v3: added index default tab selection setting, fixed notification pages not loading, reduced invite token length, global player state survives page reloads, many visual fixes
All checks were successful
Build and Publish Docker Image / build-and-push (push) Successful in 44s

This commit is contained in:
khannurien
2026-06-27 19:44:35 +00:00
parent 88f1eb3d03
commit c29f45fbc8
25 changed files with 733 additions and 278 deletions

View File

@@ -1,9 +1,15 @@
import { randomBytes } from "node:crypto";
import { APIErrorCode, APIException } from "../model/interfaces.ts";
import { db, isInviteRow } from "../model/db.ts";
import { createInviteToken, verifyInviteToken } from "../lib/jwt.ts";
import { UNUSED_INVITES_RETENTION_DAYS } from "../config.ts";
export async function createInvite(inviterId: string): Promise<string> {
const token = await createInviteToken(inviterId);
/** Short, opaque, URL-safe invite token (128 bits of entropy → 22 chars). */
function generateInviteToken(): string {
return randomBytes(16).toString("base64url");
}
export function createInvite(inviterId: string): string {
const token = generateInviteToken();
db.prepare(
`INSERT INTO invites (token, inviter_id, created_at) VALUES (?, ?, ?);`,
).run(token, inviterId, new Date().toISOString());
@@ -11,25 +17,25 @@ export async function createInvite(inviterId: string): Promise<string> {
}
/**
* Verifies the JWT signature + expiry and checks the token exists and has not
* been used. Returns the inviterId on success; throws APIException otherwise.
* Looks the token up, checks it has not been used and has not expired (same
* 7-day window as the startup cleanup). Returns the inviterId on success;
* throws APIException otherwise.
*
* Tokens are opaque random strings stored as the row's primary key. Invites
* created before this scheme (full JWTs) are still stored verbatim in the
* token column, so they continue to validate by direct lookup.
*/
export async function validateInvite(token: string): Promise<string> {
const payload = await verifyInviteToken(token);
if (!payload) {
throw new APIException(
APIErrorCode.NOT_FOUND,
404,
"Invalid or expired invite",
);
}
export function validateInvite(token: string): string {
const row = db.prepare(
`SELECT token, inviter_id, used_at, created_at FROM invites WHERE token = ?;`,
).get(token);
if (!row || !isInviteRow(row)) {
throw new APIException(APIErrorCode.NOT_FOUND, 404, "Invite not found");
throw new APIException(
APIErrorCode.NOT_FOUND,
404,
"Invalid or expired invite",
);
}
if (row.used_at !== null) {
@@ -40,7 +46,17 @@ export async function validateInvite(token: string): Promise<string> {
);
}
return payload.inviterId;
const expiresAt = new Date(row.created_at).getTime() +
UNUSED_INVITES_RETENTION_DAYS * 24 * 60 * 60 * 1000;
if (Date.now() > expiresAt) {
throw new APIException(
APIErrorCode.NOT_FOUND,
404,
"Invalid or expired invite",
);
}
return row.inviter_id;
}
/**