fix(audit): post-review hardening across phases 0-7
15 of 17 findings from the consolidated audit (3 reviewer agents on the previously-shipped phase commits). Remaining two are nice-to-have follow-ups deferred. Critical (data integrity / security): - Public berths API: closed-deal junction rows no longer flip a berth to "Under Offer" - filter on `interests.outcome IS NULL` so won/ lost/cancelled don't pollute public-map status. Both list + single-mooring routes. - Recommender heat: cancelled outcomes now count as fall-throughs (SQL was `LIKE 'lost%'` which silently dropped them, leaving cancelled-only berths stuck in tier A). - Filesystem presignDownload returns an absolute URL (origin from APP_URL) so emailed download links resolve from external mail clients. - Magic-byte verification on the presigned-PUT path: both per-berth PDFs and brochures stream the first 5 bytes via the storage backend and reject + delete on `%PDF-` mismatch (was only enforced when the server saw the buffer; presign-PUT was wide open). - Replay-protection TTL aligned to the token's own expiry (was a fixed 30 min, but send-out tokens live 24 h). Floor 60 s, ceiling 25 days. - Brochures unique partial index on (port_id) WHERE is_default=true + 0032 migration. Closes the read-then-write race in the create/ update transactions. Important: - Recommender SQL: defense-in-depth `i.port_id = $portId` filter on the aggregates CTE. - berth-pdf service: per-berth pg_advisory_xact_lock around the version-number SELECT + insert. Storage key is now UUID-based so concurrent uploads can't collide on blob paths. Replaces `nextVersionNumber` with the tx-bound variant. - berth-pdf apply: rejects with ConflictError when parse_results contain a mooring-mismatch warning unless the caller passes `confirmMooringMismatch: true` (force-reconfirm gate was UI-only). - Send-out body: HTML-escape brochure filename in the download-link fallback (XSS guard). - parseDecimalWithUnit rejects negative numbers. - listClients DISTINCT ON for primary contact resolution: bounds contact-row count to ~2 per client. Defensive: - verifyProxyToken rejects NaN/Infinity expiries via Number.isFinite. - Replaced sql ANY() with inArray() in interest-berths. Tests: 1145 -> 1163 passing. Deferred: bulk-send rate limit (no bulk endpoint today), markdown italic regex breaking links with asterisks (cosmetic). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -126,7 +126,11 @@ export function verifyProxyToken(
|
||||
return { ok: false, reason: 'malformed-payload' };
|
||||
}
|
||||
|
||||
if (typeof payload.e !== 'number' || payload.e * 1000 < Date.now()) {
|
||||
// `Number.isFinite` catches NaN / ±Infinity that a tampered token could
|
||||
// otherwise smuggle past the `< Date.now()` comparison (NaN compares
|
||||
// false against any number, which would treat the token as eternally
|
||||
// valid). Reject non-finite expiries outright.
|
||||
if (!Number.isFinite(payload.e) || payload.e * 1000 < Date.now()) {
|
||||
return { ok: false, reason: 'expired' };
|
||||
}
|
||||
try {
|
||||
@@ -279,8 +283,12 @@ export class FilesystemBackend implements StorageBackend {
|
||||
{ k: key, e: expiresAtSec, n: randomUUID(), f: opts.filename, c: opts.contentType },
|
||||
this.hmacSecret,
|
||||
);
|
||||
// ABSOLUTE URL: send-out emails interpolate this verbatim into the
|
||||
// recipient's inbox. A relative path is unreachable from a mail
|
||||
// client. APP_URL strips any trailing slash to keep the join clean.
|
||||
const origin = env.APP_URL.replace(/\/$/, '');
|
||||
return {
|
||||
url: `/api/storage/${token}`,
|
||||
url: `${origin}/api/storage/${token}`,
|
||||
expiresAt: new Date(expiresAtSec * 1000),
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user