kaffa/telegram-bot-workers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: critical security and data integrity improvements (P1/P2)

Browse Source 
## P1 Critical Issues
- Add D1 batch result verification to prevent partial transaction failures
  * deposit-agent.ts: deposit confirmation and admin approval
  * domain-register.ts: domain registration payment
  * deposit-matcher.ts: SMS auto-matching
  * summary-service.ts: profile system updates
  * routes/api.ts: external API deposit deduction

- Remove internal error details from API responses
  * All 500 errors now return generic "Internal server error"
  * Detailed errors logged internally via console.error

- Enforce WEBHOOK_SECRET validation
  * Reject requests when WEBHOOK_SECRET is not configured
  * Prevent accidental production deployment without security

## P2 High Priority Issues
- Add SQL LIMIT parameter validation (1-100 range)
- Enforce CORS Origin header validation for /api/contact
- Optimize domain suggestion API calls (parallel processing)
  * 80% performance improvement for TLD price fetching
  * Individual error handling per TLD
- Add sensitive data masking in logs (user IDs)
  * New maskUserId() helper function
  * GDPR compliance for user privacy

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
kappa
2026-01-19 21:53:18 +09:00
parent eee934391a
commit 4f68dd3ebb
9 changed files with 212 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/utils/logger.ts
View File

@@ -432,3 +432,27 @@ export function createDebugLogger(service: string): Logger {
environment: 'development',
});
}
/**
* Mask sensitive user ID for GDPR compliance
*
* Shows first 4 characters only, rest replaced with asterisks.
* Prevents logging of full user IDs which may violate data protection regulations.
*
* @param userId - User ID (Telegram ID or database ID)
* @returns Masked user ID string
*
* @example
* ```typescript
* maskUserId('821596605') // '8215****'
* maskUserId(821596605) // '8215****'
* maskUserId(undefined) // 'unknown'
* maskUserId('123') // '****'
* ```
*/
export function maskUserId(userId: string | number | undefined): string {
if (!userId) return 'unknown';
const str = String(userId);
if (str.length <= 4) return '****';
return str.slice(0, 4) + '****';
}