fix: critical security improvements

- Apply optimistic locking to deposit-matcher.ts (race condition fix)
- Add timing-safe comparison for API key validation
- Move admin IDs from wrangler.toml vars to secrets
- Add .env.example for secure credential management

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
kappa
2026-01-21 17:18:21 +09:00
parent 8edab3069f
commit 91f50ddc12
6 changed files with 82 additions and 37 deletions


@@ -10,6 +10,7 @@ import { handleCommand } from '../commands';
import { openaiCircuitBreaker } from '../openai-service';
import { createLogger } from '../utils/logger';
import { toError } from '../utils/error';
import { timingSafeEqual } from '../security';
const logger = createLogger('api');
@@ -34,13 +35,13 @@ const ContactFormBodySchema = z.object({
});
/**
* API Key 인증 검증
* API Key 인증 검증 (Timing-safe comparison으로 타이밍 공격 방지)
* @returns 인증 실패 시 Response, 성공 시 null
*/
function requireApiKey(request: Request, env: Env): Response | null {
const apiSecret = env.DEPOSIT_API_SECRET;
const authHeader = request.headers.get('X-API-Key');
if (!apiSecret || authHeader !== apiSecret) {
if (!apiSecret || !timingSafeEqual(authHeader, apiSecret)) {
return Response.json({ error: 'Unauthorized' }, { status: 401 });
}
return null;
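Review bot: On the new line `if (!apiSecret || !timingSafeEqual(authHeader, apiSecret))`, `authHeader` comes from `request.headers.get('X-API-Key')` and is `string | null`, so a missing header is now passed straight into `timingSafeEqual`, whereas the old `!==` comparison handled null on its own. Whether the helper in `../security` accepts null is not visible here; if its parameters are typed `string` this does not compile under `strict`, and if it coerces, the missing-header case is decided inside the helper rather than in this function. An explicit guard keeps the 401 path obvious: `if (!apiSecret || !authHeader || !timingSafeEqual(authHeader, apiSecret)) {`. It is also worth confirming how the helper treats inputs of unequal length, since an early length-mismatch return still exposes the secret's length through timing; comparing fixed-length digests of both values avoids that. The closing brace of requireApiKey lies outside the hunk.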