Protego Mbweb: Hardening the Mediabot v3 Web Console

I have just pushed a new round of cleanup and hardening work around the Mediabot v3 web console (mbweb). This one is less about shiny new features and more about making the web interface safer, clearer, and more predictable.

The main goal was simple: keep the console useful for daily operations, but stop it from being fragile, noisy, or misleading.

What changed

1. Safer synchronization from the live app to the repository

The live mbweb app runs from:

/opt/mbweb/app

and is synchronized back into the repository under:

/home/mediabot/mediabot_v3/contrib/mbweb

The sync script was improved so it now behaves more strictly and predictably:

• keeps .env and private runtime files out of the repository;
• excludes node_modules, logs, backups, archives, sessions and temporary files;
• uses safer cleanup behavior during rsync;
• runs JavaScript syntax checks after sync;
• checks for forbidden files before reporting success;
• prints a manual review section for possible secrets.

That should make it much harder to accidentally commit sensitive or useless runtime material.

2. Cleaner and less noisy authentication logs

The login flow was logging too much detail. The previous logs could include things like:

• the submitted login name;
• the password length;
• the request IP;
• internal user IDs;
• nicknames from successful authentication.

That was useful while debugging, but too noisy and too sensitive for normal logs.

The authentication logs now keep only what is operationally useful:

POST received: URL, body keys, loginProvided, passwordProvided
auth result: ok, reason, method
login success: global level, role, channel count

So we still know what happened, without dumping personal or sensitive details into journalctl.

3. Metrics proxy hardening

The metrics proxy was improved to behave more defensively:

• HTTP fetches now have a timeout;
• metrics response size is capped;
• Prometheus parsing is more careful;
• the API can optionally filter metric names;
• the number of samples per metric is limited;
• failures now log the target URL and network cause, instead of only saying fetch failed.

This makes metrics failures easier to diagnose without exposing unnecessary details to the browser.

4. Partyline page corrected

This was an important one.

The Partyline page was previously showing users from the database with USER.auth = 1, and presenting that as if it were the live Partyline session list.

That was misleading.

A telnet/DCC Partyline connection lives inside the Perl bot process memory. The web console cannot directly list those users unless the bot exposes that runtime state somewhere.

So the page was corrected:

• it now clearly distinguishes runtime Partyline sessions from IRC / DB authenticated users;
• it uses the Prometheus metric mediabot_partyline_sessions_current when available;
• it explains that nick-level live Partyline details are not available yet from mbweb;
• it keeps the recent ChannelBan activity table.

This prevents confusion when someone is logged into the Partyline via telnet but does not appear in the DB-authenticated users table.

5. Repository functions for Partyline data

The Partyline SQL queries were moved into mediabotRepository.js instead of being embedded directly in the route.

New repository helpers include:

• getAuthenticatedDbUsers()
• getRecentChannelBans(limit)

This keeps route code cleaner and makes DB access easier to audit.

6. Safer numeric and search parameters

Several routes were using direct conversions such as:

Number(req.query.page) || 1

That works for happy paths, but can behave badly with values like:

• Infinity
• negative numbers
• decimals
• absurdly large values
• empty or messy search strings

A shared helper now clamps and sanitizes parameters more consistently:

• parsePositiveInt()
• cleanSearch()

This was applied across routes such as channels, users, commands and quotes.

7. Dashboard and profile API payload cleanup

Some API endpoints returned the whole session user object. That was broader than necessary.

The following endpoints now return a smaller public shape:

• /api/dashboard
• /api/me

Instead of returning everything in the session, they now expose only fields that are actually needed by the frontend, such as nickname, role, global level and channel count.

8. Radio status handling improved

The radio helper was hardened too:

• radio base URLs are validated as http:// or https://;
• mount paths are normalized;
• Icecast JSON response size is capped;
• empty and invalid JSON responses are handled cleanly;
• /api/radio/status no longer returns raw exception messages to the browser.

This makes the radio page safer and more predictable when Icecast is down, misconfigured, or returning unexpected data.

9. Fresh session checks for protected routes

The previous requireLogin() middleware refreshed the session in the background, but did not wait for that refresh before continuing.

For sensitive pages, that can mean a route makes a decision using slightly stale role information.

A new requireFreshLogin() middleware now waits for the session refresh before continuing. Protected routes were moved to this stricter middleware.

This matters especially for Owner/Master-only views like Partyline.

10. UI readability pass

The UI was also adjusted to make the console easier to read:

• slightly smaller base fonts;
• more compact navigation;
• less bulky tables;
• tighter cards and buttons;
• better density for dashboard-style pages.

The goal was not to remove the visual identity, but to make the interface less oversized and more practical for daily use.

Operational notes

The live app is still the source for runtime testing:

/opt/mbweb/app

Once validated, it is synchronized back into the repository with:

/home/mediabot/mediabot_v3/tools/sync_mbweb_contrib.sh

The repository copy lives here:

contrib/mbweb

Commit message

🪄 Protego Mbweb: harden the console, tame Partyline mirrors, and silence nosy logs

Final thoughts

This was mostly a hardening and clarity pass, but it matters a lot.

The web console now leaks less in logs, handles bad inputs more calmly, explains Partyline state more honestly, and is easier to maintain because more logic has moved into shared helpers and repository functions.

Next possible improvements:

• expose real live Partyline nick/session details from the Perl bot;
• add a dedicated runtime JSON endpoint or local status file for Partyline;
• continue auditing all remaining mbweb routes;
• add lightweight tests for the Node side of the console;
• improve the metrics dashboard once the Prometheus endpoint is confirmed stable.

Mischief managed.