Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 7625053a6c | |||
| 6218a46b57 | |||
| e4f0471614 | |||
| 2bbbc5e283 | |||
| 62559a59c9 | |||
| e0df32f42b |
@@ -1,6 +1,6 @@
|
|||||||
# Configuration and constants for MacroPad Server
|
# Configuration and constants for MacroPad Server
|
||||||
|
|
||||||
VERSION = "1.1.0"
|
VERSION = "1.1.2"
|
||||||
DEFAULT_PORT = 40000
|
DEFAULT_PORT = 40000
|
||||||
SETTINGS_FILE = "settings.json"
|
SETTINGS_FILE = "settings.json"
|
||||||
|
|
||||||
|
|||||||
+14
-6
@@ -416,15 +416,23 @@ class MacroManager:
|
|||||||
|
|
||||||
elif cmd_type == "app":
|
elif cmd_type == "app":
|
||||||
# Launch application.
|
# Launch application.
|
||||||
# SECURITY: shell=True was removed to kill shell-metacharacter
|
# SECURITY: never use shell=True — that would allow shell-metacharacter
|
||||||
# injection (no ; && | $() chaining). We tokenize the command
|
# injection (; && | $() chaining, redirection). Both branches below run
|
||||||
# and exec the program directly without a shell.
|
# without a shell, so the command can only launch a program with args.
|
||||||
command = cmd.get("command", "")
|
command = cmd.get("command", "")
|
||||||
if command:
|
if command:
|
||||||
try:
|
try:
|
||||||
args = shlex.split(command, posix=(os.name != "nt"))
|
if os.name == "nt":
|
||||||
if args:
|
# Windows: pass the string so CreateProcess parses it
|
||||||
subprocess.Popen(args)
|
# (correctly handling quoted paths like "C:\Program
|
||||||
|
# Files\app.exe"). shell=False means no cmd.exe, so no
|
||||||
|
# metacharacter chaining.
|
||||||
|
subprocess.Popen(command)
|
||||||
|
else:
|
||||||
|
# POSIX: split into an argv list; no shell involved.
|
||||||
|
args = shlex.split(command)
|
||||||
|
if args:
|
||||||
|
subprocess.Popen(args)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print(f"Error launching app command: {e}")
|
print(f"Error launching app command: {e}")
|
||||||
|
|
||||||
|
|||||||
@@ -7,6 +7,11 @@ class MacroPadApp {
|
|||||||
this.tabs = [];
|
this.tabs = [];
|
||||||
this.currentTab = 'All';
|
this.currentTab = 'All';
|
||||||
this.ws = null;
|
this.ws = null;
|
||||||
|
// Cache of image_path -> Promise<objectURL>. Macro images are
|
||||||
|
// content-addressed by uuid filename, so they are immutable: once
|
||||||
|
// fetched, an image never changes for a given path. Caching here avoids
|
||||||
|
// re-fetching every image through the relay on each re-render.
|
||||||
|
this._imageCache = new Map();
|
||||||
this.desktopConnected = false;
|
this.desktopConnected = false;
|
||||||
this.wsAuthenticated = false;
|
this.wsAuthenticated = false;
|
||||||
|
|
||||||
@@ -249,35 +254,55 @@ class MacroPadApp {
|
|||||||
this.loadMacroImages();
|
this.loadMacroImages();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fetch each macro image with the password header and display it
|
// Fetch each macro image with the password header and display it as a blob
|
||||||
// as a blob object URL so the credential never appears in a URL.
|
// object URL so the credential never appears in a URL. Images are fetched
|
||||||
async loadMacroImages() {
|
// in parallel and cached (see _imageCache) so re-renders reuse them instead
|
||||||
|
// of re-fetching through the relay each time.
|
||||||
|
loadMacroImages() {
|
||||||
for (const [id, macro] of Object.entries(this.macros)) {
|
for (const [id, macro] of Object.entries(this.macros)) {
|
||||||
if (!macro.image_path) continue;
|
if (!macro.image_path) continue;
|
||||||
const card = document.querySelector(`[data-macro-id="${id}"]`);
|
const card = document.querySelector(`[data-macro-id="${id}"]`);
|
||||||
if (!card) continue;
|
if (!card) continue;
|
||||||
const img = card.querySelector('.macro-image');
|
const img = card.querySelector('.macro-image');
|
||||||
if (!img) continue;
|
if (!img) continue;
|
||||||
|
this._applyMacroImage(img, macro.image_path);
|
||||||
try {
|
|
||||||
const response = await fetch(
|
|
||||||
`/${this.sessionId}/api/image/${macro.image_path}`,
|
|
||||||
{ headers: this.getApiHeaders() }
|
|
||||||
);
|
|
||||||
if (!response.ok) continue; // keep placeholder
|
|
||||||
const blob = await response.blob();
|
|
||||||
const objectUrl = URL.createObjectURL(blob);
|
|
||||||
img.onload = () => URL.revokeObjectURL(objectUrl);
|
|
||||||
img.src = objectUrl;
|
|
||||||
img.style.display = '';
|
|
||||||
const placeholder = img.nextElementSibling;
|
|
||||||
if (placeholder) placeholder.style.display = 'none';
|
|
||||||
} catch (error) {
|
|
||||||
// Leave the placeholder visible on failure.
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async _applyMacroImage(img, imagePath) {
|
||||||
|
try {
|
||||||
|
const objectUrl = await this._getImageUrl(imagePath);
|
||||||
|
img.src = objectUrl;
|
||||||
|
img.style.display = '';
|
||||||
|
const placeholder = img.nextElementSibling;
|
||||||
|
if (placeholder) placeholder.style.display = 'none';
|
||||||
|
} catch (error) {
|
||||||
|
// Leave the placeholder visible on failure.
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Returns a cached Promise<objectURL> for an image path, fetching once.
|
||||||
|
// The object URL is retained for the page's lifetime (images are immutable
|
||||||
|
// per path, so there is nothing to invalidate); this de-duplicates
|
||||||
|
// concurrent requests and eliminates re-fetching on re-render.
|
||||||
|
_getImageUrl(imagePath) {
|
||||||
|
let entry = this._imageCache.get(imagePath);
|
||||||
|
if (entry) return entry;
|
||||||
|
entry = (async () => {
|
||||||
|
const response = await fetch(
|
||||||
|
`/${this.sessionId}/api/image/${imagePath}`,
|
||||||
|
{ headers: this.getApiHeaders() }
|
||||||
|
);
|
||||||
|
if (!response.ok) throw new Error(`image ${response.status}`);
|
||||||
|
const blob = await response.blob();
|
||||||
|
return URL.createObjectURL(blob);
|
||||||
|
})();
|
||||||
|
// Drop failed fetches from the cache so a later render can retry.
|
||||||
|
entry.catch(() => this._imageCache.delete(imagePath));
|
||||||
|
this._imageCache.set(imagePath, entry);
|
||||||
|
return entry;
|
||||||
|
}
|
||||||
|
|
||||||
setupEventListeners() {
|
setupEventListeners() {
|
||||||
document.getElementById('tabs-container').addEventListener('click', (e) => {
|
document.getElementById('tabs-container').addEventListener('click', (e) => {
|
||||||
if (e.target.classList.contains('tab')) {
|
if (e.target.classList.contains('tab')) {
|
||||||
|
|||||||
@@ -49,6 +49,10 @@ export function createApiProxy(
|
|||||||
if (response.body?.base64 && response.body?.contentType) {
|
if (response.body?.base64 && response.body?.contentType) {
|
||||||
const buffer = Buffer.from(response.body.base64, 'base64');
|
const buffer = Buffer.from(response.body.base64, 'base64');
|
||||||
res.set('Content-Type', response.body.contentType);
|
res.set('Content-Type', response.body.contentType);
|
||||||
|
// Macro images are content-addressed (uuid filenames) and therefore
|
||||||
|
// immutable, so let the browser cache them aggressively. 'private'
|
||||||
|
// keeps them out of shared proxy caches since they sit behind auth.
|
||||||
|
res.set('Cache-Control', 'private, max-age=31536000, immutable');
|
||||||
res.send(buffer);
|
res.send(buffer);
|
||||||
} else {
|
} else {
|
||||||
res.status(response.status).json(response.body);
|
res.status(response.status).json(response.body);
|
||||||
|
|||||||
+1
-1
@@ -1 +1 @@
|
|||||||
1.1.0
|
1.1.2
|
||||||
+25
-16
@@ -34,8 +34,10 @@ class MacroPadApp {
|
|||||||
// Guards against out-of-order macro fetches
|
// Guards against out-of-order macro fetches
|
||||||
this._macroReqId = 0;
|
this._macroReqId = 0;
|
||||||
|
|
||||||
// Blob object URLs created for macro images (revoked on re-render)
|
// Cache of image URL -> Promise<objectURL>. Macro images are
|
||||||
this._objectUrls = [];
|
// content-addressed by uuid filename, so they are immutable; caching
|
||||||
|
// avoids re-fetching every image on each re-render.
|
||||||
|
this._imageCache = new Map();
|
||||||
|
|
||||||
// Set once a local-mode auth failure has been surfaced, to avoid
|
// Set once a local-mode auth failure has been surfaced, to avoid
|
||||||
// reconnect loops and repeated toasts.
|
// reconnect loops and repeated toasts.
|
||||||
@@ -451,16 +453,12 @@ class MacroPadApp {
|
|||||||
return headers;
|
return headers;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fetch a macro image with the auth header and display it as a blob
|
// Fetch a macro image with the auth header and display it as a blob object
|
||||||
// object URL, so no credential is ever placed on an <img> src.
|
// URL, so no credential is ever placed on an <img> src. The fetched blob is
|
||||||
|
// cached (images are immutable per URL) and reused across re-renders.
|
||||||
async loadMacroImage(url, img, placeholder) {
|
async loadMacroImage(url, img, placeholder) {
|
||||||
try {
|
try {
|
||||||
const res = await fetch(url, { headers: this.getAuthHeaders() });
|
const objectUrl = await this._getImageUrl(url);
|
||||||
if (!res.ok) throw new Error('image request failed');
|
|
||||||
const blob = await res.blob();
|
|
||||||
const objectUrl = URL.createObjectURL(blob);
|
|
||||||
// Track for best-effort revocation on the next render.
|
|
||||||
this._objectUrls.push(objectUrl);
|
|
||||||
img.src = objectUrl;
|
img.src = objectUrl;
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
// Fall back to the placeholder if the image can't be loaded.
|
// Fall back to the placeholder if the image can't be loaded.
|
||||||
@@ -469,6 +467,23 @@ class MacroPadApp {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Returns a cached Promise<objectURL> for an image URL, fetching once and
|
||||||
|
// retaining it for the page's lifetime (immutable content, nothing to
|
||||||
|
// invalidate); de-duplicates concurrent requests too.
|
||||||
|
_getImageUrl(url) {
|
||||||
|
let entry = this._imageCache.get(url);
|
||||||
|
if (entry) return entry;
|
||||||
|
entry = (async () => {
|
||||||
|
const res = await fetch(url, { headers: this.getAuthHeaders() });
|
||||||
|
if (!res.ok) throw new Error('image request failed');
|
||||||
|
const blob = await res.blob();
|
||||||
|
return URL.createObjectURL(blob);
|
||||||
|
})();
|
||||||
|
entry.catch(() => this._imageCache.delete(url));
|
||||||
|
this._imageCache.set(url, entry);
|
||||||
|
return entry;
|
||||||
|
}
|
||||||
|
|
||||||
// Rendering (safe DOM construction only - no user value reaches innerHTML)
|
// Rendering (safe DOM construction only - no user value reaches innerHTML)
|
||||||
renderTabs() {
|
renderTabs() {
|
||||||
const container = document.getElementById('tabs-container');
|
const container = document.getElementById('tabs-container');
|
||||||
@@ -492,12 +507,6 @@ class MacroPadApp {
|
|||||||
const container = document.getElementById('macro-grid');
|
const container = document.getElementById('macro-grid');
|
||||||
if (!container) return;
|
if (!container) return;
|
||||||
|
|
||||||
// Best-effort: revoke object URLs from the previous render to avoid leaks.
|
|
||||||
if (this._objectUrls && this._objectUrls.length) {
|
|
||||||
this._objectUrls.forEach((u) => URL.revokeObjectURL(u));
|
|
||||||
}
|
|
||||||
this._objectUrls = [];
|
|
||||||
|
|
||||||
container.textContent = '';
|
container.textContent = '';
|
||||||
|
|
||||||
const macroEntries = Object.entries(this.macros);
|
const macroEntries = Object.entries(this.macros);
|
||||||
|
|||||||
+5
-1
@@ -338,7 +338,11 @@ class WebServer:
|
|||||||
# Only serve files that resolve to inside the macro_images directory
|
# Only serve files that resolve to inside the macro_images directory
|
||||||
if (os.path.commonpath([requested, images_real]) == images_real
|
if (os.path.commonpath([requested, images_real]) == images_real
|
||||||
and os.path.isfile(requested)):
|
and os.path.isfile(requested)):
|
||||||
return FileResponse(requested)
|
# Macro images are content-addressed (uuid filenames) and thus
|
||||||
|
# immutable, so let the browser cache them aggressively.
|
||||||
|
return FileResponse(requested, headers={
|
||||||
|
"Cache-Control": "private, max-age=31536000, immutable"
|
||||||
|
})
|
||||||
raise HTTPException(status_code=404, detail="Image not found")
|
raise HTTPException(status_code=404, detail="Image not found")
|
||||||
|
|
||||||
@app.websocket("/ws")
|
@app.websocket("/ws")
|
||||||
|
|||||||
Reference in New Issue
Block a user