mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
38e6892995
* fix(brief): per-run slot URL so same-day digests link to distinct briefs
Digest emails at 8am and 1pm on the same day pointed to byte-identical
magazine URLs because the URL was keyed on YYYY-MM-DD in the user tz.
Each compose run overwrote the single daily envelope in place, and the
composer rolling 24h story window meant afternoon output often looked
identical to morning. Readers clicking an older email got whatever the
latest cron happened to write.
Slot format is now YYYY-MM-DD-HHMM (local tz, per compose run). The
magazine URL, carousel URLs, and Redis key all carry the slot, and each
digest dispatch gets its own frozen envelope that lives out the 7d TTL.
envelope.data.date stays YYYY-MM-DD for rendering "19 April 2026".
The digest cron also writes a brief:latest:{userId} pointer (7d TTL,
overwritten each compose) so the dashboard panel and share-url endpoint
can locate the most recent brief without knowing the slot. The
previous date-probing strategy does not work once keys carry HHMM.
No back-compat for the old YYYY-MM-DD format: the verifier rejects it,
the composer only ever writes the new shape, and any in-flight
notifications signed under the old format will 403 on click. Acceptable
at the rollout boundary per product decision.
* fix(brief): carve middleware bot allowlist to accept slot-format carousel path
BRIEF_CAROUSEL_PATH_RE in middleware.ts was still matching only the
pre-slot YYYY-MM-DD segment, so every slot-based carousel URL emitted
by the digest cron (YYYY-MM-DD-HHMM) would miss the social allowlist
and fall into the generic bot gate. Telegram/Slack/Discord/LinkedIn
image fetchers would 403 on sendMediaGroup, breaking previews for the
new digest links.
CI missed this because tests/middleware-bot-gate.test.mts still
exercised the old /YYYY-MM-DD/ path shape. Swap the fixture to the
slot format and add a regression asserting the pre-slot shape is now
rejected, so legacy links cannot silently leak the allowlist after
the rollout.
* fix(brief): preserve caller-requested slot + correct no-brief share-url error
Two contract bugs in the slot rollout that silently misled callers:
1. GET /api/latest-brief?slot=X where X has no envelope was returning
{ status: 'composing', issueDate: <today UTC> } — which reads as
"today's brief is composing" instead of "the specific slot you
asked about doesn't exist". A caller probing a known historical
slot would get a completely unrelated "today" signal. Now we echo
the requested slot back (issueSlot + issueDate derived from its
date portion) when the caller supplied ?slot=, and keep the
UTC-today placeholder only for the no-param path.
2. POST /api/brief/share-url with no slot and no latest-pointer was
falling into the generic invalid_slot_shape 400 branch. That is
not an input-shape problem; it is "no brief exists yet for this
user". Return 404 brief_not_found — the same code the
existing-envelope check returns — so callers get one coherent
contract: either the brief exists and is shareable, or it doesn't
and you get 404.
183 lines
6.0 KiB
TypeScript
183 lines
6.0 KiB
TypeScript
/**
|
|
* HMAC-signed URL helpers for the WorldMonitor Brief magazine route.
|
|
*
|
|
* The hosted magazine at /api/brief/{userId}/{issueDate} is auth-less
|
|
* in the traditional sense (no Clerk session, no cookie). The signed
|
|
* token IS the credential: a recipient with the URL can read the
|
|
* magazine; without it, no. This matches the push / email delivery
|
|
* model where the token is delivered to the user through an already-
|
|
* authenticated channel.
|
|
*
|
|
* Secret rotation is supported: set BRIEF_URL_SIGNING_SECRET_PREV to
|
|
* the outgoing secret for the overlap window. `verifyBriefToken` will
|
|
* accept a token signed with either, so producers can roll the primary
|
|
* secret without invalidating in-flight notifications.
|
|
*
|
|
* Rotation runbook:
|
|
* - Normal roll: set PREV = current, then replace SECRET with a
|
|
* fresh value. Keep PREV set for at least the envelope TTL
|
|
* (7 days) plus the push/email-delivery window so in-flight
|
|
* notifications remain valid.
|
|
* - Emergency kill switch (suspected secret leak): rotate SECRET
|
|
* and do NOT set PREV. This invalidates every outstanding token
|
|
* immediately. Accept the breakage of in-flight notifications
|
|
* as the cost of containment.
|
|
*
|
|
* All crypto goes through Web Crypto (`crypto.subtle`) so this module
|
|
* runs unchanged in Vercel Edge, Node 18+, and Tauri.
|
|
*/
|
|
|
|
const USER_ID_RE = /^[A-Za-z0-9_-]{1,128}$/;
|
|
// YYYY-MM-DD-HHMM issue slot — hour+minute of the compose run in the
|
|
// user's tz. The token binds userId + slot so each digest dispatch
|
|
// gets its own frozen magazine URL.
|
|
const ISSUE_DATE_RE = /^\d{4}-\d{2}-\d{2}-\d{4}$/;
|
|
const TOKEN_RE = /^[A-Za-z0-9_-]{43}$/; // base64url(sha256) = 43 chars, no padding
|
|
|
|
export class BriefUrlError extends Error {
|
|
readonly code: 'invalid_user_id' | 'invalid_issue_date' | 'missing_secret';
|
|
|
|
constructor(code: BriefUrlError['code'], message: string) {
|
|
super(message);
|
|
this.code = code;
|
|
this.name = 'BriefUrlError';
|
|
}
|
|
}
|
|
|
|
function assertShape(userId: string, issueDate: string): void {
|
|
if (!USER_ID_RE.test(userId)) {
|
|
throw new BriefUrlError('invalid_user_id', 'userId must match [A-Za-z0-9_-]{1,128}');
|
|
}
|
|
if (!ISSUE_DATE_RE.test(issueDate)) {
|
|
throw new BriefUrlError('invalid_issue_date', 'issueDate must match YYYY-MM-DD-HHMM');
|
|
}
|
|
}
|
|
|
|
function base64url(bytes: Uint8Array): string {
|
|
let bin = '';
|
|
for (const b of bytes) bin += String.fromCharCode(b);
|
|
return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
|
|
}
|
|
|
|
async function hmacSha256(secret: string, message: string): Promise<Uint8Array> {
|
|
const key = await crypto.subtle.importKey(
|
|
'raw',
|
|
new TextEncoder().encode(secret),
|
|
{ name: 'HMAC', hash: 'SHA-256' },
|
|
false,
|
|
['sign'],
|
|
);
|
|
const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(message));
|
|
return new Uint8Array(sig);
|
|
}
|
|
|
|
/** Constant-time byte comparison. Returns false on length mismatch. */
|
|
function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
|
|
if (a.length !== b.length) return false;
|
|
let diff = 0;
|
|
for (let i = 0; i < a.length; i++) diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
|
|
return diff === 0;
|
|
}
|
|
|
|
/**
|
|
* Deterministically sign `${userId}:${issueDate}` and return a
|
|
* base64url-encoded token. Throws BriefUrlError on malformed inputs or
|
|
* missing secret.
|
|
*/
|
|
export async function signBriefToken(
|
|
userId: string,
|
|
issueDate: string,
|
|
secret: string,
|
|
): Promise<string> {
|
|
assertShape(userId, issueDate);
|
|
if (!secret) {
|
|
throw new BriefUrlError('missing_secret', 'BRIEF_URL_SIGNING_SECRET is not configured');
|
|
}
|
|
const sig = await hmacSha256(secret, `${userId}:${issueDate}`);
|
|
return base64url(sig);
|
|
}
|
|
|
|
/**
|
|
* Verify a token against userId + issueDate. Accepts the primary
|
|
* secret and (if provided) a previous secret during rotation. Returns
|
|
* `true` only on a byte-for-byte match under either secret.
|
|
*
|
|
* The token is rejected without ever touching crypto if its shape is
|
|
* invalid (wrong length, illegal chars). userId and issueDate are
|
|
* shape-validated before any HMAC computation to prevent probing.
|
|
*/
|
|
export async function verifyBriefToken(
|
|
userId: string,
|
|
issueDate: string,
|
|
token: string,
|
|
secret: string,
|
|
prevSecret?: string,
|
|
): Promise<boolean> {
|
|
if (typeof token !== 'string' || !TOKEN_RE.test(token)) return false;
|
|
try {
|
|
assertShape(userId, issueDate);
|
|
} catch {
|
|
return false;
|
|
}
|
|
if (!secret) {
|
|
throw new BriefUrlError('missing_secret', 'BRIEF_URL_SIGNING_SECRET is not configured');
|
|
}
|
|
|
|
const tokenBytes = base64urlDecode(token);
|
|
if (!tokenBytes) return false;
|
|
|
|
const message = `${userId}:${issueDate}`;
|
|
const primary = await hmacSha256(secret, message);
|
|
if (constantTimeEqual(primary, tokenBytes)) return true;
|
|
|
|
if (prevSecret) {
|
|
const legacy = await hmacSha256(prevSecret, message);
|
|
if (constantTimeEqual(legacy, tokenBytes)) return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
function base64urlDecode(token: string): Uint8Array | null {
|
|
try {
|
|
const b64 = token.replace(/-/g, '+').replace(/_/g, '/');
|
|
const padded = b64 + '==='.slice((b64.length + 3) % 4);
|
|
const bin = atob(padded);
|
|
const out = new Uint8Array(bin.length);
|
|
for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
|
|
return out;
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Compose the full magazine URL with signed token.
|
|
*
|
|
* Producers should always go through this helper rather than string-
|
|
* concatenating URLs by hand. Example:
|
|
*
|
|
* const url = await signBriefUrl({
|
|
* userId: 'user_abc',
|
|
* issueDate: '2026-04-17-0800',
|
|
* baseUrl: 'https://worldmonitor.app',
|
|
* secret: process.env.BRIEF_URL_SIGNING_SECRET!,
|
|
* });
|
|
*/
|
|
export async function signBriefUrl({
|
|
userId,
|
|
issueDate,
|
|
baseUrl,
|
|
secret,
|
|
}: {
|
|
userId: string;
|
|
issueDate: string;
|
|
baseUrl: string;
|
|
secret: string;
|
|
}): Promise<string> {
|
|
const token = await signBriefToken(userId, issueDate, secret);
|
|
const encodedUser = encodeURIComponent(userId);
|
|
const encodedDate = encodeURIComponent(issueDate);
|
|
const trimmedBase = baseUrl.replace(/\/+$/, '');
|
|
return `${trimmedBase}/api/brief/${encodedUser}/${encodedDate}?t=${token}`;
|
|
}
|