kaffa/telegram-bot-workers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
87 Commits 1 Branch 0 Tags
e4ccff9f870e7f32e60c4b2d23b3f13e32082952
Commit Graph

6 Commits

Author SHA1 Message Date
kappa
e4ccff9f87 feat: add Reddit search tool and security/performance improvements 
New Features:
- Add reddit-tool.ts with search_reddit function (unofficial JSON API)

Security Fixes:
- Add timingSafeEqual for BOT_TOKEN/WEBHOOK_SECRET comparisons
- Add Optimistic Locking to domain registration balance deduction
- Add callback domain regex validation
- Sanitize error messages to prevent information disclosure
- Add timing-safe Bearer token comparison in api.ts

Performance Improvements:
- Parallelize Function Calling tool execution with Promise.all
- Parallelize domain registration API calls (check + price + balance)
- Parallelize domain info + nameserver queries

Reliability:
- Add in-memory fallback for KV rate limiting failures
- Add 10s timeout to Reddit API calls
- Add MAX_DEPOSIT_AMOUNT limit (100M KRW)

Testing:
- Skip stale test mocks pending vitest infrastructure update

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-26 16:20:17 +09:00
kappa
91f50ddc12 fix: critical security improvements 
- Apply optimistic locking to deposit-matcher.ts (race condition fix)
- Add timing-safe comparison for API key validation
- Move admin IDs from wrangler.toml vars to secrets
- Add .env.example for secure credential management

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-21 17:18:21 +09:00
kappa
4f68dd3ebb fix: critical security and data integrity improvements (P1/P2) 
## P1 Critical Issues
- Add D1 batch result verification to prevent partial transaction failures
  * deposit-agent.ts: deposit confirmation and admin approval
  * domain-register.ts: domain registration payment
  * deposit-matcher.ts: SMS auto-matching
  * summary-service.ts: profile system updates
  * routes/api.ts: external API deposit deduction

- Remove internal error details from API responses
  * All 500 errors now return generic "Internal server error"
  * Detailed errors logged internally via console.error

- Enforce WEBHOOK_SECRET validation
  * Reject requests when WEBHOOK_SECRET is not configured
  * Prevent accidental production deployment without security

## P2 High Priority Issues
- Add SQL LIMIT parameter validation (1-100 range)
- Enforce CORS Origin header validation for /api/contact
- Optimize domain suggestion API calls (parallel processing)
  * 80% performance improvement for TLD price fetching
  * Individual error handling per TLD
- Add sensitive data masking in logs (user IDs)
  * New maskUserId() helper function
  * GDPR compliance for user privacy

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-19 21:53:18 +09:00
kappa
4eb5bbd3d3 feat(security): API 키 보호, CORS 강화, Rate Limiting KV 전환 
보안 개선:
- API 키 하드코딩 제거 (NAMECHEAP_API_KEY_INTERNAL)
- CORS 정책: * → hosting.anvil.it.com 제한
- /health 엔드포인트 DB 정보 노출 방지
- Rate Limiting 인메모리 Map → Cloudflare KV 전환
  - 분산 환경 일관성 보장
  - 재시작 후에도 유지
  - 자동 만료 (TTL)

문서:
- CLAUDE.md Security 섹션 추가
- KV Namespace 설정 가이드 추가
- 배포/마이그레이션 가이드 추가

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-19 15:20:14 +09:00
kappa
8b2ccf05b5 feat: 도메인 관리 기능 추가 (Domain Agent 연동) 
- manage_domain Function Calling 도구 추가
- OpenAI Assistants API 기반 Domain Agent 연동
- Namecheap API 호출 (도메인 목록, 네임서버 관리 등)
- user_domains 테이블로 사용자별 도메인 권한 관리
- 타임스탬프 검증 비활성화 (WEBHOOK_SECRET으로 충분)
- CLAUDE.md 프로젝트 문서 추가

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-16 08:50:16 +09:00
kappa
1e71e035e7 Initial commit: Telegram bot with Cloudflare Workers 
- OpenAI GPT-4o-mini with Function Calling
- Cloudflare D1 for user profiles and message buffer
- Sliding window (3 summaries max) for infinite context
- Tools: weather, search, time, calculator
- Workers AI fallback support
- Webhook security with rate limiting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-14 13:00:44 +09:00