fix: security hardening and stem multi-select

- Remove public /migrate endpoint (startup migration handles it)
- Add membership + canUpload check to POST /versions/track/:trackId
- Add membership check to stream-url, download-url, waveform endpoints
- Scope member PATCH/DELETE to projectId to prevent cross-project mutation
- Add auth + membership check to POST /comments/:id/resolve
- Add secure: true to session cookie in production
- Hash magic link tokens before storing (was plaintext)
- Return generic error message instead of err.message
- Fix stem multi-file-select: replace hidden attr with CSS offscreen
  (Safari/WebKit drops multiple selection on display:none file inputs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Robin Choice
2026-04-16 21:04:22 +02:00
parent afcb818dd4
commit c949d6b829
6 changed files with 72 additions and 56 deletions

@@ -124,7 +124,7 @@
accept="audio/*"
multiple
onchange={handleFileSelect}
hidden
style="position:absolute;width:1px;height:1px;opacity:0;pointer-events:none;"
/>
<div class="dropzone-content">
<span class="icon"><Icon name="upload" size={24} /></span>
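Review bot: the new `style` attribute on the file input carries no hint of why `hidden` was dropped, so a later cleanup is likely to restore `hidden` and silently reintroduce the WebKit multiple-selection bug the commit message describes; add a short comment beside it (e.g. `<!-- not "hidden": Safari/WebKit drops multiple selection on display:none file inputs -->`) or move the rule into a named class such as a visually-hidden utility with that comment in the stylesheet, so the reason survives with the code.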