Georges-Antoine Assi 619e03ab32 fix: stop serving private user assets via unauthenticated nginx static route ...

The default Docker image symlinked /romm/assets into the nginx static web
root (/assets/romm/assets), where it was served by an unauthenticated
`location /assets { try_files ... }` block. /romm/assets holds private user
data (save files, save states, screenshots, avatars) that is meant to be
accessible only through the authenticated /api/raw/assets/{path} route
(Scope.ASSETS_READ). The static symlink bypassed that protection, letting any
unauthenticated caller read another user's files given a (guessable) path.
Avatar URLs leaked the hex user ID through the same static route, making path
construction straightforward.

Fix:
- Drop the /romm/assets symlink from the Docker image build and both
  entrypoint scripts; only /romm/resources (public cover art, screenshots,
  manuals) remains statically served.
- Point the frontend avatar URLs at the authenticated /api/raw/assets/ route
  instead of /assets/romm/assets/. Browser <img> loads authenticate via the
  existing session cookie.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-05 17:34:30 -04:00

..

docker-entrypoint.sh

fix: stop serving private user assets via unauthenticated nginx static route

2026-06-05 17:34:30 -04:00

init

Drop redundant out_arr reset in otel_prefix

2026-05-24 15:17:42 -04:00