Spaces:

safetrack
/

edtech

Running

CognxSafeTrack Claude Sonnet 4.6 commited on 21 days ago

Commit

aa4f69f

1 Parent(s): 2859b85

fix: security hardening, log all silent catch blocks, remove prisma cast

Security:
- whatsapp.ts: remove WHATSAPP_VERIFY_TOKEN hardcoded fallback — return 500
if env var is missing instead of silently accepting a public default
- rateLimit.ts: key by req.ip (not spoofable x-organization-id header)

Code quality — 7 empty catch blocks now log with context:
- NudgeHandler, AdminHandler (+ missing logger import), EnrollHandler (x2),
MediaHandler (x2), organization.ts invalidateOrgCache

- admin.ts: remove (prisma as any).normalizationRule — model is in schema,
cast was unnecessary

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Files changed (8) hide show

apps/api/src/middleware/rateLimit.ts +1 -1
apps/api/src/routes/admin.ts +1 -1
apps/api/src/routes/whatsapp.ts +2 -1
apps/whatsapp-worker/src/handlers/AdminHandler.ts +4 -1
apps/whatsapp-worker/src/handlers/EnrollHandler.ts +7 -2
apps/whatsapp-worker/src/handlers/MediaHandler.ts +6 -2
apps/whatsapp-worker/src/handlers/NudgeHandler.ts +3 -1
apps/whatsapp-worker/src/services/organization.ts +3 -1

apps/api/src/middleware/rateLimit.ts CHANGED Viewed

@@ -7,7 +7,7 @@ export async function setupRateLimit(server: FastifyInstance) {
         await server.register(rateLimit as any, {
             max: 100,
             timeWindow: '1 minute',
-            keyGenerator: (req: FastifyRequest) => (req.headers['x-organization-id'] as string) || req.ip,
             errorResponseBuilder: (_request: FastifyRequest, context: { after: string }) => {
                 return {
                     statusCode: 429,

         await server.register(rateLimit as any, {
             max: 100,
             timeWindow: '1 minute',
+            keyGenerator: (req: FastifyRequest) => req.ip as string,
             errorResponseBuilder: (_request: FastifyRequest, context: { after: string }) => {
                 return {
                     statusCode: 429,

apps/api/src/routes/admin.ts CHANGED Viewed

@@ -448,7 +448,7 @@ export async function adminRoutes(fastify: FastifyInstance) {
     // List current normalization rules from DB
     fastify.get('/training/rules', async () => {
-        return (prisma as any).normalizationRule.findMany({
             orderBy: { original: 'asc' }
         });
     });

     // List current normalization rules from DB
     fastify.get('/training/rules', async () => {
+        return prisma.normalizationRule.findMany({
             orderBy: { original: 'asc' }
         });
     });

apps/api/src/routes/whatsapp.ts CHANGED Viewed

@@ -45,7 +45,8 @@ export async function whatsappRoutes(fastify: FastifyInstance) {
         const token = query['hub.verify_token'];
         const challenge = query['hub.challenge'];
-        const VERIFY_TOKEN = process.env.WHATSAPP_VERIFY_TOKEN || 'xamle_studio_secret_token';
         if (mode && token) {
             if (mode === 'subscribe' && token === VERIFY_TOKEN) {

         const token = query['hub.verify_token'];
         const challenge = query['hub.challenge'];
+        const VERIFY_TOKEN = process.env.WHATSAPP_VERIFY_TOKEN;
+        if (!VERIFY_TOKEN) return reply.code(500).send({ error: 'WHATSAPP_VERIFY_TOKEN not configured' });
         if (mode && token) {
             if (mode === 'subscribe' && token === VERIFY_TOKEN) {

apps/whatsapp-worker/src/handlers/AdminHandler.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { Job, Queue } from 'bullmq';
 import Redis from 'ioredis';
 import { JobHandler, JobData } from './types';
 import { prisma } from '../services/prisma';
 import { sendTextMessage } from '../whatsapp-cloud';
 interface TenantConfig {
@@ -15,7 +16,9 @@ export class AdminHandler implements JobHandler {
         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
-        } catch (err) {}
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },

 import Redis from 'ioredis';
 import { JobHandler, JobData } from './types';
 import { prisma } from '../services/prisma';
+import { logger } from '../logger';
 import { sendTextMessage } from '../whatsapp-cloud';
 interface TenantConfig {
         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
+        } catch (err) {
+            logger.warn({ err, organizationId }, '[AdminHandler] Redis cache lookup failed');
+        }
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },

apps/whatsapp-worker/src/handlers/EnrollHandler.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { Job, Queue } from 'bullmq';
 import Redis from 'ioredis';
 import { JobHandler, JobData } from './types';
 import { prisma } from '../services/prisma';
 import { sendTextMessage } from '../whatsapp-cloud';
 import { getApiUrl, getAdminApiKey } from '../config';
@@ -16,7 +17,9 @@ export class EnrollHandler implements JobHandler {
         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
-        } catch (err) {}
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },
@@ -60,7 +63,9 @@ export class EnrollHandler implements JobHandler {
                         await sendTextMessage(user.phone, `💳 Cette formation est Premium. Complétez votre paiement ici :\n${checkoutData.url}`, tenantConfig);
                     }
                 }
-            } catch (err) {}
         } else {
             const existing = await prisma.enrollment.findFirst({ where: { userId, trackId } });
             if (!existing) {

 import Redis from 'ioredis';
 import { JobHandler, JobData } from './types';
 import { prisma } from '../services/prisma';
+import { logger } from '../logger';
 import { sendTextMessage } from '../whatsapp-cloud';
 import { getApiUrl, getAdminApiKey } from '../config';
         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
+        } catch (err) {
+            logger.warn({ err, organizationId }, '[EnrollHandler] Redis cache lookup failed');
+        }
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },
                         await sendTextMessage(user.phone, `💳 Cette formation est Premium. Complétez votre paiement ici :\n${checkoutData.url}`, tenantConfig);
                     }
                 }
+            } catch (err) {
+                logger.error({ err, userId, trackId }, '[EnrollHandler] Premium checkout failed');
+            }
         } else {
             const existing = await prisma.enrollment.findFirst({ where: { userId, trackId } });
             if (!existing) {

apps/whatsapp-worker/src/handlers/MediaHandler.ts CHANGED Viewed

@@ -20,7 +20,9 @@ export class MediaHandler implements JobHandler {
         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
-        } catch (err) {}
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },
@@ -68,7 +70,9 @@ export class MediaHandler implements JobHandler {
                     headers: { 'x-organization-id': organizationId as string }
                 });
                 audioUrl = storeRes.data.url;
-            } catch (err) {}
             const user = await prisma.user.findFirst({ where: { phone } });
             if (user) {

         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
+        } catch (err) {
+            logger.warn({ err, organizationId }, '[MediaHandler] Redis cache lookup failed');
+        }
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },
                     headers: { 'x-organization-id': organizationId as string }
                 });
                 audioUrl = storeRes.data.url;
+            } catch (err) {
+                logger.warn({ err, mediaId }, '[MediaHandler] Failed to store audio to R2');
+            }
             const user = await prisma.user.findFirst({ where: { phone } });
             if (user) {

apps/whatsapp-worker/src/handlers/NudgeHandler.ts CHANGED Viewed

@@ -16,7 +16,9 @@ export class NudgeHandler implements JobHandler {
         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
-        } catch (err) {}
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },

         try {
             const cached = await connection.get(cacheKey);
             if (cached) return JSON.parse(cached);
+        } catch (err) {
+            logger.warn({ err, organizationId }, '[NudgeHandler] Redis cache lookup failed');
+        }
         const org = await prisma.organization.findUnique({
             where: { id: organizationId },

apps/whatsapp-worker/src/services/organization.ts CHANGED Viewed

@@ -82,7 +82,9 @@ export async function invalidateOrgCache(id: string) {
     try {
         localCache.delete(`org:full:${id}`);
         await redis.del(`org:full:${id}`);
-    } catch (err) {}
 }
 export async function getOrganizationByPhoneNumberId(phoneNumberId: string): Promise<string> {

     try {
         localCache.delete(`org:full:${id}`);
         await redis.del(`org:full:${id}`);
+    } catch (err) {
+        logger.warn({ err, id }, '[OrgCache] Cache invalidation failed');
+    }
 }
 export async function getOrganizationByPhoneNumberId(phoneNumberId: string): Promise<string> {