feat(security): add trusted proxies and abuse event cleanup

- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution. - Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events. - Update documentation with reverse proxy security guidelines and a production systemd deployment guide.
2026-05-31 21:52:56 +03:00
parent 2d04a42736
commit 10ed806153
38 changed files with 2310 additions and 43 deletions
--- a/backend/static/css/16-retro.css
+++ b/backend/static/css/16-retro.css
@@ -189,14 +189,25 @@
  padding-left: calc(0.85rem + 1px);
 }

-/* The primary call-to-action gets the blue title-bar gradient. */
+/* The primary call-to-action is a glossy raised blue button. A vertical
+   gradient + strong 3D bevel keeps it clearly a button (and distinct from the
+   horizontal title-bar gradient). */
 :root[data-theme="retro"] .button-primary {
-  background: linear-gradient(to right, #000078, 80%, #0f80cd);
+  background: linear-gradient(to bottom, #2f86e0 0%, #0a3aa0 52%, #000078 100%);
  color: #ffffff;
+  border: 1px solid #000000;
+  box-shadow: inset -1px -1px 0 #00003a, inset 1px 1px 0 #7fc0ff, inset -2px -2px 0 #001a6a, inset 2px 2px 0 #3f9fe8;
+  text-shadow: 1px 1px 0 rgba(0, 0, 0, 0.4);
 }

 :root[data-theme="retro"] .button-primary:hover {
-  background: linear-gradient(to right, #0a0a9a, 80%, #1a90dd);
+  filter: brightness(1.08);
+}
+
+:root[data-theme="retro"] .button-primary:active {
+  box-shadow: inset 1px 1px 0 #00003a, inset -1px -1px 0 #7fc0ff;
+  padding-top: calc(0.45rem + 1px);
+  padding-left: calc(0.85rem + 1px);
 }

 :root[data-theme="retro"] .button-danger {
@@ -277,7 +288,8 @@
   the API section cards. Pages where a heading sits below an icon or kicker
   (download/preview/login) keep the inset heading from the base h1 rule. */
 :root[data-theme="retro"] .card-content > h1:first-child,
-:root[data-theme="retro"] .docs-header h1 {
+:root[data-theme="retro"] .docs-header h1,
+:root[data-theme="retro"] .download-view-wide .download-card h1 {
  margin: -1.5rem -1.5rem 1rem;
 }

@@ -547,3 +559,64 @@
  border: 1px solid #000000;
  box-shadow: var(--shadow);
 }
+
+/* ------------------------------------------------------------------------- */
+/* Download / box page                                                       */
+/* ------------------------------------------------------------------------- */
+
+/* The decorative file glyph above the title doesn't suit a Win98 window. */
+:root[data-theme="retro"] .file-emblem {
+  display: none;
+}
+
+/* The download window's content is left-aligned like a real file manager. */
+:root[data-theme="retro"] .download-view-wide .download-card {
+  text-align: left;
+}
+
+/* Expiry shown as a sunken status field with a little clock. */
+:root[data-theme="retro"] .badge-row {
+  justify-content: flex-start;
+}
+
+:root[data-theme="retro"] .badge-expiry {
+  background: #ffffff;
+  color: #000000;
+  border: 1px solid #000000;
+  box-shadow: inset 1px 1px 0 #808080, inset -1px -1px 0 #ffffff;
+  font-weight: 700;
+  padding: 0.3rem 0.7rem;
+}
+
+:root[data-theme="retro"] .badge-expiry::before {
+  content: "\23F1  ";
+}
+
+/* List / Thumbnails / Preview images = a Win98 toolbar (menubar) of flat
+   buttons that raise on hover and depress when active. */
+:root[data-theme="retro"] .view-toolbar {
+  justify-content: flex-start;
+  gap: 2px;
+  margin-top: 1rem;
+  padding: 3px;
+  background: #c0c0c0;
+  border: 1px solid #000000;
+  box-shadow: inset 1px 1px 0 #ffffff, inset -1px -1px 0 #808080;
+}
+
+:root[data-theme="retro"] .view-toolbar .button {
+  background: transparent;
+  border: 1px solid transparent;
+  box-shadow: none;
+  font-weight: 400;
+}
+
+:root[data-theme="retro"] .view-toolbar .button:hover {
+  background: #c0c0c0;
+  box-shadow: inset -1px -1px 0 #808080, inset 1px 1px 0 #ffffff;
+}
+
+:root[data-theme="retro"] .view-toolbar .button.is-active {
+  background: #d4d0c8;
+  box-shadow: inset 1px 1px 0 #808080, inset -1px -1px 0 #ffffff;
+}
--- a/backend/static/css/50-admin.css
+++ b/backend/static/css/50-admin.css
@@ -106,6 +106,75 @@
  margin: 0;
 }

+.logs-filter-card {
+  display: grid;
+  grid-template-columns: repeat(6, minmax(0, 1fr));
+  gap: 0.7rem;
+  align-items: end;
+  margin-top: 1rem;
+  padding: 1rem;
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  background: var(--card);
+}
+
+.logs-filter-card label {
+  display: grid;
+  gap: 0.25rem;
+  min-width: 0;
+}
+
+.logs-filter-card label span {
+  color: var(--muted-foreground);
+  font-size: 0.72rem;
+}
+
+.logs-table td {
+  vertical-align: top;
+}
+
+.logs-table code {
+  white-space: pre-wrap;
+  word-break: break-word;
+}
+
+.log-time {
+  white-space: nowrap;
+}
+
+.admin-grid-two {
+  display: grid;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+  gap: 1rem;
+  margin-top: 1rem;
+}
+
+.compact-form {
+  display: grid;
+  gap: 0.75rem;
+}
+
+.compact-form textarea {
+  width: 100%;
+  resize: vertical;
+}
+
+@media (max-width: 980px) {
+  .admin-grid-two {
+    grid-template-columns: 1fr;
+  }
+
+  .logs-filter-card {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+  }
+}
+
+@media (max-width: 620px) {
+  .logs-filter-card {
+    grid-template-columns: 1fr;
+  }
+}
+

 /* Inline row edit (details/summary in table cells) */
 .row-edit {