- Updated console log messages in cost.ts and proxy.ts for clarity and consistency.
- Added important SSRF warning in README.md regarding localhost access issues with certain clients, along with solutions using external proxy services.
- Created a new .env.example file with default environment variables for PORT, OPENAI_UPSTREAM_URL, ANTHROPIC_UPSTREAM_URL, and DATABASE_URL.
- Updated .npmignore to exclude all .env files except .env.example.
- Revised CONTRIBUTING.md to simplify the contribution process and provide clearer setup instructions.
- Enhanced cost.ts with detailed type definitions and improved cost calculation logic.
- Updated proxy.ts to include new environment variables and improved logging functionality.
- Modified README.md to reflect new configuration instructions and usage examples.
- Removed unnecessary dashboard files and streamlined the project structure.

This commit addresses three important bugs:

1. SQL Injection Prevention (proxy.ts:70-75):
   - Added whitelist validation for DATABASE_TABLE environment variable
   - Table names are now validated against ALLOWED_TABLES before use
   - Prevents potential SQL injection through malicious table names
2. SQL Interval Parameter Bug (dashboard/app/api/metrics/route.ts):
   - Fixed incorrect INTERVAL syntax in PostgreSQL queries
   - Changed from INTERVAL '$1 hours' to INTERVAL '1 hour' * $1
   - Properly uses parameterized queries with interval multiplication
   - Affects all 4 queries: summary, recent, model breakdown, and trends
3. Incorrect Property Reference (proxy.ts:206):
   - Fixed usage.cached_tokens to usage.prompt_tokens_details?.cached_tokens
   - Aligns with OpenAI API response structure for cached tokens
   - Ensures accurate logging of cached token usage

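The three fixes in the commit above, written out as standalone TypeScript functions. This is an added example, not the project's own proxy.ts or route.ts code: the table names in ALLOWED_TABLES, the default table, the column names (created_at, cost_usd) and the function names are assumptions for illustration. The point worth seeing in code is why the table name needs a whitelist rather than a bind parameter, and why INTERVAL '$1 hours' was never parameterized in the first place.

```typescript
// Added example (not the project's code). Table/column names are assumed.

// 1. DATABASE_TABLE whitelist. A table name is an identifier, not a value, so
//    it cannot be bound with $1 the way `hours` can. The only safe option is to
//    compare the env var against a fixed list and interpolate the matched
//    constant from that list, never the raw input.
const ALLOWED_TABLES = ["requests", "requests_archive"] as const; // assumed names
type AllowedTable = (typeof ALLOWED_TABLES)[number];

function validateTableName(envValue: string | undefined): AllowedTable {
  const candidate = envValue ?? "requests"; // assumed default
  const idx = (ALLOWED_TABLES as readonly string[]).indexOf(candidate);
  if (idx === -1) {
    throw new Error(
      `DATABASE_TABLE must be one of: ${ALLOWED_TABLES.join(", ")} ` +
        `(got ${JSON.stringify(candidate)})`
    );
  }
  return ALLOWED_TABLES[idx]; // return the whitelisted constant, not the input
}

// 2. Parameterized interval. INTERVAL '$1 hours' is a string literal that
//    merely contains the characters "$1": nothing is ever bound into it, so the
//    supplied `hours` value is never used by the query. INTERVAL '1 hour' * $1
//    keeps the interval literal constant and binds the number as a real
//    parameter, which is what the commit changed it to.
interface SqlQuery {
  text: string;
  values: unknown[];
}

function buildSummaryQuery(table: AllowedTable, hours: number): SqlQuery {
  return {
    text:
      `SELECT COUNT(*) AS requests, COALESCE(SUM(cost_usd), 0) AS cost_usd ` +
      `FROM ${table} ` + // safe: `table` is a whitelisted constant
      `WHERE created_at > NOW() - INTERVAL '1 hour' * $1`,
    values: [hours],
  };
}

// 3. Cached prompt tokens are nested under prompt_tokens_details in the
//    OpenAI usage object. Reading usage.cached_tokens is always undefined, so
//    cached usage was never recorded; the optional chain handles responses
//    (and models) that omit the details object entirely.
interface OpenAIUsage {
  prompt_tokens: number;
  completion_tokens: number;
  total_tokens: number;
  prompt_tokens_details?: { cached_tokens?: number };
}

function cachedTokens(usage: OpenAIUsage): number {
  return usage.prompt_tokens_details?.cached_tokens ?? 0;
}
```

Because `validateTableName` returns the constant from ALLOWED_TABLES rather than the env value itself, the string that reaches the template literal in `buildSummaryQuery` can only ever be one of the listed identifiers, even if the whitelist check were later loosened to a case-insensitive comparison.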
- Add input validation for hours and limit query parameters to prevent NaN and DoS attacks
- Replace || with ?? for proper null coalescing in metrics summary
- Fix IPv6 normalization to prevent empty string when IP is malformed
- Fix stream parsing to skip empty JSON strings and avoid parse errors
- Remove redundant .toString() calls on authorization header
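The four behavioural fixes listed above (bounded query parameters, `??` versus `||`, IPv6 normalization and stream parsing), written as standalone TypeScript functions. This is an added example, not the project's own code: the bounds (1..720 hours, 1..500 rows), the fallback values, the `"unknown"` sentinel and the constructed stream chunk in the test are assumptions for illustration.

```typescript
// Added example (not the project's code). Bounds and sentinels are assumed.

// Parse an integer query parameter with a default and hard bounds.
// Number("") is 0 and Number("abc") is NaN, so a bare Number() call lets
// "?hours=abc" reach the SQL layer as NaN, and an unbounded "?limit=99999999"
// turns one request into an arbitrarily large scan. Only plain digit strings
// are accepted; anything else falls back, and valid values are clamped.
function parseBoundedInt(
  raw: string | null | undefined,
  fallback: number,
  min: number,
  max: number
): number {
  if (raw === null || raw === undefined) return fallback;
  const trimmed = raw.trim();
  if (!/^\d+$/.test(trimmed)) return fallback; // rejects "", "abc", "-5", "1e9"
  const n = Number(trimmed);
  if (!Number.isSafeInteger(n)) return fallback;
  return Math.min(max, Math.max(min, n));
}

function parseHours(raw: string | null | undefined): number {
  return parseBoundedInt(raw, 24, 1, 720); // assumed: default 24h, max 30 days
}

function parseLimit(raw: string | null | undefined): number {
  return parseBoundedInt(raw, 100, 1, 500); // assumed: default 100 rows, max 500
}

// `||` treats 0 as missing, so a period with genuinely zero spend is reported
// as "no data" (null). `??` only substitutes for null/undefined.
interface SummaryRow {
  cost_usd: number | null;
}

function summaryCostBuggy(row: SummaryRow | undefined): number | null {
  return (row && row.cost_usd) || null; // 0 becomes null here
}

function summaryCost(row: SummaryRow | undefined): number | null {
  return row?.cost_usd ?? null; // 0 stays 0; only null/undefined become null
}

// Strip the IPv4-mapped prefix so "::ffff:10.0.0.5" and "10.0.0.5" are the
// same client. If stripping leaves nothing (malformed input such as "::ffff:"
// on its own, or a missing header), return a sentinel instead of "": an empty
// string would otherwise collapse every malformed client into one log/rate key.
function normalizeIp(raw: string | undefined): string {
  const trimmed = (raw ?? "").trim();
  const stripped = trimmed.startsWith("::ffff:") ? trimmed.slice(7) : trimmed;
  return stripped.length > 0 ? stripped : "unknown";
}

// Parse a chunk of an SSE-style streaming body. Each "data:" line should carry
// a JSON object, but keep-alive comments, blank "data:" lines and the final
// "[DONE]" marker are not JSON; passing them to JSON.parse throws and aborts
// the stream mid-response.
function parseStreamChunk(chunk: string): Record<string, unknown>[] {
  const events: Record<string, unknown>[] = [];
  for (const line of chunk.split("\n")) {
    if (!line.startsWith("data:")) continue; // comments (": keep-alive") and blanks
    const payload = line.slice("data:".length).trim();
    if (payload === "" || payload === "[DONE]") continue;
    events.push(JSON.parse(payload));
  }
  return events;
}
```

Clamping rather than rejecting out-of-range values is a design choice: it keeps the dashboard usable for a caller that asks for too much, while still capping the cost of any single query. If the endpoint is exposed beyond trusted users, returning a 400 for out-of-range input is equally defensible.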