feat(debug): harden debug routes with auth and user-scoped token access
Add GET /debug/device/:token and POST /debug/send-wakeup behind requireAuth, scope lookups to the authenticated user (404 otherwise), and mask FCM tokens in logs via maskToken. Mark routes for further restriction before production.
@@ -1,4 +1,5 @@
|
||||
import { db, type StoredRow } from "../db/fcmTokens.js";
|
||||
import { maskToken } from "../util/maskToken.js";
|
||||
import { messaging } from "./firebase.js";
|
||||
|
||||
const MS_PRODUCTION = 23 * 60 * 60 * 1000;
|
||||
@@ -15,12 +16,6 @@ function lastNotifiedMs(row: StoredRow | undefined): number | undefined {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
/** Short token fingerprint for logs (not the full FCM token). */
|
||||
function tokenHint(token: string): string {
|
||||
if (token.length <= 16) return token;
|
||||
return `${token.slice(0, 8)}…${token.slice(-4)}`;
|
||||
}
|
||||
|
||||
function stringifyData(
|
||||
payload: Record<string, unknown>
|
||||
): Record<string, string> {
|
||||
@@ -59,7 +54,7 @@ export async function sendPushToDevice(
|
||||
type: "WAKEUP_PING",
|
||||
};
|
||||
|
||||
const token = tokenHint(fcmToken);
|
||||
const token = maskToken(fcmToken);
|
||||
console.log("[Push] Sending to:", token);
|
||||
|
||||
await messaging.send({
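Review bot: The local `token` on the added line now holds the masked value returned by `maskToken`, so its name misstates what is logged; `const maskedToken = maskToken(fcmToken);` and `console.log("[Push] Sending to:", maskedToken);` would keep the log line from being read later as a full-token log. The removed `tokenHint` returned tokens of 16 characters or fewer unmasked; whether `maskToken` (imported from `../util/maskToken.js`, not shown here) has the same short-input behaviour cannot be seen in this hunk, and if it does, short tokens still reach the log in full. sendPushToDevice's body starts before this hunk and continues past it.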
|
||||
|
||||