[PR #3085] [MERGED] Normalize request parameters and update dependencies for Security #34608

Closed
opened 2026-06-17 04:12:32 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/3085
Author: @marcschaeferger
Created: 5/15/2026
Status: Merged
Merged: 5/28/2026
Merged by: @oschwartz10612

Base: devHead: security-updates


📝 Commits (1)

  • 18d380c fix(security): normalize request parameters and update dependencies

📊 Changes

37 files changed (+2728 additions, -3681 deletions)

View changed files

📝 drizzle.sqlite.config.ts (+1 -1)
📝 install/go.mod (+2 -2)
📝 install/go.sum (+4 -4)
📝 next.config.ts (+1 -6)
📝 package-lock.json (+2265 -3475)
📝 package.json (+52 -50)
📝 server/index.ts (+1 -1)
server/lib/requestParams.ts (+11 -0)
📝 server/middlewares/integration/verifyAccessTokenAccess.ts (+8 -1)
📝 server/middlewares/integration/verifyApiKeyApiKeyAccess.ts (+5 -2)
📝 server/middlewares/integration/verifyApiKeyDomainAccess.ts (+11 -2)
📝 server/middlewares/integration/verifyApiKeyIdpAccess.ts (+8 -3)
📝 server/middlewares/integration/verifyApiKeyOrgAccess.ts (+3 -2)
📝 server/middlewares/integration/verifyApiKeySiteResourceAccess.ts (+4 -2)
📝 server/middlewares/integration/verifyApiKeyTargetAccess.ts (+4 -2)
📝 server/middlewares/verifyAccessTokenAccess.ts (+9 -2)
📝 server/middlewares/verifyApiKeyAccess.ts (+20 -7)
📝 server/middlewares/verifyDomainAccess.ts (+4 -7)
📝 server/middlewares/verifyLimits.ts (+5 -1)
📝 server/middlewares/verifyOrgAccess.ts (+2 -1)

...and 17 more files

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description (Description generated by AI/Copilot)

This pull request introduces several dependency updates and refactors how request parameters are handled in API key and access token middleware, improving type safety and error handling. The most significant changes are grouped below.

Dependency Updates:

  • Updated many dependencies and devDependencies in package.json, including major upgrades to next, react, next-intl, @react-email/*, axios, recharts, and others, as well as their corresponding types and build tools. [1] [2] [3] [4]
  • Upgraded Go module dependencies in install/go.mod, notably golang.org/x/term and golang.org/x/sys. [1] [2]

Middleware Refactors and Type Safety:

  • Added a utility function getFirstString in server/lib/requestParams.ts to safely extract the first string from various request parameter sources, handling both string and array types.
  • Refactored all API key and access token middleware (verifyApiKeyApiKeyAccess.ts, verifyApiKeyDomainAccess.ts, verifyApiKeyIdpAccess.ts, verifyApiKeyOrgAccess.ts, verifyApiKeySiteResourceAccess.ts, verifyApiKeyTargetAccess.ts, verifyAccessTokenAccess.ts, and verifyAccessTokenAccess.ts) to use getFirstString for extracting parameters, improving robustness against malformed or unexpected request data. Added explicit checks for missing or invalid IDs, returning appropriate HTTP errors. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]

Build and Config Updates:

  • Fixed import paths in drizzle.sqlite.config.ts and server/index.ts for consistency and compatibility. [1] [2]
  • Simplified and updated next.config.ts by moving reactCompiler to the top level and removing the eslint build ignore.

These changes collectively improve the reliability of parameter handling in API endpoints and keep the project dependencies up to date.

How to test?


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/3085 **Author:** [@marcschaeferger](https://github.com/marcschaeferger) **Created:** 5/15/2026 **Status:** ✅ Merged **Merged:** 5/28/2026 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `dev` ← **Head:** `security-updates` --- ### 📝 Commits (1) - [`18d380c`](https://github.com/fosrl/pangolin/commit/18d380ce30f3331b0b20c83b019e9f40b3eda5ea) fix(security): normalize request parameters and update dependencies ### 📊 Changes **37 files changed** (+2728 additions, -3681 deletions) <details> <summary>View changed files</summary> 📝 `drizzle.sqlite.config.ts` (+1 -1) 📝 `install/go.mod` (+2 -2) 📝 `install/go.sum` (+4 -4) 📝 `next.config.ts` (+1 -6) 📝 `package-lock.json` (+2265 -3475) 📝 `package.json` (+52 -50) 📝 `server/index.ts` (+1 -1) ➕ `server/lib/requestParams.ts` (+11 -0) 📝 `server/middlewares/integration/verifyAccessTokenAccess.ts` (+8 -1) 📝 `server/middlewares/integration/verifyApiKeyApiKeyAccess.ts` (+5 -2) 📝 `server/middlewares/integration/verifyApiKeyDomainAccess.ts` (+11 -2) 📝 `server/middlewares/integration/verifyApiKeyIdpAccess.ts` (+8 -3) 📝 `server/middlewares/integration/verifyApiKeyOrgAccess.ts` (+3 -2) 📝 `server/middlewares/integration/verifyApiKeySiteResourceAccess.ts` (+4 -2) 📝 `server/middlewares/integration/verifyApiKeyTargetAccess.ts` (+4 -2) 📝 `server/middlewares/verifyAccessTokenAccess.ts` (+9 -2) 📝 `server/middlewares/verifyApiKeyAccess.ts` (+20 -7) 📝 `server/middlewares/verifyDomainAccess.ts` (+4 -7) 📝 `server/middlewares/verifyLimits.ts` (+5 -1) 📝 `server/middlewares/verifyOrgAccess.ts` (+2 -1) _...and 17 more files_ </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description (Description generated by AI/Copilot) This pull request introduces several dependency updates and refactors how request parameters are handled in API key and access token middleware, improving type safety and error handling. The most significant changes are grouped below. **Dependency Updates:** * Updated many dependencies and devDependencies in `package.json`, including major upgrades to `next`, `react`, `next-intl`, `@react-email/*`, `axios`, `recharts`, and others, as well as their corresponding types and build tools. [[1]](diffhunk://#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L35-R38) [[2]](diffhunk://#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L62-R72) [[3]](diffhunk://#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L83-R153) [[4]](diffhunk://#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L163-R180) * Upgraded Go module dependencies in `install/go.mod`, notably `golang.org/x/term` and `golang.org/x/sys`. [[1]](diffhunk://#diff-bf86f3b3eb5a7758936b7f79c5ac4c40b76c3734d110fe3c4a1ed82fcac0c738L8-R8) [[2]](diffhunk://#diff-bf86f3b3eb5a7758936b7f79c5ac4c40b76c3734d110fe3c4a1ed82fcac0c738L36-R36) **Middleware Refactors and Type Safety:** * Added a utility function `getFirstString` in `server/lib/requestParams.ts` to safely extract the first string from various request parameter sources, handling both string and array types. * Refactored all API key and access token middleware (`verifyApiKeyApiKeyAccess.ts`, `verifyApiKeyDomainAccess.ts`, `verifyApiKeyIdpAccess.ts`, `verifyApiKeyOrgAccess.ts`, `verifyApiKeySiteResourceAccess.ts`, `verifyApiKeyTargetAccess.ts`, `verifyAccessTokenAccess.ts`, and `verifyAccessTokenAccess.ts`) to use `getFirstString` for extracting parameters, improving robustness against malformed or unexpected request data. Added explicit checks for missing or invalid IDs, returning appropriate HTTP errors. [[1]](diffhunk://#diff-7bf758bd61d933c0aaae544b6b7a95fd362194e8e2a1391525013654c055f898R7) [[2]](diffhunk://#diff-7bf758bd61d933c0aaae544b6b7a95fd362194e8e2a1391525013654c055f898L15-R29) [[3]](diffhunk://#diff-25362652a86dfbb2667d4b80a4e99bc90cd078ab183281005f51a5fc3336b19aR7) [[4]](diffhunk://#diff-25362652a86dfbb2667d4b80a4e99bc90cd078ab183281005f51a5fc3336b19aL17-R21) [[5]](diffhunk://#diff-5b88d824352f699bce25fc0bd67ab82ca44d6eb398883c935caaa96aa3b75dd8R6) [[6]](diffhunk://#diff-5b88d824352f699bce25fc0bd67ab82ca44d6eb398883c935caaa96aa3b75dd8L15-R19) [[7]](diffhunk://#diff-5b88d824352f699bce25fc0bd67ab82ca44d6eb398883c935caaa96aa3b75dd8R33-R38) [[8]](diffhunk://#diff-b5a8c18bef648b4f8b96605f1afef88a565d627094456d0f9be80cfe0e1cb73bR7) [[9]](diffhunk://#diff-b5a8c18bef648b4f8b96605f1afef88a565d627094456d0f9be80cfe0e1cb73bL15-R21) [[10]](diffhunk://#diff-b5a8c18bef648b4f8b96605f1afef88a565d627094456d0f9be80cfe0e1cb73bL30-R35) [[11]](diffhunk://#diff-a039bca4ebc5d0dbbdc9eb3476afd55436038a420b9d38b40dd48db059bd1c11R7) [[12]](diffhunk://#diff-a039bca4ebc5d0dbbdc9eb3476afd55436038a420b9d38b40dd48db059bd1c11L15-R16) [[13]](diffhunk://#diff-a039bca4ebc5d0dbbdc9eb3476afd55436038a420b9d38b40dd48db059bd1c11L48-R49) [[14]](diffhunk://#diff-89db7a38d796004d5d84d286f59bb753874568a2cf113d4c81cd811d227c768cR7) [[15]](diffhunk://#diff-89db7a38d796004d5d84d286f59bb753874568a2cf113d4c81cd811d227c768cL15-R25) [[16]](diffhunk://#diff-fa479c667dd3e618481feed4817c864f509a0d52c687bf6f627b61e43a1dbb13R7) [[17]](diffhunk://#diff-fa479c667dd3e618481feed4817c864f509a0d52c687bf6f627b61e43a1dbb13L15-R25) [[18]](diffhunk://#diff-a23d6ebd7fe7fa71a5cd337d2748747a662ed5cccc6800ac82960ebd8c949480R10-R31) **Build and Config Updates:** * Fixed import paths in `drizzle.sqlite.config.ts` and `server/index.ts` for consistency and compatibility. [[1]](diffhunk://#diff-d2b98c498bfaadb160c51e6239e3fc4c428c32fda4358732c903426d7eb1a52cL1-R1) [[2]](diffhunk://#diff-786114c6ebf98e577ec30dac884800bb7c9ce800b5323710ed03b916e1d33b68L2-R2) * Simplified and updated `next.config.ts` by moving `reactCompiler` to the top level and removing the `eslint` build ignore. These changes collectively improve the reliability of parameter handling in API endpoints and keep the project dependencies up to date. ## How to test? --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-17 04:12:32 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#34608