Security fixes:
- Add YouTube URL validation with regex to prevent command injection
- Fix path traversal vulnerability in download-file endpoint
- Add input validation for containers and audio codecs
- Initialize postproc_added variable to prevent undefined errors
- Run Docker container as non-root user (appuser:1000)
- Add curl to Docker image for healthcheck support
- Remove flask-cors (unused dependency)
Concurrency improvements:
- Implement UUID-based session directories for downloads
- Prevent race conditions between concurrent requests
- Add automatic cleanup of old sessions (>1h)
- Each download now isolated in its own directory
Code quality improvements:
- Add comprehensive logging throughout the application
- Add type hints for validation functions
- Improve error handling with specific exceptions
- Add constants for configuration (TIMEOUT, BYTES_PER_MB, etc.)
- Better documentation with docstrings
API changes:
- download endpoint now returns session_id
- download-file endpoint now requires session_id and filename
- New cleanup endpoints for session management
Frontend updates:
- Updated to use new session-based download URLs
- Remove command display for security (showed internal paths)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>