v1.0.9-beta.014 - fix: resolve multiple security, stability, and UI issues
Security:
- Patched an IDOR vulnerability in api/library/route.ts to ensure users can only bulk-remove items from reading lists they own.
- Patched a cryptographic timing attack vulnerability in api/auth/reset-password/confirm/route.ts by using crypto.timingSafeEqual.
- Applied rate-limiting utilities (src/lib/rate-limit.ts) to all sensitive authentication, password reset, and 2FA endpoints to prevent brute-force and enumeration attacks.
Stability & Performance:
- Fixed an Out-Of-Memory (OOM) crash risk in src/lib/converter.ts by writing processed WEBP images to disk instead of hoarding buffers in memory during massive archive repacks.
- Fixed background cron jobs crashing (headers called outside a request scope) by bypassing fake HTTP requests and dropping jobs directly into the BullMQ queue (src/lib/cron.ts).
- Optimized api/admin/diagnostics/route.ts by removing redundant manual deletions, allowing Prisma's onDelete: Cascade to handle cleanup efficiently.
Feature & UI:
- Replaced the dummy toast provider with the functional Radix UI implementation, ensuring all application success/error popups render correctly.
- Made the Manga Publisher detection lists fully dynamic via the SystemSetting database table, allowing admins to easily add indie/local publishers via the Settings UI.
- Added an in-memory 5-minute cache to the manga detector to prevent severe N+1 database querying problems during mass imports.
- Fixed alignment and layout issues in the Settings page for the Manga and Western publisher text boxes.