chore(release): release v1.10.0

[TimilsinaBimal]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
watchly	Ready	Preview, Comment	Apr 5, 2026 7:43am

General fix: When reading data from the DOM and reusing it in another sensitive context (here, as a URL for navigation), validate and normalize it rather than trusting the raw string. Ensure that only expected schemes, hostnames, and path characters are allowed, and avoid interpreting arbitrary text as a protocol URL.

Best specific fix here: Validate the url read from addonUrl before using it to build the stremio:// URL. A robust approach is:

1. Trim the string and ensure it is non-empty.
2. Normalize it as an HTTP(S) URL first via the URL constructor to ensure it has the expected scheme and structure.
3. Extract the host and path from the normalized URL, and reconstruct the stremio:// URL from those parts, rather than doing a naive string replace.
4. If parsing fails or the scheme is not http or https, abort (or show an error) instead of navigating.

This preserves functionality (it still converts an HTTP(S) addon URL into a stremio:// URL) but prevents arbitrary text from becoming an unchecked custom-protocol URL. All changes are confined to app/static/js/modules/form-success.js, specifically around lines 25–27. No new imports are needed.

Concretely, we will replace:

const url = document.getElementById('addonUrl').textContent;
window.location.href = `stremio://${url.replace(/^https?:\/\//, '')}`;

with logic that:

• Reads and trims the text;
• Uses new URL(...) to parse it (falling back to https:// if no scheme is provided);
• Verifies the protocol is http: or https:;
• Builds stremio:// using urlObj.host + urlObj.pathname + urlObj.search + urlObj.hash;
• Handles parsing errors by not redirecting (optionally using showError if we want minimal behavior change; to avoid new behavior we can just silently return).

---

In general, the fix is to stop exposing raw exception messages (str(e)) to the user and instead return a generic, non-sensitive error message while logging the detailed error server-side. The logging preserves debuggability; the user sees only a high-level explanation like “Trakt authorization failed. Please try again.”

Concretely for this file:

• Keep logging the exception using logger.error(...) (possibly with exc_info=True if desired), so developers still get full details.
• Change _oauth_error_page so it no longer accepts or renders an arbitrary error string. Instead, have it generate a static, generic error page for the given provider.
• Update the call at line 52 from _oauth_error_page("Trakt", str(e)) to simply _oauth_error_page("Trakt").
• Adjust _oauth_error_page’s signature and body accordingly: remove the error parameter and the <p>{error}</p> line, perhaps replace it with a generic message like “An error occurred while communicating with Trakt.”

All needed functionality is already available; no new imports or helpers are required. All changes are within app/api/endpoints/oauth.py at the shown locations.

In general, to fix information exposure through exceptions, you should log full exception details on the server and return only a high-level, user-friendly, generic error message to the client. Do not interpolate raw exception messages, stack traces, or internal configuration values into responses.

For this specific code, the best minimal change is to stop passing str(e) into _oauth_error_page and instead pass a generic message such as "An internal error occurred while connecting to Simkl." (or similar). This avoids changing the function signature or overall behavior of the endpoint: the user still gets an error page, but without internal details. The server-side logging with logger.error remains, so you still have all diagnostic detail in logs.

Concretely:

• In app/api/endpoints/oauth.py, within the simkl_callback function’s except block, replace return HTMLResponse(_oauth_error_page("Simkl", str(e))) with a call that uses a static, non-sensitive message string.
• No additional imports or helper methods are required; we reuse _oauth_error_page as-is.
• _oauth_error_page itself remains unchanged; it will receive the safe message string and render it.

[gemini-code-assist]

Code Review

This pull request introduces significant architectural changes, including the addition of OAuth support for Trakt and Simkl, a refactored token management system, and a new unified library/history model. While these changes expand functionality, several critical issues were identified: an AttributeError in the profile service due to incorrect attribute access on Pydantic models, a security vulnerability in the OAuth callback using a wildcard origin for postMessage, a missing import for the caching decorator in the TMDB service, and a breaking change to the health check endpoint's response format.