Spaces:

somratpro
/

HuggingPost

Running

somratpro Claude Sonnet 4.6 commited on 24 days ago

Commit

c87b389

1 Parent(s): 2272bb9

remove debug endpoints before release

Remove publicly-accessible debug endpoints that exposed sensitive data:
- /app/debug-logs (API keys, Redis oauth tokens, backend logs)
- /app/test-request-token (live OAuth token generation)
- /app/test-twitter (raw API connectivity probe)
- /app/read-x-provider (container source exposure)
- X OAuth callback Redis snapshot logging (/tmp/x-oauth-callbacks.log)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Files changed (1) hide show

health-server.js +0 -345

health-server.js CHANGED Viewed

@@ -2085,314 +2085,6 @@ const server = http.createServer((req, res) => {
     return;
   }
-  // ── /app/test-twitter — raw connectivity probe to api.twitter.com ────────
-  if (pathname === "/app/test-twitter") {
-    const https = require("https");
-    const lines = [];
-    lines.push(`NODE_OPTIONS         : ${process.env.NODE_OPTIONS || "(not set)"}`);
-    lines.push(`CLOUDFLARE_PROXY_URL : ${process.env.CLOUDFLARE_PROXY_URL || "(not set)"}`);
-    lines.push("");
-    // Two probes:
-    //   A) GET api.twitter.com/ — basic reachability + proxy detection
-    //   B) POST oauth/access_token (no auth) — 4xx+JSON if IP allowed, 500 HTML if IP blocked
-    const makeProbe = (opts, postBody) => new Promise((resolve) => {
-      const t0 = Date.now();
-      const req = https.request({ ...opts, timeout: 10000 }, (r) => {
-        let body = "";
-        r.setEncoding("utf8");
-        r.on("data", (c) => { body += c; if (body.length > 800) r.destroy(); });
-        r.on("close", () => resolve({ status: r.statusCode, headers: r.headers, body: body.trim(), ms: Date.now() - t0 }));
-        r.on("end",  () => resolve({ status: r.statusCode, headers: r.headers, body: body.trim(), ms: Date.now() - t0 }));
-      });
-      req.on("error",   (e) => resolve({ error: e.message, ms: Date.now() - t0 }));
-      req.on("timeout", () => { req.destroy(); resolve({ error: "TIMEOUT 10s", ms: Date.now() - t0 }); });
-      if (postBody) req.write(postBody);
-      req.end();
-    });
-    (async () => {
-      // Probe A
-      lines.push("── Probe A: GET https://api.twitter.com/ ──");
-      const a = await makeProbe({ hostname: "api.twitter.com", path: "/", method: "GET",
-        headers: { "User-Agent": "curl/8.0", "Accept": "*/*" } });
-      if (a.error) {
-        lines.push(`ERROR: ${a.error}`);
-      } else {
-        lines.push(`Status : ${a.status}  (${a.ms}ms)`);
-        for (const [k, v] of Object.entries(a.headers)) lines.push(`  ${k}: ${v}`);
-        lines.push(`cf-ray in headers? : ${a.headers["cf-ray"] ? "YES → request went through Cloudflare" : "no"}`);
-        lines.push(`Body (first 300)   : ${a.body.slice(0, 300)}`);
-      }
-      // Probe B
-      lines.push("");
-      lines.push("── Probe B: POST https://api.twitter.com/oauth/access_token (no auth) ──");
-      lines.push("Expected: 400/401 JSON if IP allowed by X, 500 HTML if IP blocked");
-      const postBody = "oauth_verifier=test";
-      const b = await makeProbe({ hostname: "api.twitter.com", path: "/oauth/access_token",
-        method: "POST",
-        headers: { "User-Agent": "curl/8.0", "Content-Type": "application/x-www-form-urlencoded",
-                   "Content-Length": Buffer.byteLength(postBody) } }, postBody);
-      if (b.error) {
-        lines.push(`ERROR: ${b.error}`);
-      } else {
-        lines.push(`Status : ${b.status}  (${b.ms}ms)`);
-        for (const [k, v] of Object.entries(b.headers)) lines.push(`  ${k}: ${v}`);
-        const isHtml = b.body.includes("<html") || b.body.includes("<!DOCTYPE");
-        lines.push(`Body type : ${isHtml ? "HTML ← IP probably blocked" : "text/JSON ← IP allowed"}`);
-        lines.push(`Body (first 500) : ${b.body.slice(0, 500)}`);
-      }
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end(lines.join("\n"));
-    })();
-    return;
-  }
-  // ── /app/test-request-token — Test generateAuthLink via CF proxy ─────────
-  if (pathname === "/app/test-request-token" || pathname === "/app/test-request-token/") {
-    (async () => {
-      const lines = ["=== TEST: generateAuthLink via CF proxy ===", ""];
-      try {
-        const apiKey    = process.env.X_API_KEY    || "";
-        const apiSecret = process.env.X_API_SECRET || "";
-        lines.push(`X_API_KEY    : ${apiKey.slice(0,6)}... (len=${apiKey.length})`);
-        lines.push(`X_API_SECRET : ${apiSecret.slice(0,6)}... (len=${apiSecret.length})`);
-        lines.push(`CLOUDFLARE_PROXY_URL : ${process.env.CLOUDFLARE_PROXY_URL || "(not set)"}`);
-        lines.push(`NODE_OPTIONS : ${process.env.NODE_OPTIONS || "(not set)"}`);
-        lines.push("");
-        // Require twitter-api-v2 from Postiz's node_modules
-        const { TwitterApi } = require("/app/node_modules/twitter-api-v2");
-        const callbackUrl = (process.env.FRONTEND_URL || "https://somratpro-huggingpost.hf.space") + "/integrations/social/x";
-        lines.push(`callbackUrl : ${callbackUrl}`);
-        lines.push("Calling generateAuthLink...");
-        const client = new TwitterApi({ appKey: apiKey, appSecret: apiSecret });
-        const result = await client.generateAuthLink(callbackUrl, { authAccessType: "write", linkMode: "authenticate", forceLogin: false });
-        lines.push("");
-        lines.push(`oauth_token        : ${result.oauth_token ? result.oauth_token.slice(0,20) + "... (len=" + result.oauth_token.length + ")" : "(EMPTY!)"}`);
-        lines.push(`oauth_token_secret : ${result.oauth_token_secret ? result.oauth_token_secret.slice(0,10) + "... (len=" + result.oauth_token_secret.length + ")" : "(EMPTY!)"}`);
-        lines.push(`url                : ${result.url ? result.url.slice(0,80) : "(EMPTY!)"}`);
-        lines.push("");
-        lines.push("codeVerifier = oauth_token + ':' + oauth_token_secret:");
-        const cv = result.oauth_token + ":" + result.oauth_token_secret;
-        lines.push(`  "${cv.slice(0,40)}..." (len=${cv.length})`);
-        if (!result.oauth_token_secret) {
-          lines.push("  ⚠ EMPTY SECRET — CF proxy or X returning malformed request_token response!");
-        } else {
-          lines.push("  ✓ secret present");
-        }
-      } catch (e) {
-        lines.push(`ERROR: ${e.message}`);
-        lines.push(e.stack || "");
-      }
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end(lines.join("\n"));
-    })();
-    return;
-  }
-  // ── /app/read-x-provider — Show x.provider.ts source from container ─────
-  if (pathname === "/app/read-x-provider") {
-    try {
-      const { execSync } = require("child_process");
-      const rc = (cmd) => { try { return execSync(cmd, { timeout: 10000 }).toString().trim(); } catch(e) { return "(err: " + e.message.slice(0,120) + ")"; } };
-      // Find all x.provider files
-      const found = rc("find /app -name 'x.provider.*' -o -name 'twitter.provider.*' 2>/dev/null | grep -v node_modules | grep -v .next");
-      const lines = ["=== X/Twitter Provider Files ===", found || "(none found)", ""];
-      // Also search for 'external:' usage in backend source
-      const externalUsage = rc("grep -r 'external:' /app/apps /app/libs --include='*.ts' --include='*.js' -n 2>/dev/null | grep -v node_modules | grep -v .next | grep -v dist | head -30");
-      lines.push("=== 'external:' Redis key usage in source ===", externalUsage || "(none)", "");
-      // Show content of x.provider file
-      const xProviderFile = rc("find /app -name 'x.provider.ts' -not -path '*/node_modules/*' -not -path '*/.next/*' 2>/dev/null | head -1");
-      if (xProviderFile && !xProviderFile.startsWith("(err")) {
-        lines.push(`=== Content of ${xProviderFile} ===`);
-        const content = rc(`cat "${xProviderFile}"`);
-        lines.push(content.slice(0, 8000));
-      }
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end(lines.join("\n"));
-    } catch(e) {
-      res.writeHead(500, { "Content-Type": "text/plain" });
-      res.end("Error: " + e.message);
-    }
-    return;
-  }
-  // ── /app/debug-logs — Temporary endpoint for debugging ───────────────────
-  if (pathname === "/app/debug-logs") {
-    try {
-      // tail helper — last N lines of a file
-      const tailLines = (path, n) => {
-        if (!fs.existsSync(path)) return `(no file: ${path})`;
-        const lines = fs.readFileSync(path, "utf8").split("\n");
-        return lines.slice(-n).join("\n");
-      };
-      const errLog = tailLines("/root/.pm2/logs/backend-error.log", 150);
-      const outLog = tailLines("/root/.pm2/logs/backend-out.log", 80);
-      // masked credential diagnostics — first 6 chars + length
-      const maskCred = (val) => {
-        if (!val) return "(not set)";
-        const clean = val.trim();
-        if (clean.length === 0) return "(empty)";
-        return `${clean.slice(0, 6)}... (len=${clean.length})`;
-      };
-      const xKey    = maskCred(process.env.X_API_KEY);
-      const xSecret = maskCred(process.env.X_API_SECRET);
-      const frontendUrl = process.env.FRONTEND_URL || "(not set)";
-      // Heuristic: X Consumer Key is ~25 alphanum, Consumer Secret ~50 alphanum.
-      // OAuth 2.0 Client ID is base64url and usually longer (36+).
-      const xKeyNote = (() => {
-        const v = (process.env.X_API_KEY || "").trim();
-        if (!v) return "MISSING";
-        if (v.length > 35) return "⚠ LOOKS LIKE OAuth2 CLIENT ID (too long) — should be ~25 chars";
-        if (v.includes("=") || v.includes(":")) return "⚠ LOOKS WRONG (contains = or :)";
-        return "✓ length ok";
-      })();
-      const xSecretNote = (() => {
-        const v = (process.env.X_API_SECRET || "").trim();
-        if (!v) return "MISSING";
-        if (v.length < 40) return "⚠ TOO SHORT — Consumer Secret is ~50 chars";
-        if (v.length > 70) return "⚠ TOO LONG — might be OAuth2 Client Secret or Access Token Secret";
-        if (v.includes("=")) return "⚠ CONTAINS = — might be base64 encoded (wrong key type)";
-        return "✓ length ok";
-      })();
-      const credSection = [
-        "=== X CREDENTIAL CHECK ===",
-        `X_API_KEY    : ${xKey}  [${xKeyNote}]`,
-        `X_API_SECRET : ${xSecret}  [${xSecretNote}]`,
-        `FRONTEND_URL : ${frontendUrl}`,
-        `Expected callback URL: ${frontendUrl}/integrations/social/x`,
-      ].join("\n");
-      const cfProxyLog = fs.existsSync("/tmp/huggingpost-cloudflare-proxy.env")
-        ? fs.readFileSync("/tmp/huggingpost-cloudflare-proxy.env", "utf8").replace(/(SECRET|TOKEN)=\S+/gi, "$1=(redacted)")
-        : "(file not found — proxy not deployed; CLOUDFLARE_WORKERS_TOKEN not set?)";
-      const cfProxySection = [
-        "=== CLOUDFLARE PROXY STATUS ===",
-        `CLOUDFLARE_WORKERS_TOKEN : ${process.env.CLOUDFLARE_WORKERS_TOKEN ? "✓ set (len=" + process.env.CLOUDFLARE_WORKERS_TOKEN.length + ")" : "✗ NOT SET — proxy never deployed, X traffic goes direct"}`,
-        `CLOUDFLARE_PROXY_URL     : ${process.env.CLOUDFLARE_PROXY_URL ? maskCred(process.env.CLOUDFLARE_PROXY_URL) : "✗ NOT SET — api.twitter.com calls NOT proxied"}`,
-        `CLOUDFLARE_PROXY_DEBUG   : ${process.env.CLOUDFLARE_PROXY_DEBUG || "(not set)"}`,
-        `NODE_OPTIONS             : ${process.env.NODE_OPTIONS || "(not set — cloudflare-proxy.js NOT loaded in backend!)"}`,
-        `/opt/cloudflare-proxy.js : ${fs.existsSync("/opt/cloudflare-proxy.js") ? "✓ exists" : "✗ MISSING"}`,
-        `/tmp/huggingpost-cloudflare-proxy.env contents:`,
-        cfProxyLog,
-        `cf-proxy-banner-shown    : ${fs.existsSync("/tmp/.cf-proxy-banner-shown") ? "✓ (proxy init ran at least once)" : "(not found)"}`,
-      ].join("\n");
-      const xCallbackLog = fs.existsSync("/tmp/x-oauth-callbacks.log")
-        ? fs.readFileSync("/tmp/x-oauth-callbacks.log", "utf8")
-        : "(no X callbacks recorded yet — try adding X channel now)";
-      // Redis check: look up login:* keys and verify codeVerifier structure.
-      // Root cause check: oauth_token_secret must be present after split on ':'.
-      let redisSection = "=== REDIS codeVerifier CHECK ===\n";
-      try {
-        const { execSync } = require("child_process");
-        const rc = (cmd) => { try { return execSync(cmd, { timeout: 5000 }).toString().trim(); } catch(e) { return "(err: " + e.message.slice(0,60) + ")"; } };
-        const keyspace = rc("redis-cli -h 127.0.0.1 -p 6379 info keyspace 2>/dev/null");
-        redisSection += `Redis keyspace:\n${keyspace || "(empty)"}\n\n`;
-        // Check DB 0 (default) and DB 1 for all keys
-        // Also inspect external:* keys — Postiz stores codeVerifier under external:{oauth_token}
-        const inspectKeys = (db, pattern) => {
-          const dbFlag = db === 0 ? "" : `-n ${db}`;
-          const keys = rc(`redis-cli -h 127.0.0.1 -p 6379 ${dbFlag} keys "${pattern}" 2>/dev/null`);
-          if (!keys || keys.startsWith("(")) return `  ${pattern}: (none)\n`;
-          let out = `  ${pattern} keys found:\n`;
-          for (const key of keys.split("\n").filter(Boolean).slice(0, 5)) {
-            const type = rc(`redis-cli -h 127.0.0.1 -p 6379 ${dbFlag} type "${key}"`);
-            const ttl  = rc(`redis-cli -h 127.0.0.1 -p 6379 ${dbFlag} ttl "${key}" 2>/dev/null`);
-            let val;
-            if (type === "hash") {
-              val = rc(`redis-cli -h 127.0.0.1 -p 6379 ${dbFlag} hgetall "${key}" 2>/dev/null`);
-            } else if (type === "string") {
-              val = rc(`redis-cli -h 127.0.0.1 -p 6379 ${dbFlag} get "${key}" 2>/dev/null`);
-            } else {
-              out += `    ${key} [type=${type} TTL=${ttl}]: (unhandled type)\n`; continue;
-            }
-            if (!val) { out += `    ${key} [type=${type} TTL=${ttl}]: VALUE IS EMPTY STRING\n`; continue; }
-            if (type === "hash") {
-              out += `    ${key} [type=hash TTL=${ttl}]:\n      ${val.replace(/\n/g, "\n      ").slice(0,300)}\n`;
-              continue;
-            }
-            const colonIdx = val.indexOf(":");
-            const token  = colonIdx > 0 ? val.slice(0, colonIdx) : "";
-            const secret = colonIdx > 0 ? val.slice(colonIdx + 1) : "";
-            const extraColons = (val.match(/:/g) || []).length - 1;
-            const note = colonIdx < 0 ? "⚠ NO COLON" : extraColons > 0 ? `⚠ ${extraColons} extra colon(s)` : secret.length < 30 ? "⚠ secret short" : "✓ ok";
-            out += `    ${key} [type=string TTL=${ttl}s]\n      token: ${token.slice(0,12)}... (len=${token.length})\n      secret: ${secret.slice(0,12)}... (len=${secret.length})\n      note: ${note}\n`;
-          }
-          return out;
-        };
-        for (const db of [0, 1, 2]) {
-          const dbFlag = db === 0 ? "" : `-n ${db}`;
-          const allKeys = rc(`redis-cli -h 127.0.0.1 -p 6379 ${dbFlag} keys "*" 2>/dev/null`);
-          redisSection += `DB ${db}: total keys preview: ${allKeys ? allKeys.split("\n").slice(0,8).join(", ") : "(none)"}\n`;
-          redisSection += inspectKeys(db, "login:*");
-          redisSection += inspectKeys(db, "external:*");
-          redisSection += "\n";
-        }
-      } catch (e) {
-        redisSection += `(redis-cli error: ${e.message})`;
-      }
-      // Grep Postiz source for Redis key patterns + x.provider content
-      let sourceSection = "=== POSTIZ SOURCE: Redis key patterns ===\n";
-      try {
-        const { execSync } = require("child_process");
-        const rc2 = (cmd) => { try { return execSync(cmd, { timeout: 10000 }).toString().trim(); } catch(e) { return "(err: " + e.message.slice(0,80) + ")"; } };
-        const grepRedis = rc2("grep -rn 'ioRedis.set\\|redis.set' /app/apps/backend/src /app/libs --include='*.ts' 2>/dev/null | grep -v node_modules | grep -E 'login:|external:|refresh:' | head -20");
-        sourceSection += `Redis set calls with login:/external: prefix:\n${grepRedis || "(none found)"}\n\n`;
-        // Find and show x.provider.ts generateAuthUrl
-        const xProvFile = rc2("find /app -name 'x.provider.ts' -not -path '*/node_modules/*' -not -path '*/.next/*' 2>/dev/null | head -1");
-        sourceSection += `x.provider.ts path: ${xProvFile || "(not found)"}\n`;
-        if (xProvFile && !xProvFile.startsWith("(err")) {
-          const xContent = rc2(`grep -n 'generateAuthUrl\\|codeVerifier\\|oauth_token\\|ioRedis\\|redis' "${xProvFile}" | head -40`);
-          sourceSection += `x.provider.ts relevant lines:\n${xContent || "(none)"}\n`;
-        }
-        // Also check integrations controller
-        const ctrlSearch = rc2("grep -rn 'external:\\|login:\\|codeVerifier\\|generateAuthUrl' /app/apps/backend/src --include='*.ts' 2>/dev/null | grep -v node_modules | head -30");
-        sourceSection += `\nIntegrations controller Redis/codeVerifier usage:\n${ctrlSearch || "(none)"}\n`;
-      } catch(e) {
-        sourceSection += `(error: ${e.message})`;
-      }
-      const out = [
-        credSection,
-        "",
-        cfProxySection,
-        "",
-        "=== X OAUTH CALLBACKS (from health-server) ===",
-        xCallbackLog,
-        "",
-        redisSection,
-        "",
-        sourceSection,
-        "",
-        "=== BACKEND ERROR LOG (last 150 lines) ===",
-        errLog,
-        "",
-        "=== BACKEND OUT LOG (last 80 lines) ===",
-        outLog,
-      ].join("\n");
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end(out);
-    } catch (e) {
-      res.writeHead(500, { "Content-Type": "text/plain" });
-      res.end("Error reading logs: " + e.message);
-    }
-    return;
-  }
   // ── Dashboard at exact / ─────────────────────────────────────────────────
   if (pathname === "/" || pathname === "") {
@@ -2472,43 +2164,6 @@ const server = http.createServer((req, res) => {
   // the /app basePath prefix (e.g. /launches, /analytics, /api/...).
   // Redirect those here rather than 404-ing so the browser lands correctly.
-  // Log OAuth callbacks for debugging.
-  if (pathname === "/integrations/social/x") {
-    const oauthToken    = parsedUrl.searchParams.get("oauth_token")    || "(missing)";
-    const oauthVerifier = parsedUrl.searchParams.get("oauth_verifier") || "(MISSING!)";
-    const denied        = parsedUrl.searchParams.get("denied");
-    const ts = new Date().toISOString();
-    const msg = denied
-      ? `[${ts}] X OAuth DENIED — denied=${denied}`
-      : `[${ts}] X OAuth callback — oauth_token=${oauthToken.slice(0,20)}... oauth_verifier=${oauthVerifier === "(MISSING!)" ? "(MISSING! — X did not send verifier)" : oauthVerifier.slice(0,10) + "... (present ✓)"}`;
-    console.log(msg);
-    // Append to a file the debug-logs endpoint can read.
-    try {
-      fs.appendFileSync("/tmp/x-oauth-callbacks.log", msg + "\n");
-    } catch(_) {}
-    // Snapshot Redis 100ms, 500ms, 1500ms after callback to catch login: key before it's deleted
-    if (!denied && oauthToken !== "(missing)") {
-      const snapshots = [];
-      const doSnap = (delay) => setTimeout(() => {
-        try {
-          const { execSync } = require("child_process");
-          const rc = (cmd) => { try { return execSync(cmd, { timeout: 3000 }).toString().trim(); } catch(e) { return "(err)"; } };
-          const loginVal  = rc(`redis-cli -h 127.0.0.1 -p 6379 get "login:${oauthToken}" 2>/dev/null`);
-          const extVal    = rc(`redis-cli -h 127.0.0.1 -p 6379 get "external:${oauthToken}" 2>/dev/null`);
-          const loginTtl  = rc(`redis-cli -h 127.0.0.1 -p 6379 ttl "login:${oauthToken}" 2>/dev/null`);
-          const extTtl    = rc(`redis-cli -h 127.0.0.1 -p 6379 ttl "external:${oauthToken}" 2>/dev/null`);
-          const snap = `  [+${delay}ms] login:TOKEN=${loginVal ? loginVal.slice(0,40) + "...(len=" + loginVal.length + ")" : "(empty/missing)"} ttl=${loginTtl} | external:TOKEN=${extVal ? extVal.slice(0,40) + "...(len=" + extVal.length + ")" : "(empty/missing)"} ttl=${extTtl}`;
-          snapshots.push(snap);
-          fs.appendFileSync("/tmp/x-oauth-callbacks.log", snap + "\n");
-        } catch(_) {}
-      }, delay);
-      doSnap(100);
-      doSnap(500);
-      doSnap(1500);
-    }
-  }
   res.writeHead(302, {
     Location: "/app" + pathname + (parsedUrl.search || ""),
   });

     return;
   }
   // ── Dashboard at exact / ─────────────────────────────────────────────────
   if (pathname === "/" || pathname === "") {
   // the /app basePath prefix (e.g. /launches, /analytics, /api/...).
   // Redirect those here rather than 404-ing so the browser lands correctly.
   res.writeHead(302, {
     Location: "/app" + pathname + (parsedUrl.search || ""),
   });