Dev#106

Merged
CodeMeAPixel merged 16 commits into master from dev
Jun 13, 2026

@CodeMeAPixel CodeMeAPixel commented Jun 13, 2026

Contributor

Summary by CodeRabbit

Release Notes — Version 2.4.6

  • Security

    • Multiple security hardening fixes including regex, SSRF, and validation improvements
    • Enhanced authentication and authorization checks
  • Changed

    • Removed status page integration; system status now links directly to emberlystat.us
    • Removed legacy Kener integration
  • Performance

    • Background file scanning no longer blocks uploads
    • Optimized file listing queries with concurrent data fetching
    • Improved session management and caching
  • Bug Fixes

    • Fixed TypeScript type correctness issues
    • Improved validation and timeout handling
    • Enhanced quota and session management
    • Resolved authentication and middleware edge cases

CodeMeAPixel and others added 16 commits June 12, 2026 13:58
…tion or class'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
…tion or class'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
…ble types'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
…tion or class'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
…ble types'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
coderabbitai Bot commented Jun 13, 2026

Contributor

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 816e9cf7-4063-4242-98af-6093b8949bca

📥 Commits

Reviewing files that changed from the base of the PR and between eb59d45 and 8e3dab0.

📒 Files selected for processing (36)
  • .github/README.md
  • CHANGELOG.md
  • app/(main)/[userUrlId]/[filename]/page.tsx
  • app/(main)/auth/alpha-migration/page.tsx
  • app/(main)/blog/[slug]/page.tsx
  • app/(main)/blog/page.tsx
  • app/(main)/dashboard/bucket/page.tsx
  • app/(main)/dashboard/client.tsx
  • app/(main)/dashboard/squads/client.tsx
  • app/api/admin/integrations/test/route.ts
  • app/api/files/route.ts
  • app/api/settings/route.ts
  • app/api/status/route.ts
  • package.json
  • packages/components/admin/settings/settings-manager.tsx
  • packages/components/dashboard/user-list.tsx
  • packages/components/layout/StatusIndicator.tsx
  • packages/components/layout/footer.tsx
  • packages/components/theme/theme-initializer.tsx
  • packages/lib/auth/api-auth.ts
  • packages/lib/cache/session-cache.ts
  • packages/lib/config/index.ts
  • packages/lib/events/handlers/file-expiry.ts
  • packages/lib/files/filename.ts
  • packages/lib/files/security-validation.ts
  • packages/lib/files/upload-validation.ts
  • packages/lib/kener/index.ts
  • packages/lib/security/password-breach-checker.ts
  • packages/lib/storage/index.ts
  • packages/lib/storage/quota.ts
  • packages/lib/storage/sync-buckets.ts
  • packages/lib/utils/index.ts
  • packages/types/react-jsx-compat.d.ts
  • proxy.ts
  • scripts/hash-file-passwords.mjs
  • scripts/migrate-config.mjs

Walkthrough

This release marks version 2.4.6 and bundles several major improvements: the complete removal of the Kener status-page integration in favor of a static external link, a significant refactoring of file upload security validation into fast local checks plus asynchronous VirusTotal scanning, propagation of emailVerified field through all authentication paths, and performance optimizations using globalThis to persist storage and quota caches across hot-reloads. The proxy routing layer is consolidated with centralized URL constants, and numerous UI/formatting updates clean up dashboard, blog, and component code.

Changes

Status Page Integration Removal

| Layer | File(s) | Summary |
| --- | --- | --- |
| StatusIndicator and footer UI updates | packages/components/layout/StatusIndicator.tsx, packages/components/layout/footer.tsx | StatusIndicator component is simplified from a dynamic client-side fetching widget to a static external link to emberlystat.us, and the status indicator is removed from the footer layout. |
| Status API endpoint and config schema cleanup | app/api/status/route.ts, packages/lib/config/index.ts, app/api/settings/route.ts | The /api/status endpoint now returns a 404 error; the kener integration is removed from the config schema and integration merge logic is updated accordingly. |
| Integration test updates for removed Kener | app/api/admin/integrations/test/route.ts | The kener case is removed from the integration test dispatcher; all integration tests gain 8-second timeouts and structured error responses, with new sanitization helpers for Cloudflare and Discord inputs. |
| Documentation and release notes | .github/README.md, CHANGELOG.md, packages/lib/kener/index.ts | README replaces Kener monitoring text with a direct emberlystat.us link, removes Kener from tech stack, and the v2.4.6 changelog entry documents security fixes, integration removal, performance improvements, and numerous bug fixes. |

File Upload Security and Performance Optimization

| Layer | File(s) | Summary |
| --- | --- | --- |
| File security validation refactoring | packages/lib/files/security-validation.ts | New validateFileSecurityChecks export runs fast local-only checks (dangerous extension/MIME + zip-bomb heuristics), and new scanWithVirusTotal export performs asynchronous malware detection and invokes a callback on detection; deprecated validateFileSecurityChecksWithVT now orchestrates the two-stage flow. |
| File upload POST handler and validation improvements | app/api/files/route.ts, packages/lib/files/upload-validation.ts | Upload handler buffers files early, parallelizes filename and storage-provider resolution, runs local security checks before transaction, hashes passwords pre-transaction, moves VirusTotal to background with quarantine on detection, and validateUploadRequest now accepts preloaded user data to skip DB lookups. |
| File listing query optimization | app/api/files/route.ts, packages/lib/events/handlers/file-expiry.ts | Squad and personal file list views replace per-file expiration lookups with batch getFileExpirationInfoBatch calls, and personal view parallelizes count and findMany Prisma queries. |
| Filename sanitization and validation tweaks | packages/lib/files/filename.ts | URL-safe slug trimming switches from regex to index-based slicing; empty slugs fall back to nanoid(6). |

Email Verification Field Propagation

| Layer | File(s) | Summary |
| --- | --- | --- |
| Auth type and interface updates | packages/lib/auth/api-auth.ts, packages/lib/cache/session-cache.ts | AuthenticatedUser and CachedUserSession types gain emailVerified: boolean field; session-cache reads include backward-compatible coercion for older cached entries. |
| Authentication flow implementations | packages/lib/auth/api-auth.ts | All auth paths (session-cache hits, NextAuth, Prisma lookups, user API key tokens, upload tokens) now fetch and propagate emailVerified as a boolean, storing it in the session cache. |

Storage Provider and Quota Optimization

| Layer | File(s) | Summary |
| --- | --- | --- |
| StorageProvider hot-reload persistence | packages/lib/storage/index.ts | StorageProvider singleton is cached on globalThis to survive Next.js dev hot-reloads; getStorageProvider reads from and writes to the global cache, and invalidateStorageProvider clears both module-local and global state. |
| Quota computation and Stripe caching | packages/lib/storage/quota.ts | Stripe subscription sync cache moves to globalThis-backed TTL; getPlanLimits performs re-check for storage-bucket-* subscriptions post-sync; getEffectiveQuotaMB now overrides quota whenever defaultQuotaMB is provided. |
| Bucket sync operations logging | packages/lib/storage/sync-buckets.ts | Completion and error logging updated to use structured payload objects instead of direct object/error casting. |

Proxy Routing and URL Normalization

| Layer | File(s) | Summary |
| --- | --- | --- |
| Proxy constants and host normalization | proxy.ts, packages/lib/utils/index.ts | Introduces BASE_URL, MAIN_HOST, VIDEO_EXTENSIONS_SET, and ALPHA_CUTOFF_DATE constants; simplifies getClientIP header handling and replaces regex-based trailing-slash trimming with slice-based approach. |
| Unified file URL request routing | proxy.ts | File URL handling refactored into an early unified block that runs before auth/bot logic, computing media requests from headers and rewriting to /raw or trailing-slash variants accordingly. |
| Authentication and redirect consolidation | proxy.ts | Alpha-migration, email-verification, password-breach, and login redirects updated to use centralized BASE_URL; duplicated media-handling block removed. |

UI Components, Pages, and Type System Updates

| Layer | File(s) | Summary |
| --- | --- | --- |
| Page and component UI updates | app/(main)/blog/[slug]/page.tsx, app/(main)/blog/page.tsx, app/(main)/dashboard/bucket/page.tsx | Blog and dashboard pages refactored with multiline JSX props, improved layout structure, and updated icon imports; rendered output and logic remain unchanged. |
| Squads dashboard client UI enhancements | app/(main)/dashboard/squads/client.tsx | SquadIncomingInvite type expanded; explicit glass card subcomponents introduced; error handling, creation button state, and metadata label rendering restructured. |
| File page and auth page updates | app/(main)/[userUrlId]/[filename]/page.tsx, app/(main)/auth/alpha-migration/page.tsx | File page removes unused imports and getConfig call, updates generateMetadata to remove password-based derivation; alpha-migration page removes codeSent state and clears success on resend. |
| React JSX types, theme, and utility refactoring | packages/types/react-jsx-compat.d.ts, packages/components/theme/theme-initializer.tsx, app/(main)/dashboard/client.tsx, packages/components/dashboard/user-list.tsx | JSX interface declarations converted to type aliases; theme initializer refactored; pagination updated to use pageCount; dashboard prop destructuring simplified. |
| CommonJS to ES module conversions | scripts/hash-file-passwords.mjs, scripts/migrate-config.mjs | Migration scripts updated from CommonJS require to ES module import syntax. |
| Version bump and security documentation | package.json, packages/lib/security/password-breach-checker.ts | Package version bumped to 2.4.6; password-breach-checker JSDoc expanded with parameter and return documentation. |

🎯 4 (Complex) | ⏱️ ~45 minutes


Possibly Related PRs

  • EmberlyOSS/Emberly#105: Both PRs center on removing the Kener/status-page integration and switching to the static emberlystat.us status link across components, API, and configuration.
  • EmberlyOSS/Emberly#80: Both PRs modify proxy.ts to refactor file URL routing and media-request handling with rewriting to /raw or trailing-slash paths.
  • EmberlyOSS/Emberly#72: Both PRs change proxy.ts file/video URL routing, client IP normalization, and path rewriting logic.

Suggested Labels

enhancement


Comment thread packages/lib/security/password-breach-checker.ts Dismissed
@CodeMeAPixel CodeMeAPixel merged commit b502804 into master Jun 13, 2026
11 of 12 checks passed
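
The walkthrough above mentions two switches from regex trimming to index-based slicing: slug trimming with an empty-slug fallback in packages/lib/files/filename.ts, and trailing-slash trimming in the proxy utilities. The TypeScript below is an added illustration of that pattern, not code from this PR or from Emberly; the function names, the slug alphabet, the sample regex and the injected `fallbackId` generator (standing in for `nanoid(6)`) are assumptions.

```typescript
// Added illustration; every name here is hypothetical, not Emberly's code.

// Regex form of a trailing trim. On a long run of "/" that is NOT at the
// end of the string, a backtracking engine retries the match from every
// position in the run, so hostile input costs quadratic time.
const TRAILING_SLASHES = /\/+$/;

function trimEndRegex(s: string): string {
  return s.replace(TRAILING_SLASHES, "");
}

// Index-based form: one backward scan, then a single slice. Linear time.
function trimEndChar(s: string, ch: string): string {
  let end = s.length;
  while (end > 0 && s.charAt(end - 1) === ch) end--;
  return s.slice(0, end);
}

function trimStartChar(s: string, ch: string): string {
  let start = 0;
  while (start < s.length && s.charAt(start) === ch) start++;
  return s.slice(start);
}

// Slug step: map to a URL-safe alphabet, trim "-" by index, and fall back
// to a generated id when nothing is left. The page names nanoid(6) as the
// fallback; the generator is passed in here to avoid a dependency.
function toSlug(name: string, fallbackId: () => string): string {
  const lower = name.toLowerCase();
  let out = "";
  for (let i = 0; i < lower.length; i++) {
    const c = lower.charAt(i);
    const safe = (c >= "a" && c <= "z") || (c >= "0" && c <= "9");
    if (safe) out += c;
    // Collapse each run of unsafe characters into a single "-".
    else if (out.charAt(out.length - 1) !== "-") out += "-";
  }
  const slug = trimStartChar(trimEndChar(out, "-"), "-");
  return slug.length > 0 ? slug : fallbackId();
}
```

A filename made only of unsafe characters reduces to an empty slug, which is the case the fallback id exists for; without it, two such uploads would map to the same empty path segment.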