fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability
Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:
error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
comes back with a non-JSON body (reverse-proxy HTML pages); message
becomes "The server is unreachable. Please try again." with code
UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
no longer 500s login + portal sign-in; logged at warn so monitoring
catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
/api/public/website-inquiries, and the Documenso webhook body (drops
the "Invalid secret" reconnaissance string)
outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
timestamp surfaced as X-Webhook-Timestamp so receivers can reject
replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
null (defence-in-depth against DB tampering / future migration
mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
exponential backoff so a 30 s receiver blip during a deploy no
longer dead-letters every in-flight event; per-queue
backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
can't slip plaintext through
storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
with portSlug threaded into backend.presignUpload — engages the
filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
segment when callers don't pass it, so all 8 download sites engage
the `p`-token guard without per-site plumbing
search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
unused looksLikeEmail helper — the bucket-reorder it was scaffolded
for was never wired
maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
imports across clients/bulk, interests/bulk, admin/email-templates,
admin/website-submissions, alert-rules, and notes.service
Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
binding)
Tests: 1315/1315 vitest ✅ ; tsc clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -21,7 +21,13 @@ import { Readable } from 'node:stream';
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
|
||||
import { MAX_FILE_SIZE } from '@/lib/constants/file-validation';
|
||||
import { errorResponse } from '@/lib/errors';
|
||||
import {
|
||||
AppError,
|
||||
errorResponse,
|
||||
ForbiddenError,
|
||||
NotFoundError,
|
||||
ValidationError,
|
||||
} from '@/lib/errors';
|
||||
import { logger } from '@/lib/logger';
|
||||
import { redis } from '@/lib/redis';
|
||||
import { FilesystemBackend, getStorageBackend } from '@/lib/storage';
|
||||
@@ -47,16 +53,13 @@ export async function GET(
|
||||
|
||||
const backend = await getStorageBackend();
|
||||
if (!(backend instanceof FilesystemBackend)) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Storage proxy is only available in filesystem mode' },
|
||||
{ status: 404 },
|
||||
);
|
||||
return errorResponse(new NotFoundError('storage proxy'));
|
||||
}
|
||||
|
||||
const result = verifyProxyToken(token, backend.getHmacSecret(), 'get');
|
||||
if (!result.ok) {
|
||||
logger.warn({ reason: result.reason }, 'Storage proxy token rejected');
|
||||
return NextResponse.json({ error: 'Invalid or expired token' }, { status: 403 });
|
||||
return errorResponse(new ForbiddenError('Invalid or expired token'));
|
||||
}
|
||||
const { payload } = result;
|
||||
|
||||
@@ -72,7 +75,7 @@ export async function GET(
|
||||
const setOk = await redis.set(replayKey, '1', 'EX', remainingSeconds, 'NX');
|
||||
if (setOk !== 'OK') {
|
||||
logger.warn({ key: payload.k }, 'Storage proxy token replay rejected');
|
||||
return NextResponse.json({ error: 'Token already used' }, { status: 403 });
|
||||
return errorResponse(new ForbiddenError('Token already used'));
|
||||
}
|
||||
|
||||
let absolutePath: string;
|
||||
@@ -80,22 +83,22 @@ export async function GET(
|
||||
absolutePath = backend.resolveKeyForProxy(payload.k);
|
||||
} catch (err) {
|
||||
logger.warn({ err, key: payload.k }, 'Storage proxy key resolution failed');
|
||||
return NextResponse.json({ error: 'Invalid key' }, { status: 400 });
|
||||
return errorResponse(new ValidationError('Invalid key'));
|
||||
}
|
||||
|
||||
let size: number;
|
||||
try {
|
||||
const stat = await fs.stat(absolutePath);
|
||||
if (!stat.isFile()) {
|
||||
return NextResponse.json({ error: 'Not found' }, { status: 404 });
|
||||
return errorResponse(new NotFoundError('file'));
|
||||
}
|
||||
size = stat.size;
|
||||
} catch (err) {
|
||||
const code = (err as NodeJS.ErrnoException).code;
|
||||
if (code === 'ENOENT') {
|
||||
return NextResponse.json({ error: 'Not found' }, { status: 404 });
|
||||
return errorResponse(new NotFoundError('file'));
|
||||
}
|
||||
throw err;
|
||||
return errorResponse(err);
|
||||
}
|
||||
|
||||
// Convert the Node Readable into a Web ReadableStream for NextResponse.
|
||||
@@ -140,16 +143,13 @@ export async function PUT(
|
||||
|
||||
const backend = await getStorageBackend();
|
||||
if (!(backend instanceof FilesystemBackend)) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Storage proxy is only available in filesystem mode' },
|
||||
{ status: 404 },
|
||||
);
|
||||
return errorResponse(new NotFoundError('storage proxy'));
|
||||
}
|
||||
|
||||
const result = verifyProxyToken(token, backend.getHmacSecret(), 'put');
|
||||
if (!result.ok) {
|
||||
logger.warn({ reason: result.reason }, 'Storage proxy upload token rejected');
|
||||
return NextResponse.json({ error: 'Invalid or expired token' }, { status: 403 });
|
||||
return errorResponse(new ForbiddenError('Invalid or expired token'));
|
||||
}
|
||||
const { payload } = result;
|
||||
|
||||
@@ -164,7 +164,7 @@ export async function PUT(
|
||||
const setOk = await redis.set(replayKey, '1', 'EX', remainingSeconds, 'NX');
|
||||
if (setOk !== 'OK') {
|
||||
logger.warn({ key: payload.k }, 'Storage proxy upload token replay rejected');
|
||||
return NextResponse.json({ error: 'Token already used' }, { status: 403 });
|
||||
return errorResponse(new ForbiddenError('Token already used'));
|
||||
}
|
||||
|
||||
// Pre-flight size check via Content-Length so a malicious caller can't
|
||||
@@ -172,14 +172,17 @@ export async function PUT(
|
||||
const contentLengthHeader = req.headers.get('content-length');
|
||||
const contentLength = contentLengthHeader ? Number(contentLengthHeader) : NaN;
|
||||
if (Number.isFinite(contentLength) && contentLength > MAX_FILE_SIZE) {
|
||||
return NextResponse.json(
|
||||
{ error: `File exceeds ${MAX_FILE_SIZE} byte cap (Content-Length: ${contentLength})` },
|
||||
{ status: 413 },
|
||||
return errorResponse(
|
||||
new AppError(
|
||||
413,
|
||||
`File exceeds ${MAX_FILE_SIZE} byte cap (Content-Length: ${contentLength})`,
|
||||
'PAYLOAD_TOO_LARGE',
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
if (!req.body) {
|
||||
return NextResponse.json({ error: 'Empty body' }, { status: 400 });
|
||||
return errorResponse(new ValidationError('Empty body'));
|
||||
}
|
||||
|
||||
// Read the body into a buffer with a hard cap. Filesystem deployments are
|
||||
@@ -200,9 +203,8 @@ export async function PUT(
|
||||
} catch {
|
||||
/* ignore */
|
||||
}
|
||||
return NextResponse.json(
|
||||
{ error: `File exceeds ${MAX_FILE_SIZE} byte cap` },
|
||||
{ status: 413 },
|
||||
return errorResponse(
|
||||
new AppError(413, `File exceeds ${MAX_FILE_SIZE} byte cap`, 'PAYLOAD_TOO_LARGE'),
|
||||
);
|
||||
}
|
||||
chunks.push(Buffer.from(value));
|
||||
@@ -210,7 +212,7 @@ export async function PUT(
|
||||
buffer = Buffer.concat(chunks);
|
||||
} catch (err) {
|
||||
logger.warn({ err, key: payload.k }, 'Storage proxy upload read failed');
|
||||
return NextResponse.json({ error: 'Upload read failed' }, { status: 400 });
|
||||
return errorResponse(new ValidationError('Upload read failed'));
|
||||
}
|
||||
|
||||
// Magic-byte gate: when the token was minted with `c=application/pdf`
|
||||
@@ -218,9 +220,8 @@ export async function PUT(
|
||||
// that isn't actually a PDF. Mirrors the post-upload check in
|
||||
// berth-pdf.service.ts so the two paths behave identically.
|
||||
if (payload.c === 'application/pdf' && !isPdfMagic(buffer)) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Uploaded file failed PDF magic-byte check (does not start with %PDF-).' },
|
||||
{ status: 400 },
|
||||
return errorResponse(
|
||||
new ValidationError('Uploaded file failed PDF magic-byte check (does not start with %PDF-).'),
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user