left4me/l4d2web
mwiegand e28d4fad8c
l4d2web/csp: allow Steam avatar CDN in img-src
The live-state grid renders player avatars as <img src="https://avatars.steamstatic.com/...">,
but the CSP img-src directive was `'self' data:` — so the browser
silently blocked every avatar load, leaving placeholder circles in
place. The DB cache and Steam API path were both healthy; only the
browser-side load was blocked.

Use the wildcard *.steamstatic.com host-source rather than pinning a
single hostname: Steam rotates avatars across steamcdn-a.akamaihd.net,
avatars.akamai/cloudflare/fastly.steamstatic.com over time, and a
single-hostname allowlist would re-break on the next shuffle.

Test now pins img-src explicitly — the previous assertions only
checked default-src/frame-ancestors/form-action, so a regression of
this exact line would have silently passed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 20:23:29 +02:00
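The commit message above describes a CSP regression: with `img-src 'self' data:` the browser blocks every avatar served from the Steam CDN, the fix allows the `*.steamstatic.com` wildcard, and the test now pins img-src so the directive cannot silently regress. The block below is an added example, not code from the l4d2web repository: a small CSP source matcher that parses a policy into directives, applies img-src to an image URL the way a browser does for the source forms in play ('self', 'none', scheme sources such as data:, exact and leading-wildcard hosts), and turns that into the shape of regression check the commit describes. The two policy strings, the page origin `https://l4d2.example` and the avatar URLs are constructed for the example; the exact directive text the project ships is not on this page.

```python
"""Minimal CSP source matcher: added example, not l4d2web project code.

Parses a Content-Security-Policy header into directives and decides whether
an image URL would load under img-src. Supports the source forms that matter
for the regression described in the commit message: 'self', 'none', scheme
sources such as data:, exact hosts and leading-wildcard hosts. Path parts of
host-sources and keyword sources other than 'self'/'none' are not handled.
"""
from urllib.parse import urlsplit

# Constructed policies: the shape of the header before and after the fix.
# The exact directive text the project ships is not on this page.
CSP_BEFORE = "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'"
CSP_AFTER = ("default-src 'self'; img-src 'self' data: https://*.steamstatic.com; "
             "frame-ancestors 'none'")

# Assumed origin the pages are served from; used to resolve 'self'.
PAGE_ORIGIN = "https://l4d2.example"

# Constructed avatar URLs on the hosts the commit message names (paths are fake).
AVATAR_URLS = [
    "https://avatars.steamstatic.com/x_full.jpg",
    "https://avatars.akamai.steamstatic.com/x_full.jpg",
    "https://avatars.cloudflare.steamstatic.com/x_full.jpg",
    "https://avatars.fastly.steamstatic.com/x_full.jpg",
    "https://steamcdn-a.akamaihd.net/x_full.jpg",
]


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source-expressions]}.

    Browsers honour the first occurrence of a directive and ignore repeats,
    so setdefault() mirrors that.
    """
    directives: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern_host: str, host: str) -> bool:
    """CSP host-part matching: '*.a.b' matches any depth of subdomain of a.b,
    but not a.b itself; '*' matches any host."""
    pattern_host, host = pattern_host.lower(), host.lower()
    if pattern_host == "*":
        return bool(host)
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # ".steamstatic.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def source_allows(source: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Does a single source-expression permit loading `url`?"""
    u, page = urlsplit(url), urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. data:
        return u.scheme == source[:-1].lower()
    scheme, sep, rest = source.partition("://")
    if not sep:                                      # schemeless host-source:
        scheme, rest = page.scheme, source           # inherits the page scheme
    scheme = scheme.lower()
    allowed_schemes = {scheme} | ({"https"} if scheme == "http" else set())
    if u.scheme not in allowed_schemes:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not _host_matches(host, u.hostname or ""):
        return False
    if port and port != "*":
        default_port = {"https": 443, "http": 80}.get(u.scheme)
        if str(u.port or default_port) != port:
            return False
    return True


def csp_allows_image(header: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Apply img-src, falling back to default-src as browsers do."""
    directives = parse_csp(header)
    sources = directives.get("img-src", directives.get("default-src", ["*"]))
    return any(source_allows(s, url, page_origin) for s in sources)


def blocked_avatars(header: str, urls: list[str] = AVATAR_URLS) -> list[str]:
    """The regression check: which avatar URLs would this policy block?"""
    return [u for u in urls if not csp_allows_image(header, u)]


if __name__ == "__main__":
    for label, header in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        print(label, "blocks:", blocked_avatars(header))
```

Two things the matcher makes visible that the directive text alone does not: `*.steamstatic.com` matches `avatars.cloudflare.steamstatic.com` at any subdomain depth but not the bare `steamstatic.com` apex, and the `steamcdn-a.akamaihd.net` host named in the commit message lies outside that wildcard, so a policy built only on `*.steamstatic.com` would still block an avatar served from there. A behavioural check like `blocked_avatars()` against sample URLs catches both cases, whereas a test that only compares the header string to a literal would not.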
alembic feat(l4d2-web): add command_history table for RCON console transcript 2026-05-14 21:26:56 +02:00
routes harden(l4d2web): per-username login rate limit alongside per-IP 2026-05-14 22:26:20 +02:00
services refactor(sandbox): collapse l4d2-sandbox user into left4me 2026-05-15 15:50:57 +02:00
static refactor(l4d2-web): harden console-history.js against HTMX version drift and races 2026-05-14 21:42:05 +02:00
templates harden(l4d2web): default security response headers and generic error handlers 2026-05-14 22:21:36 +02:00
tests l4d2web/csp: allow Steam avatar CDN in img-src 2026-05-15 20:23:29 +02:00
__init__.py chore(l4d2): flatten component layout 2026-05-05 23:47:06 +02:00
alembic.ini chore(l4d2): flatten component layout 2026-05-05 23:47:06 +02:00
app.py l4d2web/csp: allow Steam avatar CDN in img-src 2026-05-15 20:23:29 +02:00
auth.py harden(l4d2web): auth/session — clear on login+logout, constant-time CSRF, role-change invalidation 2026-05-14 22:18:46 +02:00
cli.py cli: add workshop-refresh subcommand for scheduled global refresh 2026-05-11 23:15:05 +02:00
config.py feat(live-state): start daemon poller, prune history, close stuck sessions 2026-05-12 22:10:55 +02:00
db.py feat(deploy): add production-like test deployment 2026-05-06 19:30:10 +02:00
models.py feat(l4d2-web): add command_history table for RCON console transcript 2026-05-14 21:26:56 +02:00
pyproject.toml refactor(l4d2-web): drop global-overlays subsystem in favor of script type 2026-05-08 15:43:41 +02:00
README.md feat(deploy): add production-like test deployment 2026-05-06 19:30:10 +02:00

l4d2-web-app

Flask web app for managing L4D2 servers through user-private blueprints.

Key v1 behaviors

  • Local username/password login; no public signup
  • Admin-managed overlay catalog
  • Private blueprints per user
  • Server creation from blueprints (live-linked; no per-server blueprint overrides)
  • Async job model with persisted command logs in job_logs
  • Desired vs actual state model
  • Live logs for jobs and servers via SSE endpoints
  • Host operations go through l4d2ctl via a local host command runner, not direct l4d2host imports

Frontend constraints

  • Server-rendered templates (Jinja)
  • Vendored HTMX (static/vendor/htmx.min.js)
  • Custom CSS only
  • Tokenized, consistent link and accent colors

Development

python3 -m venv .venv
.venv/bin/pip install -e .
.venv/bin/pytest tests -q

Configuration

The web app reads these settings from the environment:

  • DATABASE_URL: SQLAlchemy database URL, for example sqlite:////var/lib/left4me/left4me.db.
  • SECRET_KEY: Flask secret key used for sessions and CSRF-sensitive state.
  • JOB_WORKER_THREADS: number of background job worker threads.

In the systemd deployment, environment is loaded from /etc/left4me/host.env and /etc/left4me/web.env.
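An added example, not part of the l4d2web project, of checking these three settings before the app starts rather than discovering problems at the first request: it fails closed on a missing or short SECRET_KEY, flags the sqlite:/// versus sqlite://// mistake (SQLAlchemy reads the three-slash form as a path relative to the process working directory, which under systemd is rarely what was intended; the README's four-slash form is absolute), and bounds JOB_WORKER_THREADS. The minimum key length, thread ceiling and default thread count are assumptions; the README states none of them.

```python
"""Startup validation for DATABASE_URL, SECRET_KEY and JOB_WORKER_THREADS.

Added example, not l4d2web project code. The numeric limits below are
assumptions chosen for the example, not values the project documents.
"""
import os

MIN_SECRET_KEY_BYTES = 32       # assumption: 256 bits of key material
MAX_JOB_WORKER_THREADS = 64     # assumption: upper bound for one host
DEFAULT_JOB_WORKER_THREADS = 2  # assumption: the README states no default


class ConfigError(ValueError):
    """Raised when the environment cannot produce a safe configuration."""


def validate_web_env(env) -> list[str]:
    """Return a list of problems with `env`; an empty list means the settings are usable."""
    problems = []

    secret = env.get("SECRET_KEY", "")
    if len(secret.encode()) < MIN_SECRET_KEY_BYTES:
        problems.append(f"SECRET_KEY must be at least {MIN_SECRET_KEY_BYTES} bytes")

    db_url = env.get("DATABASE_URL", "")
    if "://" not in db_url:
        problems.append("DATABASE_URL is missing or not a SQLAlchemy URL")
    elif db_url.startswith("sqlite:"):
        path = db_url[len("sqlite:"):]
        # sqlite:///name.db is relative to the cwd; sqlite:////abs/name.db is
        # absolute; sqlite:// and sqlite:///:memory: are in-memory databases.
        if (path.startswith("///") and not path.startswith("////")
                and path[3:] not in ("", ":memory:")):
            problems.append("DATABASE_URL sqlite path is relative; use sqlite:////absolute/path")

    raw = env.get("JOB_WORKER_THREADS", str(DEFAULT_JOB_WORKER_THREADS))
    if not raw.isdigit() or not 1 <= int(raw) <= MAX_JOB_WORKER_THREADS:
        problems.append(
            f"JOB_WORKER_THREADS must be an integer from 1 to {MAX_JOB_WORKER_THREADS}")

    return problems


def load_web_config(env=None) -> dict:
    """Validate and return the settings, raising ConfigError instead of
    letting Flask start with SECRET_KEY unset or the database file misplaced."""
    env = os.environ if env is None else env
    problems = validate_web_env(env)
    if problems:
        raise ConfigError("; ".join(problems))
    return {
        "DATABASE_URL": env["DATABASE_URL"],
        "SECRET_KEY": env["SECRET_KEY"],
        "JOB_WORKER_THREADS": int(env.get("JOB_WORKER_THREADS", DEFAULT_JOB_WORKER_THREADS)),
    }


if __name__ == "__main__":
    # Constructed sample environment mirroring the README's sqlite example.
    sample = {
        "SECRET_KEY": "k" * 64,
        "DATABASE_URL": "sqlite:////var/lib/left4me/left4me.db",
        "JOB_WORKER_THREADS": "4",
    }
    print(load_web_config(sample))
    print(validate_web_env(dict(sample, DATABASE_URL="sqlite:///left4me.db")))
```

Calling `load_web_config()` once at import time of the Flask app, before `create_app()` touches the database, turns a misconfigured `web.env` into a unit that fails to start, which is easier to notice than sessions that silently fail or a stray `left4me.db` created in the service's working directory.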

Admin Bootstrap

Create the first admin account with the Flask CLI. Provide the password through LEFT4ME_ADMIN_PASSWORD:

LEFT4ME_ADMIN_PASSWORD='change-me' flask create-user <username> --admin