
feat: public demo mode + base-path rewrites + security hardening#7

Open
hongphuc5497 wants to merge 15 commits into
hoquanghai:mainfrom
hongphuc5497:feat/public-demo-security

Conversation

@hongphuc5497

Summary

Add public demo mode, base-path support, and security hardening for deployment behind hongphuc5497.com/news-video-creating.

Changes

  • Demo mode: PUBLIC_DEMO_MODE blocks POST /api/generate, POST /api/pipeline, PUT /api/settings (403)
  • Base-path: PUBLIC_BASE_PATH normalization, stripPublicBasePath(), publicPath() helpers
  • Client-side: app.js auto-detects base path from script src, all API calls use appPath()
  • Dockerfile: Multi-stage build, non-root appuser, HEALTHCHECK
  • SSRF protection: Block private/internal IP ranges (10.x, 192.168.x, 172.16-31.x, localhost, AWS IMDS)
  • fly.toml: Configured with PORT=4317, PUBLIC_BASE_PATH=/news-video-creating, PUBLIC_DEMO_MODE=1

Verification

  • Tests: ✅ 69/69 pass
  • Typecheck: ✅ clean
  • Docker build: ✅ image built successfully
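The base-path and demo-mode items above are easy to get subtly wrong: a prefix check that is not anchored on a segment boundary lets `/news-video-creatingX/...` through, and a guard that sees a different path form than the router does is a bypass. The following is an added example, not the PR's `server.ts`; `stripPublicBasePath` and `publicPath` reuse the PR's helper names, while `normalizePublicBasePath`, `isBlockedInDemo`, `DEMO_BLOCKED_ROUTES`, `decide` and their bodies are my own assumptions about how such helpers would be written.

```typescript
// Added example (not the PR's server.ts): base-path helpers that strip the
// public prefix only on a segment boundary, plus the demo-mode route guard
// applied to the stripped, app-relative path. Names other than
// stripPublicBasePath/publicPath are assumptions, not the project's API.

// The three mutating routes the PR description says demo mode blocks.
const DEMO_BLOCKED_ROUTES = new Set(["POST /api/generate", "POST /api/pipeline", "PUT /api/settings"]);

// Accepts "", "/", "news-video-creating/", "//a//b/" and returns a canonical
// form: either "" (mounted at root) or "/segment[/segment]" with no trailing slash.
function normalizePublicBasePath(raw: string | undefined): string {
  const p = (raw ?? "").trim().replace(/\/{2,}/g, "/").replace(/\/+$/, "");
  if (p === "") return "";
  return p.startsWith("/") ? p : "/" + p;
}

// Returns the app-relative path, or null when the request is outside the base
// path. A bare startsWith(basePath) would wrongly accept "/news-video-creatingX/api".
function stripPublicBasePath(pathname: string, basePath: string): string | null {
  if (basePath === "") return pathname;
  if (pathname === basePath) return "/";
  return pathname.startsWith(basePath + "/") ? pathname.slice(basePath.length) : null;
}

// Inverse direction, for links and redirects the server emits.
function publicPath(appPath: string, basePath: string): string {
  return basePath + (appPath.startsWith("/") ? appPath : "/" + appPath);
}

// Demo guard on method + app-relative path; a trailing slash is ignored so
// "POST /api/generate/" is treated the same as "POST /api/generate".
function isBlockedInDemo(method: string, appPath: string, demoMode: boolean): boolean {
  if (!demoMode) return false;
  const route = appPath.replace(/\/+$/, "") || "/";
  return DEMO_BLOCKED_ROUTES.has(`${method.toUpperCase()} ${route}`);
}

// Request handling order: canonicalise the path, strip the prefix, then run
// the guard on exactly the path the router will see. Returns the HTTP status
// the request would get before reaching a handler (200 = not blocked here).
function decide(method: string, url: string, rawBasePath: string | undefined, demoMode: boolean): number {
  const base = normalizePublicBasePath(rawBasePath);
  const path = url.split("?")[0].replace(/\/{2,}/g, "/");
  const appPath = stripPublicBasePath(path, base);
  if (appPath === null) return 404;
  if (isBlockedInDemo(method, appPath, demoMode)) return 403;
  return 200;
}

// Constructed requests against the fly.toml values quoted in the PR.
for (const [m, u] of [["POST", "/news-video-creating/api/generate?x=1"], ["GET", "/news-video-creating/api/settings"], ["POST", "/other/api/generate"]]) {
  console.log(m, u, "->", decide(m, u, "/news-video-creating", true));
}
```

The practical check when reviewing code like this is that the guard and the router agree on one canonical path form. Any transformation the router applies that the guard does not (collapsing doubled slashes, percent-decoding, trailing-slash tolerance) is a candidate for getting a 403 route through, so the guard should run on the same stripped and normalised value the router dispatches on, never on the raw request URL.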
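For the SSRF item, a practitioner wants to see how the private-range check is actually applied: on the parsed `url.hostname` rather than the raw string (the URL parser canonicalises `http://2130706433/` to `127.0.0.1`), on IPv6 and IPv4-mapped forms as well as dotted IPv4, and on every address a hostname resolves to. The block below is an added example and is not the PR's `web-fetcher.ts`; `isBlockedAddress`, `targetHost`, `assertSafeTarget`, the `Resolver` type and the `fakeDns` resolver are my own names and assumptions, and the range list goes slightly beyond the PR text by also covering 0.0.0.0/8, 100.64.0.0/10, link-local and unique-local IPv6.

```typescript
// Added example (not the PR's web-fetcher.ts): decide whether a fetch target
// is a private, loopback, link-local or cloud-metadata address. The resolver
// is injected so this runs offline; in production wrap
// dns.promises.lookup(host, { all: true }) from node:dns.
type Resolver = (host: string) => Promise<string[]>;

// IPv4 networks a server-side fetcher should never reach: [network, prefix].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],      // "this" network / unspecified
  ["10.0.0.0", 8],     // RFC 1918
  ["100.64.0.0", 10],  // carrier-grade NAT, RFC 6598
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, includes AWS IMDS 169.254.169.254
  ["172.16.0.0", 12],  // RFC 1918, 172.16.0.0 - 172.31.255.255
  ["192.168.0.0", 16], // RFC 1918
];

// Dotted-quad only: the WHATWG URL parser has already canonicalised hex,
// octal, decimal and shorthand hosts (http://0x7f.1/ -> 127.0.0.1).
function parseV4(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inV4Range(ip: number, net: string, prefix: number): boolean {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseV4(net)! & mask) >>> 0);
}

// Expand an IPv6 literal to eight 16-bit groups, accepting the dotted
// IPv4-mapped form (::ffff:127.0.0.1). Returns null when malformed.
function parseV6(ip: string): number[] | null {
  let s = ip.toLowerCase();
  if (s.includes(".")) {
    const cut = s.lastIndexOf(":");
    const v4 = cut < 0 ? null : parseV4(s.slice(cut + 1));
    if (v4 === null) return null;
    s = `${s.slice(0, cut + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = 8 - head.length - tail.length;
  if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
  const groups = [...head, ...new Array<string>(halves.length === 2 ? fill : 0).fill("0"), ...tail];
  const out: number[] = [];
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

function isBlockedAddress(ip: string): boolean {
  const v4 = parseV4(ip);
  if (v4 !== null) return BLOCKED_V4.some(([net, len]) => inV4Range(v4, net, len));
  const g = parseV6(ip);
  if (g === null) return true;                                        // unparseable: fail closed
  if (g.every((x) => x === 0)) return true;                           // ::
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true; // ::1
  if ((g[0] & 0xffc0) === 0xfe80) return true;                        // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true;                        // fc00::/7 unique local
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {       // ::ffff:a.b.c.d mapped v4
    return BLOCKED_V4.some(([net, len]) => inV4Range(((g[6] << 16) | g[7]) >>> 0, net, len));
  }
  return false;
}

// Parse once and check url.hostname, never the raw string; the parser
// canonicalises hosts and keeps brackets on IPv6 literals.
function targetHost(raw: string): string {
  const url = new URL(raw);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`blocked scheme ${url.protocol}`);
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) throw new Error("blocked host localhost");
  return host;
}

// Literal addresses are checked directly; names are resolved and every
// returned address must pass, since the target's DNS is attacker-controlled.
async function assertSafeTarget(raw: string, resolve: Resolver): Promise<URL> {
  const host = targetHost(raw);
  const addrs = parseV4(host) !== null || parseV6(host) !== null ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`no address for ${host}`);
  for (const a of addrs) if (isBlockedAddress(a)) throw new Error(`blocked address ${a} for ${host}`);
  return new URL(raw);
}

// Constructed resolver standing in for DNS (no network access).
const fakeDns: Resolver = async (host) => (host === "intranet.example" ? ["10.0.0.5"] : ["93.184.216.34"]);
for (const u of ["https://www.example.com/feed", "https://intranet.example/admin", "http://169.254.169.254/latest/"]) {
  assertSafeTarget(u, fakeDns).then((ok) => console.log("allowed", ok.href), (e: Error) => console.log("rejected", u, e.message));
}
```

Two caveats remain even with this check in place. Resolving a name and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap (DNS rebinding), so the fetch should be pinned to the address that passed, for example via a custom `lookup` on the agent. And a permitted public host can 3xx-redirect to `http://169.254.169.254/`, so redirects must either be disabled or re-run through the same check on every hop.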

hongphuc5497 and others added 15 commits May 20, 2026 00:13
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Allow the local web UI to toggle TikTok info rendering and persist TikTok profile settings outside env-only configuration.

Tested: npm test
Tested: npm run typecheck
Tested: npm run build
Tested: npm audit --audit-level=moderate
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
v2.0.1 feat: web UI, LLM abstraction, TikTok settings
- Add PUBLIC_DEMO_MODE guard blocking POST /api/generate, POST /api/pipeline, PUT /api/settings
- Add PUBLIC_BASE_PATH support with path normalization and stripPublicBasePath()
- Add base-path-aware URL helpers in server.ts (publicPath) and app.js (appPath)
- Add redacted settings in demo mode (redactUiSettings)
- Convert Dockerfile to multi-stage with non-root appuser and HEALTHCHECK
- Add SSRF protection: block private/internal IP ranges in web-fetcher.ts
- Add .dockerignore to exclude sensitive and build-only files
- Add fly.toml with NEWS_VIDEO_ORIGIN, PUBLIC_BASE_PATH, PUBLIC_DEMO_MODE