cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
left4me/l4d2web
History
mwiegand f81e839ba2
security: harden boundary inputs and production defaults 
- validate instance names at the host lib and web boundary against
  [a-z0-9][a-z0-9_-]{0,63} to prevent path traversal via Server.name
- fail-closed on SECRET_KEY: load_config returns None when env unset,
  create_app raises if missing or "dev" outside TESTING
- close login timing oracle by hashing a dummy digest when the user
  is not found, equalizing response time
- set SESSION_COOKIE_SECURE outside TESTING
- delete_instance tolerates stop_service and fusermount3 failures so
  partially-initialized instances clean up without contract breaks;
  drops the is_mount() preflight that violated AGENTS.md
- document claim_next_job's single-process assumption
- clarify emit_step contract via docstring

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 00:53:33 +02:00
..
alembic fix: enable batch operations in alembic for sqlite unique constraints 2026-05-06 20:59:18 +02:00
routes security: harden boundary inputs and production defaults 2026-05-07 00:53:33 +02:00
services security: harden boundary inputs and production defaults 2026-05-07 00:53:33 +02:00
static feat(l4d2-web): add job pages and cancellation 2026-05-06 15:05:13 +02:00
templates feat(l4d2-web): add server creation form 2026-05-06 19:41:04 +02:00
tests security: harden boundary inputs and production defaults 2026-05-07 00:53:33 +02:00
__init__.py chore(l4d2): flatten component layout 2026-05-05 23:47:06 +02:00
alembic.ini chore(l4d2): flatten component layout 2026-05-05 23:47:06 +02:00
app.py security: harden boundary inputs and production defaults 2026-05-07 00:53:33 +02:00
auth.py fix(l4d2-web): reject encoded unsafe redirects 2026-05-06 13:24:04 +02:00
cli.py feat(deploy): add production-like test deployment 2026-05-06 19:30:10 +02:00
config.py security: harden boundary inputs and production defaults 2026-05-07 00:53:33 +02:00
db.py feat(deploy): add production-like test deployment 2026-05-06 19:30:10 +02:00
models.py feat: enforce unique port constraint on servers 2026-05-06 20:52:46 +02:00
pyproject.toml feat(deploy): add production-like test deployment 2026-05-06 19:30:10 +02:00
README.md feat(deploy): add production-like test deployment 2026-05-06 19:30:10 +02:00

README.md

l4d2-web-app

Flask web app for managing L4D2 servers through user-private blueprints.

Key v1 behaviors

  • Local username/password login; no public signup
  • Admin-managed overlay catalog
  • Private blueprints per user
  • Server creation from blueprints (live-linked; no per-server blueprint overrides)
  • Async job model with persisted command logs in job_logs
  • Desired vs actual state model
  • Live logs for jobs and servers via SSE endpoints
  • Host operations go through l4d2ctl via a local host command runner, not direct l4d2host imports

Frontend constraints

  • Server-rendered templates (Jinja)
  • Vendored HTMX (static/vendor/htmx.min.js)
  • Custom CSS only
  • Tokenized, consistent link and accent colors

Development

python3 -m venv .venv
.venv/bin/pip install -e .
.venv/bin/pytest tests -q

Configuration

The web app reads these settings from the environment:

  • DATABASE_URL: SQLAlchemy database URL, for example sqlite:////var/lib/left4me/left4me.db.
  • SECRET_KEY: Flask secret key used for sessions and CSRF-sensitive state.
  • JOB_WORKER_THREADS: number of background job worker threads.

In the systemd deployment, environment is loaded from /etc/left4me/host.env and /etc/left4me/web.env.

Admin Bootstrap

Create the first admin account with the Flask CLI. Provide the password through LEFT4ME_ADMIN_PASSWORD:

LEFT4ME_ADMIN_PASSWORD='change-me' flask create-user <username> --admin