Prevent invalid mxc from getting used

.github/workflows/build-pull-request.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v4.4.0
         with:
-          node-version: 24.13.1
+          node-version: 20.12.2
           cache: 'npm'
       - name: Install dependencies
         run: npm ci

.github/workflows/netlify-dev.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v4.4.0
         with:
-          node-version: 24.13.1
+          node-version: 20.12.2
           cache: 'npm'
       - name: Install dependencies
         run: npm ci

.github/workflows/prod-deploy.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v4.4.0
         with:
-          node-version: 24.13.1
+          node-version: 20.12.2
           cache: 'npm'
       - name: Install dependencies
         run: npm ci

Dockerfile

@@ -1,5 +1,5 @@
 ## Builder
-FROM node:24.13.1-alpine AS builder
+FROM node:20.12.2-alpine3.18 as builder
 
 WORKDIR /src
 
@@ -11,7 +11,7 @@ RUN npm run build
 
 
 ## App
-FROM nginx:1.29.5-alpine
+FROM nginx:1.29.3-alpine
 
 COPY --from=builder /src/dist /app
 COPY --from=builder /src/docker-nginx.conf /etc/nginx/conf.d/default.conf

README.md

@@ -83,7 +83,7 @@ mxFo+ioe/ABCufSmyqFye0psX3Sp
 
 ## Local development
 > [!TIP]
-> We recommend using a version manager as versions change very quickly. You will likely need to switch between multiple Node.js versions based on the needs of different projects you're working on. [NVM on windows](https://github.com/coreybutler/nvm-windows#installation--upgrades) on Windows and [nvm](https://github.com/nvm-sh/nvm) on Linux/macOS are pretty good choices. Recommended nodejs version is Krypton LTS (v24.13.1).
+> We recommend using a version manager as versions change very quickly. You will likely need to switch between multiple Node.js versions based on the needs of different projects you're working on. [NVM on windows](https://github.com/coreybutler/nvm-windows#installation--upgrades) on Windows and [nvm](https://github.com/nvm-sh/nvm) on Linux/macOS are pretty good choices. Recommended nodejs version is Iron LTS (v20).
 
 Execute the following commands to start a development server:
 ```sh

package-lock.json

@@ -56,7 +56,7 @@
         "react-google-recaptcha": "2.1.0",
         "react-i18next": "15.0.0",
         "react-range": "1.8.14",
-        "react-router-dom": "6.30.3",
+        "react-router-dom": "6.20.0",
         "sanitize-html": "2.12.1",
         "slate": "0.112.0",
         "slate-dom": "0.112.2",
@@ -3699,10 +3699,9 @@
       }
     },
     "node_modules/@remix-run/router": {
-      "version": "1.23.2",
+      "version": "1.13.0",
-      "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.23.2.tgz",
+      "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.13.0.tgz",
-      "integrity": "sha512-Ic6m2U/rMjTkhERIa/0ZtXJP17QUi2CbWE7cqx4J58M8aA3QTfW+2UlQ4psvTX9IO1RfNVhK3pcpdjej7L+t2w==",
+      "integrity": "sha512-5dMOnVnefRsl4uRnAdoWjtVTdh8e6aZqgM4puy9nmEADH72ck+uXwzpJLEKE9Q6F8ZljNewLgmTfkxUrBdv4WA==",
-      "license": "MIT",
       "engines": {
         "node": ">=14.0.0"
       }
@@ -9606,12 +9605,11 @@
       }
     },
     "node_modules/react-router": {
-      "version": "6.30.3",
+      "version": "6.20.0",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.30.3.tgz",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.20.0.tgz",
-      "integrity": "sha512-XRnlbKMTmktBkjCLE8/XcZFlnHvr2Ltdr1eJX4idL55/9BbORzyZEaIkBFDhFGCEWBBItsVrDxwx3gnisMitdw==",
+      "integrity": "sha512-pVvzsSsgUxxtuNfTHC4IxjATs10UaAtvLGVSA1tbUE4GDaOSU1Esu2xF5nWLz7KPiMuW8BJWuPFdlGYJ7/rW0w==",
-      "license": "MIT",
       "dependencies": {
-        "@remix-run/router": "1.23.2"
+        "@remix-run/router": "1.13.0"
       },
       "engines": {
         "node": ">=14.0.0"
@@ -9621,13 +9619,12 @@
       }
     },
     "node_modules/react-router-dom": {
-      "version": "6.30.3",
+      "version": "6.20.0",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.30.3.tgz",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.20.0.tgz",
-      "integrity": "sha512-pxPcv1AczD4vso7G4Z3TKcvlxK7g7TNt3/FNGMhfqyntocvYKj+GCatfigGDjbLozC4baguJ0ReCigoDJXb0ag==",
+      "integrity": "sha512-CbcKjEyiSVpA6UtCHOIYLUYn/UJfwzp55va4yEfpk7JBN3GPqWfHrdLkAvNCcpXr8QoihcDMuk0dzWZxtlB/mQ==",
-      "license": "MIT",
       "dependencies": {
-        "@remix-run/router": "1.23.2",
+        "@remix-run/router": "1.13.0",
-        "react-router": "6.30.3"
+        "react-router": "6.20.0"
       },
       "engines": {
         "node": ">=14.0.0"

package.json

@@ -67,7 +67,7 @@
     "react-google-recaptcha": "2.1.0",
     "react-i18next": "15.0.0",
     "react-range": "1.8.14",
-    "react-router-dom": "6.30.3",
+    "react-router-dom": "6.20.0",
     "sanitize-html": "2.12.1",
     "slate": "0.112.0",
     "slate-dom": "0.112.2",

src/app/pages/Router.tsx

@@ -68,7 +68,6 @@ import { Create } from './client/create';
 import { CreateSpaceModalRenderer } from '../features/create-space';
 import { SearchModalRenderer } from '../features/search';
 import { getFallbackSession } from '../state/sessions';
-import { pushSessionToSW } from '../../sw-session';
 
 export const createRouter = (clientConfig: ClientConfig, screenSize: ScreenSize) => {
   const { hashRouter } = clientConfig;
@@ -107,8 +106,7 @@ export const createRouter = (clientConfig: ClientConfig, screenSize: ScreenSize)
 
       <Route
         loader={() => {
-          const session = getFallbackSession();
+          if (!getFallbackSession()) {
-          if (!session) {
             const afterLoginPath = getAppPathFromHref(
               getOriginBaseUrl(hashRouter),
               window.location.href
@@ -116,7 +114,6 @@ export const createRouter = (clientConfig: ClientConfig, screenSize: ScreenSize)
             if (afterLoginPath) setAfterLoginRedirectPath(afterLoginPath);
             return redirect(getLoginPath());
           }
-          pushSessionToSW(session.baseUrl, session.accessToken);
           return null;
         }}
         element={

src/app/utils/notifications.ts

@@ -1,6 +1,6 @@
 import { MatrixClient, ReceiptType } from 'matrix-js-sdk';
 
-export async function markAsRead(mx: MatrixClient, roomId: string, privateReceipt?: boolean) {
+export async function markAsRead(mx: MatrixClient, roomId: string, privateReceipt: boolean) {
   const room = mx.getRoom(roomId);
   if (!room) return;
 
@@ -19,15 +19,8 @@ export async function markAsRead(mx: MatrixClient, roomId: string, privateReceip
   const latestEvent = getLatestValidEvent();
   if (latestEvent === null) return;
 
-  const latestEventId = latestEvent.getId();
+  await mx.sendReadReceipt(
-  if (!latestEventId) return;
+    latestEvent,
-
+    privateReceipt ? ReceiptType.ReadPrivate : ReceiptType.Read
-  // Set both the read receipt AND the fully_read marker
-  // The fully_read marker is what persists your read position across sessions
-  await mx.setRoomReadMarkers(
-    roomId,
-    latestEventId, // m.fully_read marker
-    latestEvent,   // m.read receipt event
-    privateReceipt ? { receiptType: ReceiptType.ReadPrivate } : undefined
   );
 }

src/client/initMatrix.ts

@@ -2,7 +2,6 @@ import { createClient, MatrixClient, IndexedDBStore, IndexedDBCryptoStore } from
 
 import { cryptoCallbacks } from './secretStorageKeys';
 import { clearNavToActivePathStore } from '../app/state/navToActivePath';
-import { pushSessionToSW } from '../sw-session';
 
 type Session = {
   baseUrl: string;
@@ -54,7 +53,6 @@ export const clearCacheAndReload = async (mx: MatrixClient) => {
 };
 
 export const logoutClient = async (mx: MatrixClient) => {
-  pushSessionToSW();
   mx.stopClient();
   try {
     await mx.logout();

src/index.tsx

@@ -15,8 +15,6 @@ import App from './app/pages/App';
 
 // import i18n (needs to be bundled ;))
 import './app/i18n';
-import { pushSessionToSW } from './sw-session';
-import { getFallbackSession } from './app/state/sessions';
 
 document.body.classList.add(configClass, varsClass);
 
@@ -27,9 +25,16 @@ if ('serviceWorker' in navigator) {
       ? `${trimTrailingSlash(import.meta.env.BASE_URL)}/sw.js`
       : `/dev-sw.js?dev-sw`;
 
-  navigator.serviceWorker.register(swUrl).then(() => {
+  navigator.serviceWorker.register(swUrl);
-    const session = getFallbackSession();
+  navigator.serviceWorker.addEventListener('message', (event) => {
-    pushSessionToSW(session?.baseUrl, session?.accessToken);
+    if (event.data?.type === 'token' && event.data?.responseKey) {
+      // Get the token for SW.
+      const token = localStorage.getItem('cinny_access_token') ?? undefined;
+      event.source!.postMessage({
+        responseKey: event.data.responseKey,
+        token,
+      });
+    }
   });
 }
 

src/sw-session.ts

@@ -1,10 +0,0 @@
-export function pushSessionToSW(baseUrl?: string, accessToken?: string) {
-  if (!('serviceWorker' in navigator)) return;
-  if (!navigator.serviceWorker.controller) return;
-
-  navigator.serviceWorker.controller.postMessage({
-    type: 'setSession',
-    accessToken,
-    baseUrl,
-  });
-}

src/sw.ts

@@ -3,64 +3,22 @@
 export type {};
 declare const self: ServiceWorkerGlobalScope;
 
-self.addEventListener('install', () => {
+async function askForAccessToken(client: Client): Promise<string | undefined> {
-  self.skipWaiting();
+  return new Promise((resolve) => {
-});
+    const responseKey = Math.random().toString(36);
-
+    const listener = (event: ExtendableMessageEvent) => {
-self.addEventListener('activate', (event: ExtendableEvent) => {
+      if (event.data.responseKey !== responseKey) return;
-  event.waitUntil(self.clients.claim());
+      resolve(event.data.token);
-});
+      self.removeEventListener('message', listener);
-
+    };
-type SessionInfo = {
+    self.addEventListener('message', listener);
-  accessToken: string;
+    client.postMessage({ responseKey, type: 'token' });
-  baseUrl: string;
-};
-
-/**
- * Store session per client (tab)
- */
-const sessions = new Map<string, SessionInfo>();
-
-async function cleanupDeadClients() {
-  const activeClients = await self.clients.matchAll();
-  const activeIds = new Set(activeClients.map((c) => c.id));
-
-  Array.from(sessions.keys()).forEach((id) => {
-    if (!activeIds.has(id)) {
-      sessions.delete(id);
-    }
   });
 }
 
-/**
+function fetchConfig(token?: string): RequestInit | undefined {
- * Receive session updates from clients
+  if (!token) return undefined;
- */
-self.addEventListener('message', (event: ExtendableMessageEvent) => {
-  const client = event.source as Client | null;
-  if (!client) return;
 
-  const { type, accessToken, baseUrl } = event.data || {};
-
-  if (type !== 'setSession') return;
-
-  cleanupDeadClients();
-
-  if (typeof accessToken === 'string' && typeof baseUrl === 'string') {
-    sessions.set(client.id, { accessToken, baseUrl });
-  } else {
-    // Logout or invalid session
-    sessions.delete(client.id);
-  }
-});
-
-function validMediaRequest(url: string, baseUrl: string): boolean {
-  const downloadUrl = new URL('/_matrix/client/v1/media/download', baseUrl);
-  const thumbnailUrl = new URL('/_matrix/client/v1/media/thumbnail', baseUrl);
-
-  return url.startsWith(downloadUrl.href) || url.startsWith(thumbnailUrl.href);
-}
-
-function fetchConfig(token: string): RequestInit {
   return {
     headers: {
       Authorization: `Bearer ${token}`,
@@ -69,16 +27,26 @@ function fetchConfig(token: string): RequestInit {
   };
 }
 
+self.addEventListener('activate', (event: ExtendableEvent) => {
+  event.waitUntil(clients.claim());
+});
+
 self.addEventListener('fetch', (event: FetchEvent) => {
   const { url, method } = event.request;
-
   if (method !== 'GET') return;
-  if (!event.clientId) return;
+  if (
+    !url.includes('/_matrix/client/v1/media/download') &&
+    !url.includes('/_matrix/client/v1/media/thumbnail')
+  ) {
+    return;
+  }
+  event.respondWith(
+    (async (): Promise<Response> => {
+      const client = await self.clients.get(event.clientId);
+      let token: string | undefined;
+      if (client) token = await askForAccessToken(client);
 
-  const session = sessions.get(event.clientId);
+      return fetch(url, fetchConfig(token));
-  if (!session) return;
+    })()
-
+  );
-  if (!validMediaRequest(url, session.baseUrl)) return;
-
-  event.respondWith(fetch(url, fetchConfig(session.accessToken)));
 });