fix: comprehensive security and bug fixes across auth, API, and frontend

CRITICAL:
- Fix XSS in highlightBash via escapeHtml before regex highlighting
- Reject JWT tokens without exp claim (was bypassable with exp:0)
- Add rate limiting, size cap, and error handling to brewfile parse

HIGH:
- Preserve existing username on GitHub re-login (prevent overwrite)
- Clear OAuth state cookies on state mismatch (both providers)
- Fix CLI approve race condition with atomic UPDATE claim + db.batch
- Server-generate all device codes (remove client-supplied code path)
- Fix open redirect in validateReturnTo via decodeURIComponent
- Wrap GitHub callback in try/catch matching Google callback pattern
- Hide unlisted configs from public profile pages
- Check response.ok before reloading after deleteConfig
- Fix packageDescs mutation (create new Map instead of mutating)
- Add performance indexes on configs and cli_auth_codes

MEDIUM:
- Add updated_at to snapshot UPDATE query
- Cap slug dedup loop at 100 attempts
- Fix formatDate unconditional Z append for D1 date strings
- Fix stale event?.currentTarget in ConfigDetail copy button
- Migrate ThemeToggle from Svelte 4 on:click to Svelte 5 onclick
- Remove dead starCount GitHub API fetch from home page
- Add name/description length validation to config creation
- Centralize RESERVED_ALIASES constant across hooks and API endpoints
- Change logout from GET to POST (CSRF prevention)
- Replace N+1 queries with JOIN in hooks.server.ts
- Fix auth store checkPromise reset on fetch failure
- Add opportunistic expired cli_auth_codes cleanup

Author: fullstackjam

migrations/0015_add_performance_indexes.sql

@@ -0,0 +1,13 @@
+-- Add indexes for frequently queried columns to avoid full table scans
+
+-- Visibility-based queries (explore page, profile page, alias resolution)
+CREATE INDEX IF NOT EXISTS idx_configs_visibility ON configs(visibility);
+CREATE INDEX IF NOT EXISTS idx_configs_visibility_updated_at ON configs(visibility, updated_at DESC);
+CREATE INDEX IF NOT EXISTS idx_configs_visibility_install_count ON configs(visibility, install_count DESC);
+
+-- Featured sort (explore page default view)
+CREATE INDEX IF NOT EXISTS idx_configs_featured ON configs(featured DESC, install_count DESC);
+
+-- CLI auth codes lookup by status (approve endpoint)
+CREATE INDEX IF NOT EXISTS idx_cli_auth_codes_status ON cli_auth_codes(status);
+CREATE INDEX IF NOT EXISTS idx_cli_auth_codes_expires_at ON cli_auth_codes(expires_at);

src/hooks.server.ts

@@ -1,5 +1,6 @@
 import type { Handle } from '@sveltejs/kit';
 import { generateInstallScript, generatePrivateInstallScript } from '$lib/server/install-script';
+import { RESERVED_ALIASES } from '$lib/server/validation';
 
 const INSTALL_SCRIPT_URL = 'https://raw.githubusercontent.com/openbootdotdev/openboot/main/scripts/install.sh';
 
@@ -43,7 +44,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 	}
 
 	const shortAliasMatch = path.match(/^\/([a-z0-9-]+)$/);
-	if (shortAliasMatch && !['dashboard', 'api', 'install', 'docs', 'cli-auth', 'explore'].includes(shortAliasMatch[1])) {
+	if (shortAliasMatch && !(RESERVED_ALIASES as readonly string[]).includes(shortAliasMatch[1])) {
 		const alias = shortAliasMatch[1];
 		const env = event.platform?.env;
 
@@ -90,31 +91,28 @@ export const handle: Handle = async ({ event, resolve }) => {
 			const username = installShMatch[1];
 			const slug = installShMatch[2];
 
-			const user = await env.DB.prepare('SELECT id FROM users WHERE username = ?').bind(username).first<{ id: string }>();
-			if (user) {
-				const config = await env.DB.prepare('SELECT custom_script, visibility, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?')
-					.bind(user.id, slug)
-					.first<{ custom_script: string; visibility: string; dotfiles_repo: string }>();
-
-				if (config) {
-					if (config.visibility === 'private') {
-						const script = generatePrivateInstallScript(env.APP_URL, username, slug);
-						return withSecurityHeaders(new Response(script, {
-							headers: { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'no-cache' }
-						}));
-					}
-
-					const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
-
-					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch((e: unknown) => console.error('install count update failed:', e));
+			const config = await env.DB.prepare(
+				'SELECT c.custom_script, c.visibility, c.dotfiles_repo, c.user_id FROM configs c JOIN users u ON c.user_id = u.id WHERE u.username = ? AND c.slug = ?'
+			).bind(username, slug).first<{ custom_script: string; visibility: string; dotfiles_repo: string; user_id: string }>();
 
+			if (config) {
+				if (config.visibility === 'private') {
+					const script = generatePrivateInstallScript(env.APP_URL, username, slug);
 					return withSecurityHeaders(new Response(script, {
-						headers: {
-							'Content-Type': 'text/plain; charset=utf-8',
-							'Cache-Control': 'no-cache'
-						}
+						headers: { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'no-cache' }
 					}));
 				}
+
+				const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
+
+				env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(config.user_id, slug).run().catch((e: unknown) => console.error('install count update failed:', e));
+
+				return withSecurityHeaders(new Response(script, {
+					headers: {
+						'Content-Type': 'text/plain; charset=utf-8',
+						'Cache-Control': 'no-cache'
+					}
+				}));
 			}
 		}
 	}
@@ -129,31 +127,28 @@ export const handle: Handle = async ({ event, resolve }) => {
 				const username = twoSegMatch[1];
 				const slug = twoSegMatch[2];
 
-				const user = await env.DB.prepare('SELECT id FROM users WHERE username = ?').bind(username).first<{ id: string }>();
-				if (user) {
-				const config = await env.DB.prepare('SELECT custom_script, visibility, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?')
-					.bind(user.id, slug)
-					.first<{ custom_script: string; visibility: string; dotfiles_repo: string }>();
+				const config = await env.DB.prepare(
+					'SELECT c.custom_script, c.visibility, c.dotfiles_repo, c.user_id FROM configs c JOIN users u ON c.user_id = u.id WHERE u.username = ? AND c.slug = ?'
+				).bind(username, slug).first<{ custom_script: string; visibility: string; dotfiles_repo: string; user_id: string }>();
 
 				if (config) {
-						if (config.visibility === 'private') {
-							const script = generatePrivateInstallScript(env.APP_URL, username, slug);
-							return withSecurityHeaders(new Response(script, {
-								headers: { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'no-cache' }
-							}));
-						}
-
-						const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
-
-						env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch((e: unknown) => console.error('install count update failed:', e));
-
+					if (config.visibility === 'private') {
+						const script = generatePrivateInstallScript(env.APP_URL, username, slug);
 						return withSecurityHeaders(new Response(script, {
-							headers: {
-								'Content-Type': 'text/plain; charset=utf-8',
-								'Cache-Control': 'no-cache'
-							}
+							headers: { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'no-cache' }
 						}));
 					}
+
+					const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
+
+					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(config.user_id, slug).run().catch((e: unknown) => console.error('install count update failed:', e));
+
+					return withSecurityHeaders(new Response(script, {
+						headers: {
+							'Content-Type': 'text/plain; charset=utf-8',
+							'Cache-Control': 'no-cache'
+						}
+					}));
 				}
 			}
 		}

src/lib/components/ConfigDetail.svelte

@@ -123,11 +123,20 @@
 		return gradients[index % gradients.length];
 	}
 
+	function escapeHtml(str: string): string {
+		return str
+			.replace(/&/g, '&')
+			.replace(/</g, '&lt;')
+			.replace(/>/g, '&gt;')
+			.replace(/"/g, '&quot;')
+			.replace(/'/g, '&#039;');
+	}
+
 	function highlightBash(code: string): string {
-		return code
+		return escapeHtml(code)
 			.replace(/^(#.*)$/gm, '<span class="comment">$1</span>')
 			.replace(/\b(if|then|else|elif|fi|for|while|do|done|case|esac|function|return|exit|echo|export|source|cd|mkdir|chmod|chown|sudo|brew|npm|git|curl|wget)\b/g, '<span class="keyword">$1</span>')
-			.replace(/(["'])(.*?)\1/g, '<span class="string">$1$2$1</span>')
+			.replace(/(&#039;|&quot;)(.*?)\1/g, '<span class="string">$1$2$1</span>')
 			.replace(/(\$\w+|\$\{[^}]+\})/g, '<span class="variable">$1</span>');
 	}
 
@@ -384,9 +393,9 @@
 				<div class="code-block">
 					<div class="code-header">
 						<span>custom-script.sh</span>
-						<button onclick={() => {
+						<button onclick={(e: MouseEvent) => {
 							navigator.clipboard.writeText(config.custom_script || '');
-							const btn = event?.currentTarget as HTMLButtonElement;
+							const btn = e.currentTarget as HTMLButtonElement;
 							if (btn) {
 								btn.textContent = 'Copied!';
 								setTimeout(() => btn.textContent = 'Copy', 2000);

src/lib/components/SiteHeader.svelte

@@ -26,7 +26,7 @@
 				{:else if $auth.user}
 					<a href="/dashboard" class="header-dashboard-link">Dashboard</a>
 					<span class="header-separator">/</span>
-					<a href="/api/auth/logout" class="header-logout-link">Logout</a>
+					<form method="POST" action="/api/auth/logout" style="display:inline"><button type="submit" class="header-logout-link">Logout</button></form>
 				{:else}
 					<a href="/login" class="header-login-link">Sign in</a>
 				{/if}
@@ -138,6 +138,14 @@
 		transition: color 0.2s cubic-bezier(0.4, 0, 0.2, 1);
 	}
 
+	button.header-logout-link {
+		background: none;
+		border: none;
+		cursor: pointer;
+		padding: 0;
+		font-family: inherit;
+	}
+
 	.header-dashboard-link:hover,
 	.header-login-link:hover,
 	.header-logout-link:hover {

src/lib/components/ThemeToggle.svelte

@@ -2,7 +2,7 @@
 	import { theme } from '$lib/stores/theme';
 </script>
 
-<button class="theme-toggle" on:click={() => theme.toggle()} title="Toggle theme">
+<button class="theme-toggle" onclick={() => theme.toggle()} title="Toggle theme">
 	{#if $theme === 'dark'}
 		<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
 			<path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z" />

src/lib/server/auth.ts

@@ -30,7 +30,7 @@ export async function verifyToken(token: string, secret: string): Promise<TokenP
 		if (!valid) return null;
 
 		const payload = JSON.parse(data) as TokenPayload;
-		if (payload.exp && Date.now() > payload.exp) return null;
+		if (!payload.exp || Date.now() > payload.exp) return null;
 
 		return payload;
 	} catch {

src/lib/server/validation.test.ts

@@ -209,8 +209,12 @@ describe('validateReturnTo', () => {
 		expect(validateReturnTo('/page?foo=bar&baz=qux')).toBe(true);
 	});
 
-	it('should accept paths with URL-encoded query params', () => {
-		expect(validateReturnTo('/page?param=%20space')).toBe(true);
+	it('should reject paths with URL-encoded unsafe characters', () => {
+		expect(validateReturnTo('/page?param=%20space')).toBe(false);
+	});
+
+	it('should reject percent-encoded double slash (open redirect)', () => {
+		expect(validateReturnTo('/%2F%2Fevil.com')).toBe(false);
 	});
 
 	it('should reject paths not starting with /', () => {

src/lib/server/validation.ts

@@ -3,6 +3,9 @@ interface ValidationResult {
 	error?: string;
 }
 
+/** Reserved aliases that conflict with top-level routes. Used by both hooks.server.ts and config creation. */
+export const RESERVED_ALIASES = ['api', 'install', 'dashboard', 'login', 'docs', 'cli-auth', 'explore'] as const;
+
 /** Validates custom script: max 10k chars, no null bytes. Base64-encoded at generation time to prevent shell injection. */
 export function validateCustomScript(script: string | null | undefined): ValidationResult {
 	if (!script) {
@@ -77,16 +80,24 @@ export function validateReturnTo(path: string | null | undefined): boolean {
 		return false;
 	}
 
-	if (!path.startsWith('/')) {
+	// Decode first to catch %2F%2F → // bypass attempts
+	let decoded: string;
+	try {
+		decoded = decodeURIComponent(path);
+	} catch {
+		return false;
+	}
+
+	if (!decoded.startsWith('/')) {
 		return false;
 	}
 
-	if (path.startsWith('//')) {
+	if (decoded.startsWith('//')) {
 		return false;
 	}
 
-	// Allow path + optional query string with safe characters
-	return /^\/[a-zA-Z0-9\-_/]*(\?[a-zA-Z0-9\-_=&%]*)?$/.test(path);
+	// Allow path + optional query string with safe characters (no % to prevent double-encoding attacks)
+	return /^\/[a-zA-Z0-9\-_/]*(\?[a-zA-Z0-9\-_=&]*)?$/.test(decoded);
 }
 
 interface Package {

src/lib/stores/auth.ts

@@ -38,7 +38,7 @@ function createAuthStore() {
 					}
 				} catch {
 					set({ user: null, loading: false });
-				} finally {
+					// Reset on failure so next check() retries instead of returning stale error
 					checkPromise = null;
 				}
 			})();

src/lib/test/db-mock.ts

@@ -33,8 +33,12 @@ export function createMockDB(data: MockData = {}): D1Database & { data: Record<s
 		dump() {
 			throw new Error('dump() not implemented in mock');
 		},
-		batch<T = unknown>(statements: D1PreparedStatement[]): Promise<D1Result<T>[]> {
-			throw new Error('batch() not implemented in mock');
+		async batch<T = unknown>(statements: D1PreparedStatement[]): Promise<D1Result<T>[]> {
+			const results: D1Result<T>[] = [];
+			for (const stmt of statements) {
+				results.push(await stmt.run() as D1Result<T>);
+			}
+			return results;
 		},
 		exec(query: string): Promise<D1Result> {
 			throw new Error('exec() not implemented in mock');
@@ -74,17 +78,18 @@ function createMockStatement(sql: string, tables: Record<string, any[]>): D1Prep
 		},
 
 		async run<T = unknown>(): Promise<D1Result<T>> {
-			// For INSERT/UPDATE/DELETE
+			// For INSERT/UPDATE/DELETE - modified array length indicates change count
 			const modified = executeQuery<T>(sql, bindings, tables);
+			const changes = Array.isArray(modified) ? modified.length : 0;
 			return {
 				results: [],
 				success: true,
 				meta: {
 					duration: 0.1,
-					changes: modified ? 1 : 0,
-					last_row_id: modified ? 1 : 0,
+					changes,
+					last_row_id: changes ? 1 : 0,
 					rows_read: 0,
-					rows_written: modified ? 1 : 0
+					rows_written: changes ? 1 : 0
 				}
 			};
 		},
@@ -252,31 +257,72 @@ function executeQuery<T>(sql: string, bindings: any[], tables: Record<string, an
 
 		const tableName = tableMatch[1];
 		const setMatch = sql.match(/set\s+(.*?)\s+where/i);
-		const whereMatch = sql.match(/where\s+(\w+)\s*=\s*\?/i);
-
-		if (setMatch && whereMatch) {
-			const whereField = whereMatch[1];
-			const whereValue = bindings[bindings.length - 1];
+		const whereClause = sql.match(/where\s+(.*?)$/i);
 
+		if (setMatch && whereClause) {
+			// Count SET bindings to determine where WHERE bindings start
 			const setFields = setMatch[1].split(',').map((s) => s.trim());
-			let bindingIndex = 0;
+			let setBindingCount = 0;
+			setFields.forEach((field) => {
+				if (field.match(/=\s*\?/)) setBindingCount++;
+			});
+
+			// Parse WHERE conditions
+			const conditions = whereClause[1].split(/\s+and\s+/i);
+			let whereBindingIndex = setBindingCount;
+
+			const matchesRow = (row: any): boolean => {
+				for (const condition of conditions) {
+					const eqMatch = condition.match(/(\w+)\s*=\s*\?/);
+					if (eqMatch) {
+						if (row[eqMatch[1]] !== bindings[whereBindingIndex++]) return false;
+						continue;
+					}
 
+					const literalEqMatch = condition.match(/(\w+)\s*=\s*'([^']*)'/);
+					if (literalEqMatch) {
+						if (row[literalEqMatch[1]] !== literalEqMatch[2]) return false;
+						continue;
+					}
+
+					const datetimeGtMatch = condition.match(/(\w+)\s*>\s*datetime\(['"]now['"]\)/i);
+					if (datetimeGtMatch) {
+						const fieldValue = row[datetimeGtMatch[1]];
+						if (!fieldValue || fieldValue <= new Date().toISOString()) return false;
+						continue;
+					}
+				}
+				return true;
+			};
+
+			let changeCount = 0;
 			tables[tableName].forEach((row) => {
-				if (row[whereField] === whereValue) {
+				// Reset whereBindingIndex for each row
+				whereBindingIndex = setBindingCount;
+				if (matchesRow(row)) {
+					let bindingIndex = 0;
 					setFields.forEach((field) => {
-						const bindingMatch = field.match(/(\w+)\s*=\s*\?/);
-						if (bindingMatch && bindingIndex < bindings.length - 1) {
-							row[bindingMatch[1]] = bindings[bindingIndex++];
+						const bindingMatchField = field.match(/(\w+)\s*=\s*\?/);
+						if (bindingMatchField && bindingIndex < setBindingCount) {
+							row[bindingMatchField[1]] = bindings[bindingIndex++];
 							return;
 						}
 
 						const literalMatch = field.match(/(\w+)\s*=\s*'([^']*)'/);
 						if (literalMatch) {
 							row[literalMatch[1]] = literalMatch[2];
 						}
+
+						const datetimeMatch = field.match(/(\w+)\s*=\s*datetime\(['"]now['"]\)/i);
+						if (datetimeMatch) {
+							row[datetimeMatch[1]] = new Date().toISOString().replace('T', ' ').replace(/\.\d+Z$/, '');
+						}
 					});
+					changeCount++;
 				}
 			});
+			// Return array with one element per changed row to signal change count
+			return new Array(changeCount).fill({}) as T[];
 		}
 		return [] as T[];
 	}
@@ -295,6 +341,7 @@ function executeQuery<T>(sql: string, bindings: any[], tables: Record<string, an
 			const index = tables[tableName].findIndex((row) => row[fieldName] === value);
 			if (index !== -1) {
 				tables[tableName].splice(index, 1);
+				return [{}] as T[];
 			}
 		}
 		return [] as T[];