7 @@ const app = new Hono<AuthEnv>()
 
         const rows = await db
           .select({
-            session: schema.codingSessions,
+            ...sessionSummary,
             userName: schema.user.name,
             userEmail: schema.user.email,
           })
@@ -67,9 +91,9 @@ const app = new Hono<AuthEnv>()
           .offset(offset);
 
         return c.json({
-          data: rows.map((r) => ({
-            ...r.session,
-            user: { name: r.userName, email: r.userEmail },
+          data: rows.map(({ userName, userEmail, ...s }) => ({
+            ...s,
+            user: { name: userName, email: userEmail },
           })),
           total,
           page,
@@ -86,7 +110,7 @@ const app = new Hono<AuthEnv>()
         .where(where);
 
       const rows = await db
-        .select()
+        .select(sessionSummary)
         .from(schema.codingSessions)
         .where(where)
         .orderBy(desc(schema.codingSessions.createdAt))
@@ -105,7 +129,7 @@ const app = new Hono<AuthEnv>()
     const id = c.req.param("id");
 
     const [codingSession] = await db
-      .select()
+      .select(sessionSummary)
       .from(schema.codingSessions)
       .where(eq(schema.codingSessions.id, id))
       .limit(1);
@@ -325,7 +349,7 @@ const app = new Hono<AuthEnv>()
           .where(eq(schema.codingSessions.id, codingSession.id))
           .returning();
 
-        return c.json(updated[0]);
+        return c.json(toSessionSummary(updated[0]));
       } catch (err) {
         await db
           .update(schema.codingSessions)
@@ -349,19 +373,8 @@ const app = new Hono<AuthEnv>()
   // PUT /api/sessions/:id/stop
   // ---------------------------------------------------------------------------
   .put("/:id/stop", authMiddleware, async (c) => {
-    const session = c.get("session");
     const id = c.req.param("id");
-
-    const [codingSession] = await db
-      .select()
-      .from(schema.codingSessions)
-      .where(eq(schema.codingSessions.id, id))
-      .limit(1);
-
-    if (!codingSession) return c.json({ error: "Session not found" }, 404);
-    if (codingSession.userId !== session.user.id && session.user.role !== "admin") {
-      return c.json({ error: "Forbidden" }, 403);
-    }
+    const codingSession = await requireSessionAccess(id, c.get("session").user);
 
     if (!codingSession.containerId) {
       return c.json({ error: "No container associated with this session" }, 400);
@@ -384,26 +397,15 @@ const app = new Hono<AuthEnv>()
       .where(eq(schema.codingSessions.id, id))
       .returning();
 
-    return c.json(updated[0]);
+    return c.json(toSessionSummary(updated[0]));
   })
 
   // ---------------------------------------------------------------------------
   // DELETE /api/sessions/:id — destroy session + container
   // ---------------------------------------------------------------------------
   .delete("/:id", authMiddleware, async (c) => {
-    const session = c.get("session");
     const id = c.req.param("id");
-
-    const [codingSession] = await db
-      .select()
-      .from(schema.codingSessions)
-      .where(eq(schema.codingSessions.id, id))
-      .limit(1);
-
-    if (!codingSession) return c.json({ error: "Session not found" }, 404);
-    if (codingSession.userId !== session.user.id && session.user.role !== "admin") {
-      return c.json({ error: "Forbidden" }, 403);
-    }
+    const codingSession = await requireSessionAccess(id, c.get("session").user);
 
     if (codingSession.containerId) {
       try {
@@ -427,19 +429,8 @@ const app = new Hono<AuthEnv>()
   // PUT /api/sessions/:id/restart
   // ---------------------------------------------------------------------------
   .put("/:id/restart", authMiddleware, async (c) => {
-    const session = c.get("session");
     const id = c.req.param("id");
-
-    const [codingSession] = await db
-      .select()
-      .from(schema.codingSessions)
-      .where(eq(schema.codingSessions.id, id))
-      .limit(1);
-
-    if (!codingSession) return c.json({ error: "Session not found" }, 404);
-    if (codingSession.userId !== session.user.id && session.user.role !== "admin") {
-      return c.json({ error: "Forbidden" }, 403);
-    }
+    const codingSession = await requireSessionAccess(id, c.get("session").user);
 
     if (!codingSession.containerId) {
       return c.json({ error: "No container associated with this session" }, 400);
@@ -515,26 +506,15 @@ const app = new Hono<AuthEnv>()
       .where(eq(schema.codingSessions.id, id))
       .returning();
 
-    return c.json(updated[0]);
+    return c.json(toSessionSummary(updated[0]));
   })
 
   // ---------------------------------------------------------------------------
   // GET /api/sessions/:id/recreate-params
   // ---------------------------------------------------------------------------
   .get("/:id/recreate-params", authMiddleware, async (c) => {
-    const session = c.get("session");
     const id = c.req.param("id");
-
-    const [original] = await db
-      .select()
-      .from(schema.codingSessions)
-      .where(eq(schema.codingSessions.id, id))
-      .limit(1);
-
-    if (!original) return c.json({ error: "Session not found" }, 404);
-    if (original.userId !== session.user.id && session.user.role !== "admin") {
-      return c.json({ error: "Forbidden" }, 403);
-    }
+    const original = await requireSessionAccess(id, c.get("session").user);
 
     return c.json({
       name: original.name,
@@ -546,23 +526,28 @@ const app = new Hono<AuthEnv>()
     });
   })
 
+  // ---------------------------------------------------------------------------
+  // GET /api/sessions/:id/results/latest — serve raw result HTML with CSP
+  // ---------------------------------------------------------------------------
+  .get("/:id/results/latest", authMiddleware, async (c) => {
+    const id = c.req.param("id");
+    const codingSession = await requireSessionAccess(id, c.get("session").user);
+    if (!codingSession.resultHtml) return c.text("No result", 404);
+
+    c.header(
+      "Content-Security-Policy",
+      "default-src 'none'; style-src 'unsafe-inline' *; img-src * data: blob:; font-src * data:; script-src 'unsafe-inline' * blob:; connect-src 'none'; form-action 'none'; frame-src 'none'",
+    );
+    c.header("X-Content-Type-Options", "nosniff");
+    return c.html(codingSession.resultHtml);
+  })
+
   // ---------------------------------------------------------------------------
   // DELETE /api/sessions/:id/result
   // ---------------------------------------------------------------------------
   .delete("/:id/result", authMiddleware, async (c) => {
-    const session = c.get("session");
     const id = c.req.param("id");
-
-    const [codingSession] = await db
-      .select()
-      .from(schema.codingSessions)
-      .where(eq(schema.codingSessions.id, id))
-      .limit(1);
-
-    if (!codingSession) return c.json({ error: "Session not found" }, 404);
-    if (codingSession.userId !== session.user.id && session.user.role !== "admin") {
-      return c.json({ error: "Forbidden" }, 403);
-    }
+    await requireSessionAccess(id, c.get("session").user);
 
     await db
       .update(schema.codingSessions)

server/lib/session.ts

@@ -0,0 +1,44 @@
+import type { Context } from "hono";
+import { db } from "../db/index.js";
+import * as schema from "../db/schema.js";
+import { eq } from "drizzle-orm";
+
+type AuthUser = { id: string; role?: string | null };
+
+/**
+ * Fetch a coding session by ID and verify the requesting user
+ * is either the owner or an admin. Returns the full session row.
+ */
+export async function requireSessionAccess(sessionId: string, user: AuthUser) {
+  const [row] = await db
+    .select()
+    .from(schema.codingSessions)
+    .where(eq(schema.codingSessions.id, sessionId))
+    .limit(1);
+
+  if (!row) throw new SessionAccessError("Session not found", 404);
+  if (row.userId !== user.id && user.role !== "admin") {
+    throw new SessionAccessError("Forbidden", 403);
+  }
+  return row;
+}
+
+type ErrorStatus = 400 | 403 | 404;
+
+export class SessionAccessError extends Error {
+  constructor(
+    message: string,
+    public status: ErrorStatus,
+  ) {
+    super(message);
+    this.name = "SessionAccessError";
+  }
+}
+
+/** Shared Hono onError handler for SessionAccessError. */
+export function handleSessionAccessError(err: Error, c: Context) {
+  if (err instanceof SessionAccessError) {
+    return c.json({ error: err.message }, err.status);
+  }
+  throw err;
+}