mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
e878baec52
* fix(digest): DIGEST_ONLY_USER self-expiring (mandatory until= suffix, 48h cap) Review finding on PR #3255: DIGEST_ONLY_USER was a sticky production footgun. If an operator forgot to unset after a one-off validation, the cron silently filtered every other user out indefinitely while still completing normally (exit 0) — prolonged partial outage with "green" runs. Fix: mandatory `|until=<ISO8601>` suffix within 48h of now. Otherwise the flag is IGNORED with a loud warn, fan-out proceeds normally. Active filter emits a structured console.warn at run start listing expiry + remaining minutes. Valid: DIGEST_ONLY_USER=user_xxx|until=2026-04-22T18:00Z Rejected (→ loud warn, normal fan-out): - Legacy bare `user_xxx` (missing required suffix) - Unparseable ISO - Expiry > 48h (forever-test mistake) - Expiry in past (auto-disable) Parser extracted to `scripts/lib/digest-only-user.mjs` (testable without importing seed-digest-notifications.mjs which has no isMain guard). Tests: 17 cases covering unset / reject / active branches, ISO variants, boundaries, and the 48h cap. 6066 total pass. typecheck × 2 clean. Breaking change on the flag's format, but it shipped 2h before this finding with no prod usage — tightening now is cheaper than after an incident. * chore(digest): address /ce:review P2s on DIGEST_ONLY_USER parser Two style fixes flagged by Greptile on PR #3271: 1. Misleading multi-pipe error message. `user_xxx|until=<iso>|extra` returned "missing mandatory suffix", which points the operator toward adding a suffix that is already present (confused operator might try `user_xxx|until=...|until=...`). Now distinguishes parts.length===1 ("missing suffix") from >2 ("expected exactly one '|' separator, got N"). 2. Date.parse is lenient — accepts RFC 2822, locale strings, "April 22". The documented contract is strict ISO 8601; the 48h cap catches accidental-valid dates but the documentation lied. Added a regex guard up-front that enforces the ISO 8601 shape (YYYY-MM-DD optionally followed by time + TZ). Rejects the 6 Date-parseable-but-not-ISO fixtures before Date.parse runs. Both regressions pinned in tests/digest-only-user.test.mjs (18 pass, was 17). typecheck × 2 clean.
84 lines
3.4 KiB
JavaScript
84 lines
3.4 KiB
JavaScript
// Pure parser for the DIGEST_ONLY_USER env flag. Lives here (not inline
|
|
// in seed-digest-notifications.mjs) because the seed script has no
|
|
// isMain guard — importing it executes main() + env-assert exits. This
|
|
// module is pure and test-friendly.
|
|
|
|
// Hard cap: an operator cannot set an expiry more than 48h in the future.
|
|
// Prevents "forever test" misconfig even if the format is otherwise valid.
|
|
// 48h covers every realistic same-day + next-day validation window.
|
|
export const DIGEST_ONLY_USER_MAX_HORIZON_MS = 48 * 60 * 60 * 1000;
|
|
|
|
/**
|
|
* Parse the DIGEST_ONLY_USER env value.
|
|
*
|
|
* The value MUST be in the form `<userId>|until=<ISO8601>` where the
|
|
* expiry is in the future and within the 48h horizon. Legacy bare-
|
|
* userId format is REJECTED to prevent sticky test flags from producing
|
|
* silent partial outages indefinitely if the operator forgets to unset.
|
|
*
|
|
* @param {string} raw - The trimmed env var value. Pass '' for unset.
|
|
* @param {number} nowMs - Current ms (injected for deterministic tests).
|
|
* @returns {{ kind: 'active', userId: string, untilMs: number }
|
|
* | { kind: 'reject', reason: string }
|
|
* | { kind: 'unset' }}
|
|
*/
|
|
export function parseDigestOnlyUser(raw, nowMs) {
|
|
if (typeof raw !== 'string' || raw.length === 0) return { kind: 'unset' };
|
|
|
|
const parts = raw.split('|');
|
|
if (parts.length !== 2) {
|
|
// Distinguish "no separator" from "too many" so the operator's
|
|
// next action is clear. Without this, a double-`|until=` typo got
|
|
// told "missing suffix" even though a suffix was present — the
|
|
// operator's instinct would be to add a second suffix, looping.
|
|
return {
|
|
kind: 'reject',
|
|
reason:
|
|
parts.length === 1
|
|
? 'missing mandatory "|until=<ISO8601>" suffix'
|
|
: `expected exactly one "|" separator, got ${parts.length - 1}`,
|
|
};
|
|
}
|
|
const userId = parts[0].trim();
|
|
const suffix = parts[1].trim();
|
|
if (!userId) return { kind: 'reject', reason: 'empty userId before "|"' };
|
|
if (!suffix.startsWith('until=')) {
|
|
return {
|
|
kind: 'reject',
|
|
reason: `suffix must be "until=<ISO8601>" (got "${suffix}")`,
|
|
};
|
|
}
|
|
const untilRaw = suffix.slice('until='.length).trim();
|
|
// `Date.parse` is intentionally lenient in V8 (accepts RFC 2822,
|
|
// locale-formatted dates, etc.). The documented contract is strict
|
|
// ISO 8601 — gate with a rough regex so non-ISO values are rejected
|
|
// by shape, not just by the 48h cap catching a random valid date.
|
|
// Accept YYYY-MM-DD with optional time / fractional / timezone.
|
|
if (!/^\d{4}-\d{2}-\d{2}(?:[T\s]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?(?:Z|[+\-]\d{2}:?\d{2})?)?$/.test(untilRaw)) {
|
|
return {
|
|
kind: 'reject',
|
|
reason: `expiry "${untilRaw}" is not a parseable ISO8601 timestamp`,
|
|
};
|
|
}
|
|
const untilMs = Date.parse(untilRaw);
|
|
if (!Number.isFinite(untilMs)) {
|
|
return {
|
|
kind: 'reject',
|
|
reason: `expiry "${untilRaw}" is not a parseable ISO8601 timestamp`,
|
|
};
|
|
}
|
|
if (untilMs <= nowMs) {
|
|
return {
|
|
kind: 'reject',
|
|
reason: `expiry ${new Date(untilMs).toISOString()} is in the past (now=${new Date(nowMs).toISOString()}) — auto-disabled`,
|
|
};
|
|
}
|
|
if (untilMs > nowMs + DIGEST_ONLY_USER_MAX_HORIZON_MS) {
|
|
return {
|
|
kind: 'reject',
|
|
reason: `expiry ${new Date(untilMs).toISOString()} exceeds the 48h hard cap — set a closer expiry`,
|
|
};
|
|
}
|
|
return { kind: 'active', userId, untilMs };
|
|
}
|