viktor/wrongmove
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix 7 bugs: security, memory leak, stale state, error handling

Browse source 
- WebSocket: verify task ownership before allowing subscribe (security)
- POI routes: replace assert with HTTPException for production safety
- cancel_task: return HTTP 404 instead of 200 for missing tasks
- routing_config: add descriptive ValueError for invalid env vars
- POIManager: show error feedback instead of silently swallowing failures
- VisualizationCard: reset POI/travel mode state on metric switch
- Map: clean up heatmap layers/sources on unmount to prevent memory leak
- Update test to expect 404 from cancel_task ownership check
This commit is contained in:
Viktor Barzin 2026-02-13 19:36:43 +00:00
parent 25c87da1cf
commit 41b7d221e4
No known key found for this signature in database
GPG key ID: 0EB088298288D958
8 changed files with 45 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

4
api/ws_routes.py
View file

@ -137,6 +137,10 @@ async def ws_task_progress(websocket: WebSocket) -> None:
if msg_type == "subscribe":
new_task_id = msg.get("task_id")
if new_task_id:
# Verify task belongs to the authenticated user
user_tasks = task_service.get_user_tasks(user.email)
if new_task_id not in user_tasks:
continue
channel = f"task_progress:{new_task_id}"
if channel not in subscribed_channels:
await pubsub.subscribe(channel)