···
// Skip Polar sync in test mode
-
if (process.env.NODE_ENV === "test" || process.env.SKIP_POLAR_SYNC === "true") {
···
const server = Bun.serve({
-
port: process.env.NODE_ENV === "test"
-
: (process.env.PORT ? Number.parseInt(process.env.PORT, 10) : 3000),
idleTimeout: 120, // 120 seconds for SSE connections
···
has_subscription: !!subscription,
email_verified: isEmailVerified(user.id),
-
email_notifications_enabled: prefs?.email_notifications_enabled === 1,
···
const sessionId = getSessionFromRequest(req);
-
return Response.json({ error: "Not authenticated" }, { status: 401 });
const user = getUserBySession(sessionId);
···
const currentSessionId = getSessionFromRequest(req);
-
return Response.json({ error: "Not authenticated" }, { status: 401 });
const user = getUserBySession(currentSessionId);
···
const body = await req.json();
const { password } = body;
-
return Response.json({ error: "Password required" }, { status: 400 });
// Validate password format (client-side hashed PBKDF2)
const passwordValidation = validatePasswordHash(password);
···
// Allow access if: owner, admin, or enrolled in the class
if (!isOwner && !isAdmin && !isClassMember) {
-
{ error: "Forbidden" },
// Require subscription only if accessing own transcription (not class)
···
// Allow access if: owner, admin, or enrolled in the class
if (!isOwner && !isAdmin && !isClassMember) {
-
{ error: "Forbidden" },
// Require subscription only if accessing own transcription (not class)
···
// Allow access if: owner, admin, or enrolled in the class
if (!isOwner && !isAdmin && !isClassMember) {
-
{ error: "Forbidden" },
// Require subscription only if accessing own transcription (not class)
···
const existingMeeting = getMeetingById(meetingId);
-
return Response.json({ error: "Meeting not found" }, { status: 404 });
updateMeetingTime(meetingId, label);
···
const existingMeeting = getMeetingById(meetingId);
-
return Response.json({ error: "Meeting not found" }, { status: 404 });
deleteMeetingTime(meetingId);
···
const response = server.fetch(req);
// Add security headers to all responses
if (response instanceof Response) {
const headers = new Headers(response.headers);
···
headers.set("X-Content-Type-Options", "nosniff");
headers.set("X-Frame-Options", "DENY");
headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
// Set CSP that allows inline styles with unsafe-inline (needed for Lit components)
// and script-src 'self' for bundled scripts
"Content-Security-Policy",
-
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none';"
return new Response(response.body, {
statusText: response.statusText,
···
// Skip Polar sync in test mode
+
process.env.NODE_ENV === "test" ||
+
process.env.SKIP_POLAR_SYNC === "true"
···
const server = Bun.serve({
+
process.env.NODE_ENV === "test"
+
? Number.parseInt(process.env.PORT, 10)
idleTimeout: 120, // 120 seconds for SSE connections
···
has_subscription: !!subscription,
email_verified: isEmailVerified(user.id),
+
email_notifications_enabled:
+
prefs?.email_notifications_enabled === 1,
···
const sessionId = getSessionFromRequest(req);
+
{ error: "Not authenticated" },
const user = getUserBySession(sessionId);
···
const currentSessionId = getSessionFromRequest(req);
+
{ error: "Not authenticated" },
const user = getUserBySession(currentSessionId);
···
const body = await req.json();
const { password } = body;
+
{ error: "Password required" },
// Validate password format (client-side hashed PBKDF2)
const passwordValidation = validatePasswordHash(password);
···
// Allow access if: owner, admin, or enrolled in the class
if (!isOwner && !isAdmin && !isClassMember) {
+
return Response.json({ error: "Forbidden" }, { status: 403 });
// Require subscription only if accessing own transcription (not class)
···
// Allow access if: owner, admin, or enrolled in the class
if (!isOwner && !isAdmin && !isClassMember) {
+
return Response.json({ error: "Forbidden" }, { status: 403 });
// Require subscription only if accessing own transcription (not class)
···
// Allow access if: owner, admin, or enrolled in the class
if (!isOwner && !isAdmin && !isClassMember) {
+
return Response.json({ error: "Forbidden" }, { status: 403 });
// Require subscription only if accessing own transcription (not class)
···
const existingMeeting = getMeetingById(meetingId);
+
{ error: "Meeting not found" },
updateMeetingTime(meetingId, label);
···
const existingMeeting = getMeetingById(meetingId);
+
{ error: "Meeting not found" },
deleteMeetingTime(meetingId);
···
+
development: process.env.NODE_ENV === "dev",
const response = server.fetch(req);
// Add security headers to all responses
if (response instanceof Response) {
const headers = new Headers(response.headers);
···
headers.set("X-Content-Type-Options", "nosniff");
headers.set("X-Frame-Options", "DENY");
headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
// Set CSP that allows inline styles with unsafe-inline (needed for Lit components)
// and script-src 'self' for bundled scripts
"Content-Security-Policy",
+
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none';",
return new Response(response.body, {
statusText: response.statusText,
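Review bot: The added `development: process.env.NODE_ENV === "dev",` option on the `Bun.serve` config is the only non-formatting change in this commit and carries no comment saying what it enables or why it is gated this way; as far as I know this switches on Bun's detailed error output, so a one-liner such as `// Opt in to Bun's development mode (detailed error output) only when NODE_ENV is exactly "dev"; off by default` would help the next reader. The literal compared is `"dev"`, while the other environment checks in this file compare against `"test"`; if any deployment sets the conventional `NODE_ENV=development`, development mode will silently stay off — presumably intended as a fail-closed default, but worth confirming. The `Bun.serve({ ... })` call this line belongs to starts and ends outside the hunk.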