fix(ui/security): Enforce idempotent AI fetching, secure auth handler, and memory leak guards #45

Merged
mjasin merged 4 commits from fix/idempotent-ai-fetching into develop 2026-05-20 17:27:40 +00:00
Collaborator

This PR provides critical stabilization, memory leak resolution, and security enhancements for the NexusReader application, specifically focusing on Blazor InteractiveAuto lifecycle safety, thread-safe automated authentication token refresh, and deduplication of active AI service queries.

Key Enhancements

1. Security & Lifecycle Stabilization (AuthenticationHeaderHandler.cs & Library.razor)

  • Secure Token Propagation (CWE-200): Modified the outbound delegating handler to only append JWT Bearer headers to trusted base origin requests matching the application's configured NavigationManager.BaseUri, preventing potential token leakage to external services.
  • Captive Dependency & Memory Leak Fix (CWE-400): Avoided capturing scoped dependencies in a singleton handler by wrapping the resolution of IIdentityService inside a dedicated, disposable IServiceProvider scope (_serviceProvider.CreateScope()).
  • Thread-Safe Automated Refresh: Embedded a SemaphoreSlim lock around the automated RefreshTokenAsync renewal sequence to handle concurrent API requests gracefully without triggering duplicate token refresh attempts.
  • Pre-rendering Safety: Deferred the secure book loading query in Library.razor from OnInitializedAsync to client-side OnAfterRenderAsync(firstRender: true) to avoid inevitable 401 Unauthorized responses and logs during the server pre-rendering phase.

2. Robust AI Request Deduplication (KnowledgeService.cs)

  • State Recovery Guards: Enhanced the thread-safe Lazy<Task<Result<KnowledgePacket>>> deduplication map by adding thorough failure handling blocks. Active requests are guaranteed to be cleaned up (TryRemove) inside finally and failed results pathways, ensuring future retries can run immediately if an initial request encounters an error.

3. Idempotent AI UI Fetching & JSRuntime Guards

  • Interactive Guards: Added an _isInteractive check to GroundednessBadge.razor and AiAssistantBubble.razor components, deferring WebAssembly API executions and DOM updates to client-side OnAfterRenderAsync.
  • State Synchronization: Integrated a synchronous OnParametersSet to properly reset groundedness badges when content changes.
  • Flicker Elimination: Moved JSRuntime local-storage checks in Home.razor (for focus mode preferences) to OnAfterRenderAsync(firstRender: true), resolving startup JSInterop exceptions and eliminating layout shifts.

Verification Performed

  • Mandatory build gate verified: Kompilacja powiodła się. with zero compile errors (dotnet build NexusReader.slnx --no-restore).
  • Validated dependency resolution patterns and async safety (no async void).
This PR provides critical stabilization, memory leak resolution, and security enhancements for the NexusReader application, specifically focusing on Blazor InteractiveAuto lifecycle safety, thread-safe automated authentication token refresh, and deduplication of active AI service queries. ### Key Enhancements #### 1. Security & Lifecycle Stabilization (`AuthenticationHeaderHandler.cs` & `Library.razor`) * **Secure Token Propagation (CWE-200)**: Modified the outbound delegating handler to only append JWT Bearer headers to trusted base origin requests matching the application's configured `NavigationManager.BaseUri`, preventing potential token leakage to external services. * **Captive Dependency & Memory Leak Fix (CWE-400)**: Avoided capturing scoped dependencies in a singleton handler by wrapping the resolution of `IIdentityService` inside a dedicated, disposable `IServiceProvider` scope (`_serviceProvider.CreateScope()`). * **Thread-Safe Automated Refresh**: Embedded a `SemaphoreSlim` lock around the automated `RefreshTokenAsync` renewal sequence to handle concurrent API requests gracefully without triggering duplicate token refresh attempts. * **Pre-rendering Safety**: Deferred the secure book loading query in `Library.razor` from `OnInitializedAsync` to client-side `OnAfterRenderAsync(firstRender: true)` to avoid inevitable `401 Unauthorized` responses and logs during the server pre-rendering phase. #### 2. Robust AI Request Deduplication (`KnowledgeService.cs`) * **State Recovery Guards**: Enhanced the thread-safe `Lazy<Task<Result<KnowledgePacket>>>` deduplication map by adding thorough failure handling blocks. Active requests are guaranteed to be cleaned up (`TryRemove`) inside `finally` and failed results pathways, ensuring future retries can run immediately if an initial request encounters an error. #### 3. Idempotent AI UI Fetching & JSRuntime Guards * **Interactive Guards**: Added an `_isInteractive` check to `GroundednessBadge.razor` and `AiAssistantBubble.razor` components, deferring WebAssembly API executions and DOM updates to client-side `OnAfterRenderAsync`. * **State Synchronization**: Integrated a synchronous `OnParametersSet` to properly reset groundedness badges when content changes. * **Flicker Elimination**: Moved JSRuntime local-storage checks in `Home.razor` (for focus mode preferences) to `OnAfterRenderAsync(firstRender: true)`, resolving startup JSInterop exceptions and eliminating layout shifts. ### Verification Performed * Mandatory build gate verified: `Kompilacja powiodła się.` with zero compile errors (`dotnet build NexusReader.slnx --no-restore`). * Validated dependency resolution patterns and async safety (no `async void`).
Antigravity added 1 commit 2026-05-18 18:07:42 +00:00
mjasin added 1 commit 2026-05-19 18:00:15 +00:00
mjasin added 1 commit 2026-05-19 18:14:12 +00:00
mjasin added 1 commit 2026-05-19 18:29:36 +00:00
Antigravity changed title from fix(ui): Enforce idempotent AI data fetching and JSRuntime guards to fix(ui/security): Enforce idempotent AI fetching, secure auth handler, and memory leak guards 2026-05-20 17:27:00 +00:00
mjasin approved these changes 2026-05-20 17:27:34 +00:00
mjasin merged commit 711822f5de into develop 2026-05-20 17:27:40 +00:00
mjasin deleted branch fix/idempotent-ai-fetching 2026-05-20 17:27:40 +00:00
Sign in to join this conversation.
No Reviewers
No Label
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mjasin/Nexus.Reader#45