Skip to content

fix(api-server): address PR #189 review — security, encapsulation, error handling#192

Closed
0xmrpeter wants to merge 3 commits intodevelopfrom
fix/session-history-endpoint
Closed

fix(api-server): address PR #189 review — security, encapsulation, error handling#192
0xmrpeter wants to merge 3 commits intodevelopfrom
fix/session-history-endpoint

Conversation

@0xmrpeter
Copy link
Copy Markdown
Contributor

@0xmrpeter 0xmrpeter commented Apr 2, 2026

Summary

Fixes critical issues identified in PR #189 (feat/session-history-endpoint):

  • Revert SessionIdParamSchema regex — the regex was applied to a shared schema used by ALL session routes, causing a breaking change. Path traversal protection is now handled at the data layer instead.
  • Path traversal protection in HistoryStore.filePath() — uses path.basename() + resolved path verification to prevent directory traversal attacks at the correct layer.
  • Remove decodeURIComponent bypass risk — regex validated the encoded form while decodeURIComponent could produce different characters. Removed since nanoid IDs don't need URL decoding.
  • ServiceUnavailableError class — consistent 503 error handling through the global error handler instead of inline reply.status(503).send().
  • Encapsulation: ContextManager.getHistory() — removed standalone history-store service registration. API server now accesses history through the existing context service (ContextManager), keeping HistoryStore as an internal implementation detail.
  • Tests — path traversal protection tests for HistoryStore + unit tests for ContextManager.getHistory().

Test plan

  • pnpm build passes
  • All 257 context plugin tests pass (including new ones)
  • Full test suite: 2431 passed, 2 pre-existing failures (unrelated instance tests)
  • GET /api/v1/sessions/:id/history returns history for active session
  • Returns 404 when session not found
  • Returns 503 when context plugin not loaded
  • Returns 404 when no history for given sessionId
  • Path traversal attempts are rejected

🤖 Generated with Claude Code

lngdao and others added 3 commits April 2, 2026 02:52
@lngdao
feat(api-server): add session history endpoint
1ca57cd 
GET /api/v1/sessions/:sessionId/history returns the full conversation
history for a session from the context plugin's HistoryStore.
@lngdao
fix(api-server): address PR #189 review — session check, path travers…
b947615 
…al, 503 status

- Add session existence check before querying history store
- Add regex constraint to SessionIdParamSchema to prevent path traversal
- Return 503 instead of 404 when history store is unavailable
@0xmrpeter @claude
fix(api-server): address PR #189 review — security, encapsulation, er…
a846911 
…ror handling

- Revert SessionIdParamSchema regex that was a breaking change for all session routes
- Add path traversal protection in HistoryStore.filePath() using path.basename()
- Remove decodeURIComponent bypass risk in history route
- Add ServiceUnavailableError class for consistent 503 error handling
- Refactor: route history access through ContextManager.getHistory() instead of
  exposing internal HistoryStore as standalone service
- Add path traversal and ContextManager.getHistory() tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@0xmrpeter 0xmrpeter mentioned this pull request Apr 2, 2026
Closed
4 tasks
@0xmrpeter
Copy link
Copy Markdown
Contributor Author

0xmrpeter commented Apr 2, 2026

Merged into develop via direct merge.

@0xmrpeter 0xmrpeter closed this Apr 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@0xmrpeter @lngdao