Introduce an 'external' attribute on the image-preview component to bypass the devrant image URL builder when the source is an external link. Update the component's observed attributes, rendering logic, and lightbox initialization to conditionally use the raw src URL. Modify rant-content to detect external images via the presence of links and pass the external flag accordingly.
Move the '..' detection to operate on the raw path string before normalization, ensuring path traversal attempts are caught even when normpath would collapse them. Also apply the same early check to api_parsed_url.path in proxy_request, preventing bypass via normalized path segments.
The notification item component was incorrectly accessing `notif.username` directly instead of `notif.username.name`, causing undefined values to appear in the notification display when the username field contained an object with a `name` property. Added a console.info statement for debugging and corrected the property chain to properly extract the display name from nested object structures.
- Add notifyAuthChange() call after successful token validation in setAuthFromToken
- Fetch user profile during login to obtain canonical username instead of using raw input
- Update both authData and currentUser objects with resolved username from profile API
- Handle profile fetch failure gracefully by falling back to provided username