mirror of
https://github.com/svemagie/indiekit-endpoint-activitypub.git
synced 2026-04-02 15:44:58 +02:00
12454749ad
27 issues fixed from multi-dimensional code review (4 Critical, 6 High, 11 Medium, 6 Low): Security (Critical): - Escape HTML in OAuth authorization page to prevent XSS (C1) - Add CSRF protection to OAuth authorize flow (C2) - Replace bypassable regex sanitizer with sanitize-html library (C3) - Enforce OAuth scopes on all Mastodon API routes (C4) Security (Medium/Low): - Fix SSRF via DNS resolution before private IP check (M1) - Add rate limiting to API, auth, and app registration endpoints (M2) - Validate redirect_uri on POST /oauth/authorize (M4) - Fix custom emoji URL injection with scheme validation + escaping (M5) - Remove data: scheme from allowed image sources (L6) - Add access token expiry (1hr) and refresh token rotation (90d) (M3) - Hash client secrets before storage (L3) Architecture: - Extract batch-broadcast.js — shared delivery logic (H1a) - Extract init-indexes.js — MongoDB index creation (H1b) - Extract syndicator.js — syndication logic (H1c) - Create federation-actions.js facade for controllers (M6) - index.js reduced from 1810 to ~1169 lines (35%) Performance: - Cache moderation data with 30s TTL + write invalidation (H6) - Increase inbox queue throughput to 10 items/sec (H5) - Make account enrichment non-blocking with fire-and-forget (H4) - Remove ephemeral getReplies/getLikes/getShares from ingest (M11) - Fix LRU caches to use true LRU eviction (L1) - Fix N+1 backfill queries with batch $in lookup (L2) UI/UX: - Split 3441-line reader.css into 15 feature-scoped files (H2) - Extract inline Alpine.js interaction component (H3) - Reduce sidebar navigation from 7 to 3 items (M7) - Add ARIA live regions for dynamic content updates (M8) - Extract shared CW/non-CW content partial (M9) - Document form handling pattern convention (M10) - Add accessible labels to functional emoji icons (L4) - Convert profile editor to Alpine.js (L5) Audit: documentation-central/audits/2026-03-24-activitypub-code-review.md Plan: documentation-central/plans/2026-03-24-activitypub-audit-fixes.md
75 lines
1.3 KiB
CSS
75 lines
1.3 KiB
CSS
/* ==========================================================================
|
|
Skeleton Loaders
|
|
========================================================================== */
|
|
|
|
@keyframes ap-skeleton-shimmer {
|
|
0% { background-position: 200% 0; }
|
|
100% { background-position: -200% 0; }
|
|
}
|
|
|
|
.ap-skeleton {
|
|
background: linear-gradient(90deg,
|
|
var(--color-offset) 25%,
|
|
var(--color-background) 50%,
|
|
var(--color-offset) 75%);
|
|
background-size: 200% 100%;
|
|
animation: ap-skeleton-shimmer 1.5s ease-in-out infinite;
|
|
border-radius: var(--border-radius-small);
|
|
}
|
|
|
|
.ap-card--skeleton {
|
|
pointer-events: none;
|
|
}
|
|
|
|
.ap-card--skeleton .ap-card__author {
|
|
display: flex;
|
|
align-items: center;
|
|
gap: var(--space-s);
|
|
}
|
|
|
|
.ap-skeleton--avatar {
|
|
width: 2.5rem;
|
|
height: 2.5rem;
|
|
border-radius: 50%;
|
|
flex-shrink: 0;
|
|
}
|
|
|
|
.ap-skeleton-lines {
|
|
flex: 1;
|
|
display: flex;
|
|
flex-direction: column;
|
|
gap: 0.4rem;
|
|
}
|
|
|
|
.ap-skeleton--name {
|
|
height: 0.85rem;
|
|
width: 40%;
|
|
}
|
|
|
|
.ap-skeleton--handle {
|
|
height: 0.7rem;
|
|
width: 25%;
|
|
}
|
|
|
|
.ap-skeleton-body {
|
|
display: flex;
|
|
flex-direction: column;
|
|
gap: 0.5rem;
|
|
margin-top: var(--space-s);
|
|
}
|
|
|
|
.ap-skeleton--line {
|
|
height: 0.75rem;
|
|
width: 100%;
|
|
}
|
|
|
|
.ap-skeleton--short {
|
|
width: 60%;
|
|
}
|
|
|
|
.ap-skeleton-group {
|
|
display: flex;
|
|
flex-direction: column;
|
|
gap: var(--space-m);
|
|
}
|