fix: auth, container resilience, ISO build, gamepad polish
Some checks failed
Build Archipelago ISO (dev) / build-iso (push) Successful in 57m41s
Build Archipelago ISO / build-iso (push) Has been cancelled
Container Orchestration Tests / unit-tests (push) Failing after 7m14s
Container Orchestration Tests / smoke-tests (push) Has been skipped

- fix: login disconnect — verify session before WebSocket connect
- fix: 403 on app install — distinguish CSRF vs RBAC errors, only retry CSRF
- fix: health monitor now watches ALL containers (removed skip list for
  backend services like nbxplorer, databases, UI containers)
- fix: server.get-state added to CSRF-exempt list (read-only)
- fix: ISO build includes container-specs.sh and lib/common.sh in rootfs
  so reconcile actually works on fresh installs
- fix: gamepad nav — improved Server tab zone nav, focus styles, autofocus
- chore: move L484 web-only apps to Services tab
- chore: install store for cross-view install tracking

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-30 13:35:02 +01:00
parent 377195f7e0
commit 5bd3caf141
16 changed files with 218 additions and 88 deletions

View File

@@ -220,7 +220,8 @@ impl RpcHandler {
// Skip CSRF for read-only methods (polling, status) — CSRF prevents state-changing forgery.
// Skip when session was just auto-restored from remember-me (browser has stale CSRF cookie).
let csrf_exempt = matches!(rpc_req.method.as_str(),
"node-messages-received" | "server.echo" | "system.stats" | "tor.status"
"node-messages-received" | "server.echo" | "server.get-state"
| "system.stats" | "tor.status"
| "tor.onion-addresses" | "federation.list-nodes" | "system.get-settings"
| "system.get-node-key" | "system.get-metrics" | "system.get-version"
);