This commit is contained in:
2026-04-20 18:05:36 +00:00
parent d73422555d
commit 33b1f276c6
26 changed files with 598 additions and 183 deletions


@@ -10,7 +10,7 @@ const { getBot } = require('../api/bosscordClient');
const { getGmailClient, sendGmailReply } = require('../services/gmail');
const { updateTicketActivity } = require('../services/tickets');
const { enqueueSend } = require('../services/channelQueue');
const { extractRawEmail } = require('../utils');
const { extractRawEmail, safeEqual } = require('../utils');
const { CONFIG } = require('../config');
const router = express.Router();
@@ -43,8 +43,9 @@ function authMiddleware(req, res, next) {
}
const auth = req.headers.authorization;
const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
if (token !== key) {
return res.status(401).json({ error: 'Unauthorized' });
// Identical response body for missing vs invalid token — don't tell a probe which state it's in.
if (!safeEqual(token, key)) {
return res.status(401).json({ error: 'unauthorized' });
}
next();
}
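Review bot: `safeEqual(token, key)` at the new line 24 is called with `null` whenever the Authorization header is absent or does not start with `Bearer `, because the line above resolves `token` to `null` in that case; unless `safeEqual` in `../utils` guards non-string input (its body is not visible here), a `crypto.timingSafeEqual`/`Buffer.from`-based comparison will throw on `null` and turn a missing header into a 500 instead of the intended 401. Guarding the type before the constant-time compare keeps the rejection explicit without leaking which case it was: `if (typeof token !== 'string' || !safeEqual(token, key)) {`. The response body also changes from `'Unauthorized'` to `'unauthorized'` in this hunk; any client matching on that string will break, so it is worth mentioning in the commit message. The signature of `authMiddleware` and the lookup that produces `key` are outside the hunk.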
@@ -189,7 +190,9 @@ router.post('/tickets/:id/messages', express.json(), async (req, res) => {
return res.status(404).json({ error: 'Discord channel not found' });
}
const discordUser = req.body.displayName || 'bOSScord';
await enqueueSend(channel, content);
// Content originates from the bOSScord web UI (staff-gated) but still crosses an HTTP boundary —
// allow explicit user/role mentions a staff member typed, block @everyone/@here.
await enqueueSend(channel, { content, allowedMentions: { parse: ['users', 'roles'] } });
if (!ticket.gmailThreadId.startsWith('discord-')) {
try {