[codex] Harden advanced Caddy routing and restore checks #2
Open
imsakg wants to merge 4 commits into
Pull request overview
This PR hardens Caddyfile generation for advanced routes/forward-auth by validating and sanitizing user-provided inputs before rendering, while also updating the test suite and applying Pint formatting/cleanup across the codebase.
Changes:
- Validate/sanitize advanced-route + forward-auth matcher/upstream/header inputs before emitting Caddyfile blocks.
- Refresh feature tests to match the current ProxySite workflow and remove stale Breeze-era auth/project tests.
- Repo-wide formatting/cleanup (Pint), plus test env tweaks (APP_KEY) and dependency cleanup (remove Breeze).
Reviewed changes
Copilot reviewed 46 out of 55 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| tests/Feature/WebhookTest.php | Updates webhook behavior test to target ProxySite failover workflow. |
| tests/Feature/ProxySiteTest.php | Adds dashboard + create-site feature coverage for ProxySite workflow. |
| tests/Feature/ProjectTest.php | Removes stale Project workflow tests. |
| tests/Feature/CaddyServiceTest.php | Adds coverage for advanced-route sanitization and persistence normalization. |
| tests/Feature/Auth/RegistrationTest.php | Removes Breeze-era registration tests. |
| tests/Feature/Auth/PasswordUpdateTest.php | Aligns password update test with SettingsController workflow/logout behavior. |
| tests/Feature/Auth/PasswordResetTest.php | Removes Breeze-era password reset tests. |
| tests/Feature/Auth/PasswordConfirmationTest.php | Removes Breeze-era password confirmation tests. |
| tests/Feature/Auth/EmailVerificationTest.php | Removes Breeze-era email verification tests. |
| routes/api.php | Import ordering cleanup. |
| resources/js/Pages/Sites/Show.jsx | Adjusts JSON editor change/blur handling. |
| phpunit.xml | Adds APP_KEY for test runs. |
| database/seeders/UserSeeder.php | Pint formatting cleanup. |
| database/seeders/ProxySiteSeeder.php | Removes unused import. |
| database/seeders/DatabaseSeeder.php | Import cleanup and comment formatting. |
| database/seeders/BannedIpSeeder.php | Removes unused import. |
| database/migrations/2026_04_13_235000_create_config_audits_table.php | Whitespace cleanup. |
| config/services.php | Pint alignment/formatting. |
| config/sanctum.php | Uses imported middleware class names (formatting/clarity). |
| composer.lock | Removes Breeze package, updates platform PHP constraint. |
| composer.json | Removes Breeze dev dependency. |
| bootstrap/app.php | Import cleanup and scheduling/exception handler formatting. |
| app/Services/WafPresetService.php | Array formatting cleanup. |
| app/Services/PolicyOptimizerService.php | Pint formatting cleanup. |
| app/Services/HealthCheckService.php | Import ordering + formatting cleanup. |
| app/Services/ErrorPageService.php | Fixes trailing commas in template array entries. |
| app/Services/CaddyService.php | Adds matcher/upstream/header sanitization + skips unrenderable matcher blocks. |
| app/Providers/AppServiceProvider.php | Uses AppSetting import + formatting cleanup. |
| app/Models/User.php | Uses relation type imports for cleaner return types. |
| app/Models/SecurityEvent.php | Removes unused import. |
| app/Models/PageRule.php | Adds trailing commas in arrays. |
| app/Models/Notification.php | Uses NotificationSent import; formatting cleanup. |
| app/Models/HealthCheckLog.php | Adds trailing commas; formatting cleanup. |
| app/Models/BannedIp.php | Import ordering cleanup. |
| app/Models/AppSetting.php | Minor formatting/spacing cleanup. |
| app/Http/Middleware/HandleInertiaRequests.php | Formatting cleanup. |
| app/Http/Controllers/WebhookController.php | Formatting cleanup around site lookup + sync calls. |
| app/Http/Controllers/UptimeController.php | Formatting cleanup. |
| app/Http/Controllers/TeamController.php | Removes unused imports; formatting cleanup. |
| app/Http/Controllers/SettingsController.php | Adds explicit logout on email/password change; formatting cleanup. |
| app/Http/Controllers/SearchController.php | Formatting cleanup. |
| app/Http/Controllers/ProxySiteController.php | Normalizes/validates advanced-route inputs before persistence. |
| app/Http/Controllers/PolicyOptimizerController.php | Formatting cleanup. |
| app/Http/Controllers/NotificationController.php | Removes unused import. |
| app/Http/Controllers/LogExplorerController.php | Formatting cleanup. |
| app/Http/Controllers/BannedIpController.php | Constructor formatting cleanup. |
| app/Http/Controllers/AuthController.php | Removes unused imports; formatting cleanup. |
| app/Http/Controllers/AnalyticsController.php | Removes unused imports; formatting cleanup. |
| app/Events/SecurityEventOccurred.php | Constructor formatting cleanup. |
| app/Events/NotificationSent.php | Formatting cleanup. |
| app/Events/BackendHealthUpdated.php | Uses ProxySite import; constructor formatting cleanup. |
| app/Console/Commands/SyncCaddyCommand.php | Import cleanup and formatting (but see scheduled name mismatch comment). |
| app/Console/Commands/ResetAdminPassword.php | Minor formatting cleanup. |
| app/Console/Commands/IngestLogsCommand.php | Import cleanup and formatting. |
| app/Console/Commands/CheckBackendHealth.php | Import order cleanup. |
| } | ||
|
|
||
| if (\is_array($value)) { | ||
| $value = implode(' ', array_filter($value)); |
Comment on lines 19 to 20
| $site = ProxySite::where('notification_webhook_url', 'like', "%{$token}%")->first(); | ||
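Review bot: The `like` lookup with "%{$token}%" treats $token as a substring pattern rather than an identifier, so a token containing `%` or `_`, or one that is very short or empty, can match a site it does not belong to, and `first()` then returns whichever row the database yields first. Match the token exactly instead (against a dedicated token column, or by comparing the full stored URL), or at minimum escape LIKE wildcards and reject empty tokens before running the query.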
|
|
| })->everyMinute()->name('parse-caddy-logs')->withoutOverlapping(); | ||
|
|
||
| // Sync Caddy config every 5 minutes (catch any drift) | ||
| $schedule->command('caddy:sync')->everyFiveMinutes()->withoutOverlapping(); |
|
|
||
| class SyncCaddyCommand extends Command | ||
| { | ||
| protected $signature = 'sync:caddy'; |
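Review bot: The signature here is 'sync:caddy', but the scheduler entry above calls $schedule->command('caddy:sync'), so as shown the scheduled name does not resolve to this command and the five-minute drift sync will not run. Align the two names, either by changing the signature to 'caddy:sync' or the schedule call to 'sync:caddy'; passing SyncCaddyCommand::class to $schedule->command() would remove the string dependency altogether.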
Comment on lines 489 to 491
| if (\is_array($value)) { | ||
| $value = implode(' ', array_filter($value)); | ||
| } |
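Review bot: array_filter($value) with no callback drops every falsy element, so a legitimate "0" entry silently disappears, while a non-string element such as a nested array is kept and reaches implode(), where it is rendered as the literal "Array". Filter explicitly, for example keeping only elements where \is_string($v) && $v !== '', and make sure the joined string then goes through the same validation as a scalar value before it is emitted into the Caddyfile.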
Author
@copilot apply changes based on the comments in this thread
Author
@paramientos bump!
Summary
Why
The lint/check pass found stale test coverage from older Breeze and Project workflows, plus unsafe advanced-route input paths that could render invalid Caddy config. This PR keeps the current ProxyPanther model and routes under test while preserving the enterprise route-hardening work already on the branch.
Validation
- composer validate --strict
- vendor/bin/pint --test
- php artisan test passed: 21 tests, 90 assertions
- app, bootstrap, config, database, routes, and tests
- composer audit
- yarn build passed after refreshing Docker-runner Yarn dependencies; Vite still reports the existing large chunk warning
Notes
- origin push was denied for imsakg, so the branch was pushed to imsakg/proxypanther and opened back into paramientos/proxypanther:main.
- codedb.snapshot remains untracked and is intentionally excluded from this PR.