letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
3e4d9d631040ca238693fb0499285cfe51a1859d
pn-new-crm/src/app/api/webhooks/documenso/route.ts

218 lines
7.4 KiB
TypeScript
Raw Normal View History

Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
import { NextRequest, NextResponse } from 'next/server';
import { createHash } from 'crypto';
import { db } from '@/lib/db';
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
import { verifyDocumensoSecret } from '@/lib/services/documenso-webhook';
fix(audit-tier-6): validation, perms, ops/infra, per-port webhook secret Final audit polish — closes the remaining LOW + MED items the previous tiers didn't reach: * Validation hardening: me.preferences uses .strict() + 8KB cap instead of unbounded .passthrough(); files.uploadFile gains magic-byte verification (jpeg/png/gif/webp/pdf/doc/xlsx); OCR scan endpoint enforces 10MB cap + magic-byte check on receipt images; port logoUrl + me.avatarUrl reject javascript:/data: schemes via a shared httpUrl refinement. * Permission gates: document-sends/{brochure,berth-pdf} now require email.send (was withAuth-only); document-sends/{preview,list} on email.view; ai/email-draft on email.send; documents/[id]/send uses send_for_signing (was create); expenses/export/parent-company flips from hard isSuperAdmin to expenses.export for parity; admin/users/options gated on reminders.assign_others (was withAuth). * Envelope hygiene: auth/set-password switches the third {message} variant to errorResponse + {data: {email}}; ai/email-draft wraps jobId in {data: {jobId}}. * UI polish: reports-list.handleDownload surfaces failures via toastError (was console-only). * Ops/infra: pin pnpm@10.33.2 across all three Dockerfiles + packageManager field in package.json; Dockerfile.worker re-orders user creation BEFORE pnpm install so node_modules / .cache dirs are worker-owned (fixes tesseract.js + sharp EACCES at first PDF parse); add Redis-ping HEALTHCHECK to the worker container. * Public health endpoint: returns full env+appUrl payload only when the caller presents X-Intake-Secret, otherwise a minimal {status} so generic uptime monitors still work but anonymous internet doesn't get deployment fingerprints. * Per-port Documenso webhook secret: new system_settings key + listDocumensoWebhookSecrets() helper. The webhook receiver iterates every configured per-port secret with timing-safe comparison + falls back to env, then forwards the resolved portId into handleDocumentExpired so two ports sharing a documensoId cannot cross-mutate. Deferred (handled in dedicated follow-up PRs): * Tier 5.1 — direct service tests for portal-auth / users / email-accounts / document-sends / sales-email-config. MED, large test-writing scope. * The {ok: true} → {data: null} envelope migration across alerts/expenses/admin-ocr-settings/storage routes. Mechanical but needs coordinated client + test updates. * CSP-nonce migration (drop unsafe-inline) — needs middleware-level nonce generation that the Next 15 router has to thread through. * Idempotency-Key header on Documenso createDocument. Requires schema column on documents to persist the key; deferred so it doesn't bundle a migration into this commit. * The 16 better-auth user_id FKs — separate dedicated migration with care (some columns are NOT NULL today and cascade decisions matter). * PermissionGate / Skeleton / EmptyState wraps across 5 admin lists (auditor-H §§36–37) and the residential-clients filter bar. Test status: 1175/1175 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md MED §§28,29,30 + LOW §§32–43 + HIGH §9 (Documenso secrets follow-up). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:03:31 +02:00
import { listDocumensoWebhookSecrets } from '@/lib/services/port-config';
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
import {
handleRecipientSigned,
handleDocumentCompleted,
fix(documenso): expired event, real signer emails, query invalidation, double-fire - Wire the `DOCUMENT_EXPIRED` webhook event to `handleDocumentExpired`. Previously the handler existed but was never called, leaving expired EOIs stuck in `sent` / `partially_signed` forever. - `sendForSigning` now resolves real port-configured signer emails via `getPortEoiSigners(portId)` instead of fabricating `developer@{slug}.com` / `sales@{slug}.com`. The Documenso-template pathway was already using these; the upload-PDF pathway now matches. - `handleRecipientSigned` logs a warning when the email match returns zero rows so a misconfigured signer isn't a silent no-op. - `handleDocumentCompleted` skips berth-rule re-evaluation when the interest is already at or past `eoi_signed`, preventing a double-fire when `DOCUMENT_SIGNED` and `DOCUMENT_COMPLETED` arrive close together. - EOI generate dialog now invalidates by predicate (any queryKey starting with `'documents'`) so the Documents tab and hub counts refresh after generation, instead of missing because the actual query key shape didn't match the targeted invalidation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:00:58 +02:00
handleDocumentExpired,
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
handleDocumentOpened,
handleDocumentRejected,
handleDocumentCancelled,
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
} from '@/lib/services/documents.service';
import { logger } from '@/lib/logger';
feat(audit): wider coverage — sensitive views, cron, jobs, portal abuse Builds on the audit infra split (severity/source) by emitting events from every place a security or operations review would want to see: Sensitive data views (severity=warning): - GDPR export download URL issued - Audit log page opened (watch-the-watchers; first page only) - CSV export of expenses - Webhook secret regenerated Authentication abuse (severity=warning, source=auth): - Portal sign-in: success + failed-credentials + portal-disabled - Portal password reset: unknown email + portal-disabled + bad token - Portal activation: bad/expired token Inbound webhook hardening: - Documenso webhook with invalid X-Documenso-Secret now writes webhook_failed instead of being silently logged Background work (source=cron / job): - New attachWorkerAudit() helper wires every BullMQ worker to emit job_failed (severity=error) on .on('failed') and cron_run on .on('completed') for any job whose name matches the recurring scheduler list. Applied across all 10 workers. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 20:44:38 +02:00
import { createAuditLog } from '@/lib/audit';
fix(audit): security HIGHs — rate-limit hard-delete codes, collapse error msgs, doc bad-secret per-IP H1: hard-delete-request and bulk-hard-delete-request endpoints had no rate limit; an admin's compromised account could email-bomb the operator's inbox or use the endpoints as a client-id oracle. Added a new `hardDeleteCode` limiter (5 per hour per user). H3: hard-delete error messages distinguished "no code requested" from "wrong code", letting an attacker brute-force the 4-digit space with ~5k attempts (vs the full 10k). Both single + bulk paths now return the same 'Invalid or expired confirmation code' message. H5: invalid Documenso webhook secret submissions are now rate-limited per-IP (10 per 15min) and only audit-logged inside the cap, so a slow enumeration can't fill the audit log silently. Real Documenso traffic won't fail the secret check, so any traffic beyond the cap is brute-force. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:06:40 +02:00
import { checkRateLimit, rateLimiters } from '@/lib/rate-limit';
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
// BR-024: Dedup via signatureHash unique index on documentEvents
// Always return 200 from webhook (webhook best practice)
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
// Documenso emits Prisma enum names on the wire (e.g. "DOCUMENT_SIGNED").
// The UI displays them as lowercase-dotted ("document.signed") but the JSON
// body uses the enum value as-is. Normalize both forms in case 2.x ever flips.
function canonicalizeEvent(event: string): string {
return event.toUpperCase().replace(/\./g, '_');
}
type DocumensoRecipient = {
email: string;
signingStatus?: string;
readStatus?: string;
signedAt?: string | null;
};
type DocumensoWebhookBody = {
event: string;
payload: {
id: number | string;
recipients?: DocumensoRecipient[];
};
};
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
export async function POST(req: NextRequest): Promise<NextResponse> {
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
let rawBody: string;
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
try {
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
rawBody = await req.text();
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
} catch {
return NextResponse.json({ ok: false }, { status: 200 });
}
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
// Documenso v1.13 + 2.x send the secret in plaintext via X-Documenso-Secret.
fix(audit-tier-6): validation, perms, ops/infra, per-port webhook secret Final audit polish — closes the remaining LOW + MED items the previous tiers didn't reach: * Validation hardening: me.preferences uses .strict() + 8KB cap instead of unbounded .passthrough(); files.uploadFile gains magic-byte verification (jpeg/png/gif/webp/pdf/doc/xlsx); OCR scan endpoint enforces 10MB cap + magic-byte check on receipt images; port logoUrl + me.avatarUrl reject javascript:/data: schemes via a shared httpUrl refinement. * Permission gates: document-sends/{brochure,berth-pdf} now require email.send (was withAuth-only); document-sends/{preview,list} on email.view; ai/email-draft on email.send; documents/[id]/send uses send_for_signing (was create); expenses/export/parent-company flips from hard isSuperAdmin to expenses.export for parity; admin/users/options gated on reminders.assign_others (was withAuth). * Envelope hygiene: auth/set-password switches the third {message} variant to errorResponse + {data: {email}}; ai/email-draft wraps jobId in {data: {jobId}}. * UI polish: reports-list.handleDownload surfaces failures via toastError (was console-only). * Ops/infra: pin pnpm@10.33.2 across all three Dockerfiles + packageManager field in package.json; Dockerfile.worker re-orders user creation BEFORE pnpm install so node_modules / .cache dirs are worker-owned (fixes tesseract.js + sharp EACCES at first PDF parse); add Redis-ping HEALTHCHECK to the worker container. * Public health endpoint: returns full env+appUrl payload only when the caller presents X-Intake-Secret, otherwise a minimal {status} so generic uptime monitors still work but anonymous internet doesn't get deployment fingerprints. * Per-port Documenso webhook secret: new system_settings key + listDocumensoWebhookSecrets() helper. The webhook receiver iterates every configured per-port secret with timing-safe comparison + falls back to env, then forwards the resolved portId into handleDocumentExpired so two ports sharing a documensoId cannot cross-mutate. Deferred (handled in dedicated follow-up PRs): * Tier 5.1 — direct service tests for portal-auth / users / email-accounts / document-sends / sales-email-config. MED, large test-writing scope. * The {ok: true} → {data: null} envelope migration across alerts/expenses/admin-ocr-settings/storage routes. Mechanical but needs coordinated client + test updates. * CSP-nonce migration (drop unsafe-inline) — needs middleware-level nonce generation that the Next 15 router has to thread through. * Idempotency-Key header on Documenso createDocument. Requires schema column on documents to persist the key; deferred so it doesn't bundle a migration into this commit. * The 16 better-auth user_id FKs — separate dedicated migration with care (some columns are NOT NULL today and cascade decisions matter). * PermissionGate / Skeleton / EmptyState wraps across 5 admin lists (auditor-H §§36–37) and the residential-clients filter bar. Test status: 1175/1175 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md MED §§28,29,30 + LOW §§32–43 + HIGH §9 (Documenso secrets follow-up). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:03:31 +02:00
// Resolve the matching port by trying each configured per-port secret
// (plus the global env fallback) with timing-safe comparison. The
// resolved portId, when non-null, is threaded into handleDocumentExpired
// so two ports sharing a documensoId can't cross-mutate (auditor-D §22).
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
const providedSecret = req.headers.get('x-documenso-secret') ?? '';
fix(audit-tier-6): validation, perms, ops/infra, per-port webhook secret Final audit polish — closes the remaining LOW + MED items the previous tiers didn't reach: * Validation hardening: me.preferences uses .strict() + 8KB cap instead of unbounded .passthrough(); files.uploadFile gains magic-byte verification (jpeg/png/gif/webp/pdf/doc/xlsx); OCR scan endpoint enforces 10MB cap + magic-byte check on receipt images; port logoUrl + me.avatarUrl reject javascript:/data: schemes via a shared httpUrl refinement. * Permission gates: document-sends/{brochure,berth-pdf} now require email.send (was withAuth-only); document-sends/{preview,list} on email.view; ai/email-draft on email.send; documents/[id]/send uses send_for_signing (was create); expenses/export/parent-company flips from hard isSuperAdmin to expenses.export for parity; admin/users/options gated on reminders.assign_others (was withAuth). * Envelope hygiene: auth/set-password switches the third {message} variant to errorResponse + {data: {email}}; ai/email-draft wraps jobId in {data: {jobId}}. * UI polish: reports-list.handleDownload surfaces failures via toastError (was console-only). * Ops/infra: pin pnpm@10.33.2 across all three Dockerfiles + packageManager field in package.json; Dockerfile.worker re-orders user creation BEFORE pnpm install so node_modules / .cache dirs are worker-owned (fixes tesseract.js + sharp EACCES at first PDF parse); add Redis-ping HEALTHCHECK to the worker container. * Public health endpoint: returns full env+appUrl payload only when the caller presents X-Intake-Secret, otherwise a minimal {status} so generic uptime monitors still work but anonymous internet doesn't get deployment fingerprints. * Per-port Documenso webhook secret: new system_settings key + listDocumensoWebhookSecrets() helper. The webhook receiver iterates every configured per-port secret with timing-safe comparison + falls back to env, then forwards the resolved portId into handleDocumentExpired so two ports sharing a documensoId cannot cross-mutate. Deferred (handled in dedicated follow-up PRs): * Tier 5.1 — direct service tests for portal-auth / users / email-accounts / document-sends / sales-email-config. MED, large test-writing scope. * The {ok: true} → {data: null} envelope migration across alerts/expenses/admin-ocr-settings/storage routes. Mechanical but needs coordinated client + test updates. * CSP-nonce migration (drop unsafe-inline) — needs middleware-level nonce generation that the Next 15 router has to thread through. * Idempotency-Key header on Documenso createDocument. Requires schema column on documents to persist the key; deferred so it doesn't bundle a migration into this commit. * The 16 better-auth user_id FKs — separate dedicated migration with care (some columns are NOT NULL today and cascade decisions matter). * PermissionGate / Skeleton / EmptyState wraps across 5 admin lists (auditor-H §§36–37) and the residential-clients filter bar. Test status: 1175/1175 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md MED §§28,29,30 + LOW §§32–43 + HIGH §9 (Documenso secrets follow-up). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:03:31 +02:00
const secrets = await listDocumensoWebhookSecrets();
let matchedPortId: string | null = null;
let matched = false;
for (const entry of secrets) {
if (verifyDocumensoSecret(providedSecret, entry.secret)) {
matched = true;
matchedPortId = entry.portId;
break;
}
}
if (!matched) {
fix(audit): security HIGHs — rate-limit hard-delete codes, collapse error msgs, doc bad-secret per-IP H1: hard-delete-request and bulk-hard-delete-request endpoints had no rate limit; an admin's compromised account could email-bomb the operator's inbox or use the endpoints as a client-id oracle. Added a new `hardDeleteCode` limiter (5 per hour per user). H3: hard-delete error messages distinguished "no code requested" from "wrong code", letting an attacker brute-force the 4-digit space with ~5k attempts (vs the full 10k). Both single + bulk paths now return the same 'Invalid or expired confirmation code' message. H5: invalid Documenso webhook secret submissions are now rate-limited per-IP (10 per 15min) and only audit-logged inside the cap, so a slow enumeration can't fill the audit log silently. Real Documenso traffic won't fail the secret check, so any traffic beyond the cap is brute-force. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:06:40 +02:00
const callerIp =
req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
req.headers.get('x-real-ip') ??
'unknown';
// Rate-limit per IP. Real Documenso traffic won't fail the secret
// check, so any traffic here is enumeration / brute-force; we cap
// it sharply to keep audit-log volume bounded too.
const rl = await checkRateLimit(callerIp, rateLimiters.webhookBadSecret);
logger.warn(
{ providedLen: providedSecret.length, ip: callerIp, allowed: rl.allowed },
'Invalid Documenso webhook secret',
);
if (rl.allowed) {
void createAuditLog({
userId: null,
portId: null,
action: 'webhook_failed',
entityType: 'webhook_inbound',
entityId: 'documenso',
metadata: {
reason: 'invalid_secret',
providedLen: providedSecret.length,
},
ipAddress: callerIp,
userAgent: req.headers.get('user-agent') ?? '',
severity: 'warning',
source: 'webhook',
});
}
// Always return 200 (webhook best-practice — don't leak signal).
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
return NextResponse.json({ ok: false, error: 'Invalid secret' }, { status: 200 });
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
}
// Compute deduplication hash
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
const signatureHash = createHash('sha256').update(rawBody).digest('hex');
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
let parsed: DocumensoWebhookBody;
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
try {
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
parsed = JSON.parse(rawBody) as DocumensoWebhookBody;
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
} catch {
logger.warn('Failed to parse Documenso webhook payload');
return NextResponse.json({ ok: false }, { status: 200 });
}
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
// Replay guard: if any event with this hash already exists, skip.
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
try {
const existing = await db.query.documentEvents.findFirst({
where: (de, { eq }) => eq(de.signatureHash, signatureHash),
});
if (existing) {
chore(style): codebase em-dash sweep + minor layout polish Replaces every em-dash and en-dash with regular ASCII hyphens across comments, JSX strings, and dev-facing logs. Mostly cosmetic but stops the inconsistent mix that crept in over the last few months (some files used em-dashes in comments, others didn't, some used both). Bundles two small dashboard-layout tweaks that touch a couple of already-modified files: - (dashboard)/layout.tsx main padding goes from p-6 to pt-3 px-6 pb-6 so page content sits closer to the topbar. - Sidebar now receives the ports list it needs for the footer port switcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 22:57:01 +02:00
logger.info({ signatureHash }, 'Duplicate Documenso webhook - skipping');
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
return NextResponse.json({ ok: true }, { status: 200 });
}
} catch (err) {
logger.error({ err }, 'Failed to check duplicate webhook');
}
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
const event = canonicalizeEvent(parsed.event);
const documensoId = String(parsed.payload?.id ?? '');
const recipients = parsed.payload?.recipients ?? [];
if (!documensoId) {
logger.warn({ event }, 'Documenso webhook missing payload.id');
return NextResponse.json({ ok: true }, { status: 200 });
}
fix(audit-verification): regressions found in post-Tier-6 review Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL regression and a handful of remaining cross-tenant gaps that the original audit didn't enumerate. All fixed here: CRITICAL * document-reminders.processReminderQueue — the new bulk-fetch leftJoin to documentTemplates was scoped on `templateType` alone. Templates of the same type exist in every port; the cartesian explosion would have fired one Documenso reminder PER matching template-row per cron tick (a 5-port deploy = 5 reminders to the same signer per cycle). Added eq(documentTemplates.portId, portId) to the join. * All five remaining Documenso webhook handlers (RecipientSigned / Completed / Opened / Rejected / Cancelled) accept and require an optional portId now, with a shared resolveWebhookDocument() helper that refuses to mutate when the lookup is ambiguous across tenants without a resolved port. Tier 5's port-scoping was applied only to Expired; the route now forwards the matched portId to every handler. Tightens the WHERE clauses on subsequent UPDATEs to (id, portId) for defense-in-depth. HIGH * verifyDocumensoSecret rejects when `expected` is empty — timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose X-Documenso-Secret header was also missing/empty. listDocumensoWebhookSecrets skips the env entry when blank. * /api/public/health — the website-intake-secret comparison was a string `===` (not constant-time). Switched to timingSafeEqual via Buffer.from(). MEDIUM * server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP drain so long-poll websockets stop holding the server open past the compose stop_grace_period. * /api/v1/me PATCH preferences merge — allow-list filter on the merged JSONB so legacy rows from the old .passthrough() era stop silently re-shipping their bloat to disk. Migration fixes (deploy-blocking) * 0041 referenced `port_role_overrides.permissions` (column is `permission_overrides`) — overrides are partial JSONB and don't need backfilling at all (deepMerge resolves edit from the base role). Removed the override UPDATEs entirely. * 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the brief table-lock phase is decoupled from the row-scan validation, giving a cleaner abort-and-restart story if a constraint catches dirty production data. Added a pre-cleanup UPDATE for invoices.billing_entity_id = '' rows (backfills from clientName, falls back to the row id) so the new non-empty CHECK passes on a dirty table. Test status: 1175/1175 vitest, tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00
// Every handler accepts an optional `portId` and refuses to mutate when
// the lookup is ambiguous across multiple ports without one. Forward
// the secret-resolved portId everywhere — not just the expired path —
// so signed/completed/opened/rejected/cancelled events can't flip a
// foreign-tenant document via documensoId reuse.
const portScope = matchedPortId ? { portId: matchedPortId } : {};
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
try {
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
switch (event) {
case 'DOCUMENT_SIGNED':
case 'DOCUMENT_RECIPIENT_COMPLETED': {
// v1.13 fires DOCUMENT_SIGNED per recipient sign;
// 2.x fires DOCUMENT_RECIPIENT_COMPLETED for the same semantics.
const signedRecipients = recipients.filter(
(r) => r.signingStatus === 'SIGNED' || Boolean(r.signedAt),
);
for (const r of signedRecipients) {
await handleRecipientSigned({
documentId: documensoId,
recipientEmail: r.email,
signatureHash: `${signatureHash}:signed:${r.email}`,
fix(audit-verification): regressions found in post-Tier-6 review Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL regression and a handful of remaining cross-tenant gaps that the original audit didn't enumerate. All fixed here: CRITICAL * document-reminders.processReminderQueue — the new bulk-fetch leftJoin to documentTemplates was scoped on `templateType` alone. Templates of the same type exist in every port; the cartesian explosion would have fired one Documenso reminder PER matching template-row per cron tick (a 5-port deploy = 5 reminders to the same signer per cycle). Added eq(documentTemplates.portId, portId) to the join. * All five remaining Documenso webhook handlers (RecipientSigned / Completed / Opened / Rejected / Cancelled) accept and require an optional portId now, with a shared resolveWebhookDocument() helper that refuses to mutate when the lookup is ambiguous across tenants without a resolved port. Tier 5's port-scoping was applied only to Expired; the route now forwards the matched portId to every handler. Tightens the WHERE clauses on subsequent UPDATEs to (id, portId) for defense-in-depth. HIGH * verifyDocumensoSecret rejects when `expected` is empty — timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose X-Documenso-Secret header was also missing/empty. listDocumensoWebhookSecrets skips the env entry when blank. * /api/public/health — the website-intake-secret comparison was a string `===` (not constant-time). Switched to timingSafeEqual via Buffer.from(). MEDIUM * server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP drain so long-poll websockets stop holding the server open past the compose stop_grace_period. * /api/v1/me PATCH preferences merge — allow-list filter on the merged JSONB so legacy rows from the old .passthrough() era stop silently re-shipping their bloat to disk. Migration fixes (deploy-blocking) * 0041 referenced `port_role_overrides.permissions` (column is `permission_overrides`) — overrides are partial JSONB and don't need backfilling at all (deepMerge resolves edit from the base role). Removed the override UPDATEs entirely. * 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the brief table-lock phase is decoupled from the row-scan validation, giving a cleaner abort-and-restart story if a constraint catches dirty production data. Added a pre-cleanup UPDATE for invoices.billing_entity_id = '' rows (backfills from clientName, falls back to the row id) so the new non-empty CHECK passes on a dirty table. Test status: 1175/1175 vitest, tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00
...portScope,
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
});
}
break;
}
case 'DOCUMENT_OPENED': {
fix(audit-v2): platform-wide post-merge hardening across 5 domains Five-domain audit (security, routes, DB, integrations, UI/UX) ran after the cf37d09 merge. Critical + high-impact items landed here; deferred medium/low items indexed in docs/audit-final-deferred.md (now organised into a "Audit-final v2" section). Security: - Storage proxy tokens now bind to op (`'get'` vs `'put'`). A long-lived download URL minted by `presignDownload` for an emailed brochure can no longer be replayed against the proxy PUT to overwrite the original storage object. `verifyProxyToken` requires `expectedOp` and rejects mismatches; legacy tokens missing `op` fail-closed. Regression tests added. - Markdown email merge values are now markdown-escaped (`[`, `]`, `(`, `)`, `*`, `_`, `\`, backticks, braces) before substitution into the rep-authored body. A malicious value like `[click here](https://evil)` stored in `client.fullName` no longer survives `escapeHtml` to render as a real `<a href>` in the outbound email. Phishing-via-merge-field closed; regression tests added. - Middleware now performs an Origin/Referer check on POST/PUT/PATCH/DELETE to `/api/v1/**`. Defense-in-depth on top of better-auth's SameSite=Lax cookie. Webhooks/public/auth/portal routes exempt as they don't carry the session cookie. Routes: - Template management routes were calling `withPermission('documents', 'manage', ...)` — but `documents` doesn't have a `manage` action. The registry has `document_templates.manage`. Every non-superadmin was getting 403'd on the seven template endpoints. Fixed across the /admin/templates surface. - Custom-fields permission resource is hardcoded to `clients` regardless of which entity (yacht/company/etc.) the values belong to. Documented as deferred (requires per-entity routes). DB: - documentSends: every parent FK (client_id, interest_id, berth_id, brochure_id, brochure_version_id) now uses ON DELETE SET NULL so the audit trail outlasts hard-deletes. The denormalized columns (recipient_email, document_kind, body_markdown, from_address) were added precisely for this. Migration 0035. - Polymorphic discriminators on yachts.current_owner_type and invoices.billing_entity_type now have CHECK constraints — typos like `'clients'` vs `'client'` were silently inserting unreachable rows before. Migration 0036. Integrations: - Email attachment resolution (`src/lib/email/index.ts`) was importing MinIO directly instead of `getStorageBackend()`. Filesystem-backend deployments would have broken every email-with-attachment send. Now routes through the pluggable abstraction per CLAUDE.md. - Documenso DOCUMENT_OPENED webhook filter relaxed: v2 may omit `readStatus` or send lowercase, so an event that was the SIGNAL of an open was being silently dropped. Now treats any recipient on a DOCUMENT_OPENED event as opened. UI/UX: - Expense detail used to render `receiptFileIds` as opaque UUID badges — reps couldn't view the receipt they uploaded. Now renders an image thumbnail (via `/api/v1/files/[id]/preview`) plus a Download link for PDFs. Closed the "where's my receipt?" loop in the expense flow. - Expense detail Edit + Archive buttons now `<PermissionGate>` and the archive mutation surfaces success/error toasts instead of silent 403s. - Brochures admin: setDefault/archive/create mutations now have onError toasts (only onSuccess existed before). - Removed broken bulk-upload link in scan/page (route doesn't exist; used a raw `<a>` triggering a full reload to a 404). Test status: 1168/1168 vitest passing. tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 05:51:39 +02:00
// Documenso v1 sends `readStatus: 'OPENED'`; v2 has used both
// upper and lower case across releases and may omit the field
// entirely (the event itself signals the open). Treat the event
// as the signal: dispatch a per-recipient open for every
// recipient on the document so v2 deployments stop silently
// dropping opens.
const openedRecipients = recipients.filter(
(r) => !r.readStatus || String(r.readStatus).toUpperCase() === 'OPENED',
);
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
for (const r of openedRecipients) {
await handleDocumentOpened({
documentId: documensoId,
recipientEmail: r.email,
signatureHash: `${signatureHash}:opened:${r.email}`,
fix(audit-verification): regressions found in post-Tier-6 review Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL regression and a handful of remaining cross-tenant gaps that the original audit didn't enumerate. All fixed here: CRITICAL * document-reminders.processReminderQueue — the new bulk-fetch leftJoin to documentTemplates was scoped on `templateType` alone. Templates of the same type exist in every port; the cartesian explosion would have fired one Documenso reminder PER matching template-row per cron tick (a 5-port deploy = 5 reminders to the same signer per cycle). Added eq(documentTemplates.portId, portId) to the join. * All five remaining Documenso webhook handlers (RecipientSigned / Completed / Opened / Rejected / Cancelled) accept and require an optional portId now, with a shared resolveWebhookDocument() helper that refuses to mutate when the lookup is ambiguous across tenants without a resolved port. Tier 5's port-scoping was applied only to Expired; the route now forwards the matched portId to every handler. Tightens the WHERE clauses on subsequent UPDATEs to (id, portId) for defense-in-depth. HIGH * verifyDocumensoSecret rejects when `expected` is empty — timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose X-Documenso-Secret header was also missing/empty. listDocumensoWebhookSecrets skips the env entry when blank. * /api/public/health — the website-intake-secret comparison was a string `===` (not constant-time). Switched to timingSafeEqual via Buffer.from(). MEDIUM * server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP drain so long-poll websockets stop holding the server open past the compose stop_grace_period. * /api/v1/me PATCH preferences merge — allow-list filter on the merged JSONB so legacy rows from the old .passthrough() era stop silently re-shipping their bloat to disk. Migration fixes (deploy-blocking) * 0041 referenced `port_role_overrides.permissions` (column is `permission_overrides`) — overrides are partial JSONB and don't need backfilling at all (deepMerge resolves edit from the base role). Removed the override UPDATEs entirely. * 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the brief table-lock phase is decoupled from the row-scan validation, giving a cleaner abort-and-restart story if a constraint catches dirty production data. Added a pre-cleanup UPDATE for invoices.billing_entity_id = '' rows (backfills from clientName, falls back to the row id) so the new non-empty CHECK passes on a dirty table. Test status: 1175/1175 vitest, tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00
...portScope,
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
});
}
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
break;
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
}
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
case 'DOCUMENT_COMPLETED':
fix(audit-verification): regressions found in post-Tier-6 review Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL regression and a handful of remaining cross-tenant gaps that the original audit didn't enumerate. All fixed here: CRITICAL * document-reminders.processReminderQueue — the new bulk-fetch leftJoin to documentTemplates was scoped on `templateType` alone. Templates of the same type exist in every port; the cartesian explosion would have fired one Documenso reminder PER matching template-row per cron tick (a 5-port deploy = 5 reminders to the same signer per cycle). Added eq(documentTemplates.portId, portId) to the join. * All five remaining Documenso webhook handlers (RecipientSigned / Completed / Opened / Rejected / Cancelled) accept and require an optional portId now, with a shared resolveWebhookDocument() helper that refuses to mutate when the lookup is ambiguous across tenants without a resolved port. Tier 5's port-scoping was applied only to Expired; the route now forwards the matched portId to every handler. Tightens the WHERE clauses on subsequent UPDATEs to (id, portId) for defense-in-depth. HIGH * verifyDocumensoSecret rejects when `expected` is empty — timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose X-Documenso-Secret header was also missing/empty. listDocumensoWebhookSecrets skips the env entry when blank. * /api/public/health — the website-intake-secret comparison was a string `===` (not constant-time). Switched to timingSafeEqual via Buffer.from(). MEDIUM * server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP drain so long-poll websockets stop holding the server open past the compose stop_grace_period. * /api/v1/me PATCH preferences merge — allow-list filter on the merged JSONB so legacy rows from the old .passthrough() era stop silently re-shipping their bloat to disk. Migration fixes (deploy-blocking) * 0041 referenced `port_role_overrides.permissions` (column is `permission_overrides`) — overrides are partial JSONB and don't need backfilling at all (deepMerge resolves edit from the base role). Removed the override UPDATEs entirely. * 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the brief table-lock phase is decoupled from the row-scan validation, giving a cleaner abort-and-restart story if a constraint catches dirty production data. Added a pre-cleanup UPDATE for invoices.billing_entity_id = '' rows (backfills from clientName, falls back to the row id) so the new non-empty CHECK passes on a dirty table. Test status: 1175/1175 vitest, tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00
await handleDocumentCompleted({ documentId: documensoId, ...portScope });
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
break;
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
case 'DOCUMENT_REJECTED': {
const rejecting = recipients.find((r) => r.signingStatus === 'REJECTED');
await handleDocumentRejected({
documentId: documensoId,
recipientEmail: rejecting?.email,
signatureHash,
fix(audit-verification): regressions found in post-Tier-6 review Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL regression and a handful of remaining cross-tenant gaps that the original audit didn't enumerate. All fixed here: CRITICAL * document-reminders.processReminderQueue — the new bulk-fetch leftJoin to documentTemplates was scoped on `templateType` alone. Templates of the same type exist in every port; the cartesian explosion would have fired one Documenso reminder PER matching template-row per cron tick (a 5-port deploy = 5 reminders to the same signer per cycle). Added eq(documentTemplates.portId, portId) to the join. * All five remaining Documenso webhook handlers (RecipientSigned / Completed / Opened / Rejected / Cancelled) accept and require an optional portId now, with a shared resolveWebhookDocument() helper that refuses to mutate when the lookup is ambiguous across tenants without a resolved port. Tier 5's port-scoping was applied only to Expired; the route now forwards the matched portId to every handler. Tightens the WHERE clauses on subsequent UPDATEs to (id, portId) for defense-in-depth. HIGH * verifyDocumensoSecret rejects when `expected` is empty — timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose X-Documenso-Secret header was also missing/empty. listDocumensoWebhookSecrets skips the env entry when blank. * /api/public/health — the website-intake-secret comparison was a string `===` (not constant-time). Switched to timingSafeEqual via Buffer.from(). MEDIUM * server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP drain so long-poll websockets stop holding the server open past the compose stop_grace_period. * /api/v1/me PATCH preferences merge — allow-list filter on the merged JSONB so legacy rows from the old .passthrough() era stop silently re-shipping their bloat to disk. Migration fixes (deploy-blocking) * 0041 referenced `port_role_overrides.permissions` (column is `permission_overrides`) — overrides are partial JSONB and don't need backfilling at all (deepMerge resolves edit from the base role). Removed the override UPDATEs entirely. * 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the brief table-lock phase is decoupled from the row-scan validation, giving a cleaner abort-and-restart story if a constraint catches dirty production data. Added a pre-cleanup UPDATE for invoices.billing_entity_id = '' rows (backfills from clientName, falls back to the row id) so the new non-empty CHECK passes on a dirty table. Test status: 1175/1175 vitest, tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00
...portScope,
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
});
break;
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
}
case 'DOCUMENT_CANCELLED':
fix(audit-verification): regressions found in post-Tier-6 review Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL regression and a handful of remaining cross-tenant gaps that the original audit didn't enumerate. All fixed here: CRITICAL * document-reminders.processReminderQueue — the new bulk-fetch leftJoin to documentTemplates was scoped on `templateType` alone. Templates of the same type exist in every port; the cartesian explosion would have fired one Documenso reminder PER matching template-row per cron tick (a 5-port deploy = 5 reminders to the same signer per cycle). Added eq(documentTemplates.portId, portId) to the join. * All five remaining Documenso webhook handlers (RecipientSigned / Completed / Opened / Rejected / Cancelled) accept and require an optional portId now, with a shared resolveWebhookDocument() helper that refuses to mutate when the lookup is ambiguous across tenants without a resolved port. Tier 5's port-scoping was applied only to Expired; the route now forwards the matched portId to every handler. Tightens the WHERE clauses on subsequent UPDATEs to (id, portId) for defense-in-depth. HIGH * verifyDocumensoSecret rejects when `expected` is empty — timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose X-Documenso-Secret header was also missing/empty. listDocumensoWebhookSecrets skips the env entry when blank. * /api/public/health — the website-intake-secret comparison was a string `===` (not constant-time). Switched to timingSafeEqual via Buffer.from(). MEDIUM * server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP drain so long-poll websockets stop holding the server open past the compose stop_grace_period. * /api/v1/me PATCH preferences merge — allow-list filter on the merged JSONB so legacy rows from the old .passthrough() era stop silently re-shipping their bloat to disk. Migration fixes (deploy-blocking) * 0041 referenced `port_role_overrides.permissions` (column is `permission_overrides`) — overrides are partial JSONB and don't need backfilling at all (deepMerge resolves edit from the base role). Removed the override UPDATEs entirely. * 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the brief table-lock phase is decoupled from the row-scan validation, giving a cleaner abort-and-restart story if a constraint catches dirty production data. Added a pre-cleanup UPDATE for invoices.billing_entity_id = '' rows (backfills from clientName, falls back to the row id) so the new non-empty CHECK passes on a dirty table. Test status: 1175/1175 vitest, tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00
await handleDocumentCancelled({ documentId: documensoId, signatureHash, ...portScope });
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
break;
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
fix(documenso): expired event, real signer emails, query invalidation, double-fire - Wire the `DOCUMENT_EXPIRED` webhook event to `handleDocumentExpired`. Previously the handler existed but was never called, leaving expired EOIs stuck in `sent` / `partially_signed` forever. - `sendForSigning` now resolves real port-configured signer emails via `getPortEoiSigners(portId)` instead of fabricating `developer@{slug}.com` / `sales@{slug}.com`. The Documenso-template pathway was already using these; the upload-PDF pathway now matches. - `handleRecipientSigned` logs a warning when the email match returns zero rows so a misconfigured signer isn't a silent no-op. - `handleDocumentCompleted` skips berth-rule re-evaluation when the interest is already at or past `eoi_signed`, preventing a double-fire when `DOCUMENT_SIGNED` and `DOCUMENT_COMPLETED` arrive close together. - EOI generate dialog now invalidates by predicate (any queryKey starting with `'documents'`) so the Documents tab and hub counts refresh after generation, instead of missing because the actual query key shape didn't match the targeted invalidation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:00:58 +02:00
case 'DOCUMENT_EXPIRED':
fix(audit-verification): regressions found in post-Tier-6 review Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL regression and a handful of remaining cross-tenant gaps that the original audit didn't enumerate. All fixed here: CRITICAL * document-reminders.processReminderQueue — the new bulk-fetch leftJoin to documentTemplates was scoped on `templateType` alone. Templates of the same type exist in every port; the cartesian explosion would have fired one Documenso reminder PER matching template-row per cron tick (a 5-port deploy = 5 reminders to the same signer per cycle). Added eq(documentTemplates.portId, portId) to the join. * All five remaining Documenso webhook handlers (RecipientSigned / Completed / Opened / Rejected / Cancelled) accept and require an optional portId now, with a shared resolveWebhookDocument() helper that refuses to mutate when the lookup is ambiguous across tenants without a resolved port. Tier 5's port-scoping was applied only to Expired; the route now forwards the matched portId to every handler. Tightens the WHERE clauses on subsequent UPDATEs to (id, portId) for defense-in-depth. HIGH * verifyDocumensoSecret rejects when `expected` is empty — timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose X-Documenso-Secret header was also missing/empty. listDocumensoWebhookSecrets skips the env entry when blank. * /api/public/health — the website-intake-secret comparison was a string `===` (not constant-time). Switched to timingSafeEqual via Buffer.from(). MEDIUM * server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP drain so long-poll websockets stop holding the server open past the compose stop_grace_period. * /api/v1/me PATCH preferences merge — allow-list filter on the merged JSONB so legacy rows from the old .passthrough() era stop silently re-shipping their bloat to disk. Migration fixes (deploy-blocking) * 0041 referenced `port_role_overrides.permissions` (column is `permission_overrides`) — overrides are partial JSONB and don't need backfilling at all (deepMerge resolves edit from the base role). Removed the override UPDATEs entirely. * 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the brief table-lock phase is decoupled from the row-scan validation, giving a cleaner abort-and-restart story if a constraint catches dirty production data. Added a pre-cleanup UPDATE for invoices.billing_entity_id = '' rows (backfills from clientName, falls back to the row id) so the new non-empty CHECK passes on a dirty table. Test status: 1175/1175 vitest, tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00
await handleDocumentExpired({ documentId: documensoId, ...portScope });
fix(documenso): expired event, real signer emails, query invalidation, double-fire - Wire the `DOCUMENT_EXPIRED` webhook event to `handleDocumentExpired`. Previously the handler existed but was never called, leaving expired EOIs stuck in `sent` / `partially_signed` forever. - `sendForSigning` now resolves real port-configured signer emails via `getPortEoiSigners(portId)` instead of fabricating `developer@{slug}.com` / `sales@{slug}.com`. The Documenso-template pathway was already using these; the upload-PDF pathway now matches. - `handleRecipientSigned` logs a warning when the email match returns zero rows so a misconfigured signer isn't a silent no-op. - `handleDocumentCompleted` skips berth-rule re-evaluation when the interest is already at or past `eoi_signed`, preventing a double-fire when `DOCUMENT_SIGNED` and `DOCUMENT_COMPLETED` arrive close together. - EOI generate dialog now invalidates by predicate (any queryKey starting with `'documents'`) so the Documents tab and hub counts refresh after generation, instead of missing because the actual query key shape didn't match the targeted invalidation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:00:58 +02:00
break;
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
default:
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
logger.info({ event }, 'Unhandled Documenso webhook event type');
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
}
} catch (err) {
fix(documenso): align webhook receiver with Documenso v1.13 + 2.x protocol Documenso authenticates outbound webhooks via the X-Documenso-Secret header carrying the plaintext secret (no HMAC). The previous receiver verified an HMAC against a non-existent x-documenso-signature header and switched on parsed.type, neither of which Documenso emits — so every real delivery was being silently rejected. - Read X-Documenso-Secret, compare timing-safe to env secret - Switch on parsed.event with uppercase normalization for both v1.13 (DOCUMENT_SIGNED) and 2.x (lowercase-dotted UI labels) wire formats - Alias DOCUMENT_RECIPIENT_COMPLETED to DOCUMENT_SIGNED (same semantics across versions) - Handle DOCUMENT_OPENED / DOCUMENT_REJECTED / DOCUMENT_CANCELLED in addition to the existing DOCUMENT_SIGNED + DOCUMENT_COMPLETED paths - Bypass session middleware for /api/webhooks/* (signature is the auth) Verified end-to-end against signatures.letsbe.solutions: real DOCUMENT_RECIPIENT_COMPLETED + DOCUMENT_COMPLETED deliveries now pass secret verification, dispatch correctly, and the handler updates state (or warns gracefully when the documensoId is unknown). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:46:48 +02:00
logger.error({ err, event }, 'Error processing Documenso webhook');
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
}
return NextResponse.json({ ok: true }, { status: 200 });
}
Reference in New Issue Copy Permalink