Skip to content

refactor: remove identity provider logo handling and related tests#487

Merged
chenyme merged 1 commit into
devfrom
web
Jul 14, 2026
Merged

refactor: remove identity provider logo handling and related tests#487
chenyme merged 1 commit into
devfrom
web

Conversation

@chenyme

@chenyme chenyme commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Simplify browser security boundaries so they apply only where the project handles untrusted content.

  • Remove the global CSP while preserving sandbox policies for uploaded files and AI-generated Artifacts.
  • Remove automatic HSTS and redirect production HTTP requests to HTTPS with 308.
  • Remove the global no-referrer policy.
  • Load administrator-configured identity provider logos directly from their configured URLs.
  • Delete the identity provider Logo proxy route, remote fetching, MIME detection, size limits, errors, and tests.

Change type

  • Bug fix
  • Feature
  • Documentation
  • Refactor
  • Configuration / deployment
  • Security hardening
  • Other

Affected areas

  • Frontend / UI
  • Backend / API
  • Authentication / authorization
  • Conversations / streaming
  • Files / RAG / extraction
  • Model routing / providers
  • MCP / tools
  • Billing / payments
  • Admin console
  • Deployment / Docker / configuration
  • Documentation

Verification

  • cd frontend && pnpm lint
  • cd backend && env GOCACHE=/Users/project/DEEIX-Chat/.gocache go test ./internal/application/auth
  • cd backend && env GOCACHE=/Users/project/DEEIX-Chat/.gocache go test ./internal/transport/http/...
  • git diff --check
  • Build not run per request.

Screenshots, API examples, or logs

Not applicable. The UI layout is unchanged.

Configuration, migration, and compatibility notes

  • Production HTTP requests now receive a 308 Permanent Redirect to the same host over HTTPS.
  • /healthz and /readyz remain available over HTTP.
  • Requests with TLS or X-Forwarded-Proto: https are not redirected.
  • Automatic Strict-Transport-Security and includeSubDomains are removed.
  • The undocumented GET /api/v1/auth/providers/:slug/logo endpoint is removed.
  • Identity provider Logo URLs are now requested directly by the browser.
  • External Logo hosts can observe the client IP and cross-origin referrer origin.
  • No database, environment variable, or generated Swagger changes are required.

Documentation

  • Documentation is not needed for this change.
  • Documentation was updated.
  • Documentation still needs to be updated.

Security and privacy

  • No secrets, tokens, credentials, local config, or personal data are included.
  • User data access remains scoped by authenticated user context unless an admin-only path explicitly requires broader access.
  • Security-sensitive behavior was reviewed, including HTTPS redirects, administrator-configured external resources, uploaded files, and Artifact isolation.

Checklist

  • I searched existing issues and pull requests.
  • Changes are focused and do not include unrelated refactors.
  • Tests or static verification were run where practical.
  • User-facing behavior, deployment steps, API contracts, or configuration changes are documented.
  • Generated artifacts are included only when this project explicitly requires them.
  • Caches, build output, .pyc files, .env files, and local storage data are not committed.

@chenyme chenyme self-assigned this Jul 14, 2026
@chenyme
chenyme merged commit 5a500c5 into dev Jul 14, 2026
10 checks passed
@chenyme
chenyme deleted the web branch July 14, 2026 14:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant