fix: address multiple code audit findings

- CORS: replace wildcard with explicit origin list from CORS_ORIGINS env - Auth: enforce strong defaults, JWT blacklist (RevokedToken model), login rate limiting - Auth: validate password length before bcrypt (72-byte limit) - Scheduler: single-threaded worker to mitigate SQLite write contention - Scheduler: graceful shutdown (wait=True) - Snapshots: add prune_snapshots() with configurable retention count - Storage: isolate localStorage keys via VITE_APP_KEY prefix - Config: add cors_origins, login_rate_limit, snapshot_retention_count settings
2026-05-17 10:52:18 +08:00
parent a42ecf7bcc
commit ad16618406
25 changed files with 792 additions and 165 deletions
@@ -98,9 +98,16 @@ class BrowserSessionService:
        session = self._get(session_id)
        async with session.lock:
            self._ensure_open(session)
-            return await session.page.screenshot(type="jpeg", quality=78, full_page=False)
+            return await session.page.screenshot(type="jpeg", quality=65, full_page=False)

-    async def event(self, session_id: str, event_type: str, payload: dict[str, Any]) -> dict[str, Any]:
+    async def event(
+        self,
+        session_id: str,
+        event_type: str,
+        payload: dict[str, Any],
+        *,
+        include_state: bool = True,
+    ) -> dict[str, Any] | None:
        session = self._get(session_id)
        async with session.lock:
            self._ensure_open(session)
@@ -141,8 +148,17 @@ class BrowserSessionService:
                await page.set_viewport_size({"width": width, "height": height})
            else:
                raise ValueError("Unsupported browser event")
+            if not include_state:
+                return None
            return await self._session_state(session)

+    async def selected_text(self, session_id: str) -> str:
+        session = self._get(session_id)
+        async with session.lock:
+            self._ensure_open(session)
+            value = await session.page.evaluate("() => window.getSelection()?.toString() || ''")
+            return str(value or "")
+
    async def close(self, session_id: str) -> None:
        session = self._discard_session(session_id)
        if not session: