12 Commits

Author SHA1 Message Date
HeagBoKaT
63013816c8 perf: optimize image loading — resize, thumbnails, caching, lazy load
- Server: resize uploads to max 1200px + generate 600px _thumb.jpg
- Server: cache /uploads with max-age=1y immutable headers
- Client: CatCard uses _thumb.jpg in feed (fallback to full on error)
- Client: first 3 feed cards load eagerly (LCP), rest lazy + decoding=async
- Client: loading placeholder bg while image fetches
- Migration: server/src/scripts/gen-thumbs.ts for existing images

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 09:55:49 +03:00
HeagBoKaT
852e0f5f5b fix: rate limiter was blocking all /api/cats reads after 10 requests
uploadLimiter now only applies to POST /api/cats (uploads), not GET
reads — previously users were getting 429 after ~10 page navigations.
Also remove duplicate file input in ProfilePage and cancel stale rAF
on route transition cleanup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 09:45:35 +03:00
heagbokat
15a6323dfe chore: update server package-lock.json (sharp dependency)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 00:55:02 +03:00
heagbokat
94fff09a41 feat: infinite scroll, HEIC support, likes fix, security & backup
- Fix liked hearts not showing after page reload (sync useEffect in CatCard)
- Replace pagination with infinite scroll (useInfiniteQuery + IntersectionObserver)
- Add HEIC/HEIF/AVIF image support with sharp conversion to JPEG on upload
- Validate MIME type alongside file extension to prevent spoofing
- Limit caption to 500 chars; increase upload size limit to 20MB
- Delete physical file from uploads/ when post is removed (cats + admin routes)
- Add WAL journal mode and graceful shutdown (SIGTERM/SIGINT) to db
- Add rate limiter for upload endpoint (10 req / 15 min)
- Add pre-deploy backup of data.db and uploads/ to deploy.sh (keeps last 10)
- Add plan_modernization.md with ideas for future improvements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 00:18:46 +03:00
heagbokat
e0247bc288 Fix case-insensitive auth and harden for production
- Fix login/register to treat usernames case-insensitively (HeagBoKaT == heagbokat) using LOWER() in SQL with JS .toLowerCase() for Unicode safety
- Add helmet for HTTP security headers and express-rate-limit on auth endpoints (20 req / 15 min) to prevent brute-force
- Lock CORS to ALLOWED_ORIGIN env var; warn if JWT_SECRET is the default dev key
- Serve built client/dist from Express so a single PM2 process handles everything
- Add deploy.sh, README.md with full first-run and auto-restart instructions, and server/.env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-25 23:29:06 +03:00
HeagBoKaT
466cb97a4e Fix likes batch route order, add profile links to all usernames 2026-05-29 14:46:18 +03:00
HeagBoKaT
025e52e6b1 Fix likes display, add avatar system (presets+upload), improve desktop layout, fix profile viewing 2026-05-29 14:21:40 +03:00
HeagBoKaT
3664b60f10 Fix mobile scroll jump, add comments, rename to Котограм 2026-05-29 13:58:42 +03:00
HeagBoKaT
cfc6001d62 Админ: управление caption, баллами, список постов 2026-05-29 12:43:37 +03:00
HeagBoKaT
12701ffbc2 Баллы +1 за загрузку, убраны из лайков. Админ-панель (admin/admin123) 2026-05-29 12:13:42 +03:00
HeagBoKaT
ea0df060e8 UI: тёплый современный дизайн + русификация 2026-05-29 10:38:01 +03:00
HeagBoKaT
e4b25fe4b7 first commit 2026-05-29 10:23:25 +03:00