feat(debug): harden debug routes with auth and user-scoped token access

Add GET /debug/device/:token and POST /debug/send-wakeup behind requireAuth,
scope lookups to the authenticated user (404 otherwise), and mask FCM tokens
in logs via maskToken. Mark routes for further restriction before production.
Jose Olarte III
2026-05-19 19:42:22 +08:00
parent 8e502a2335
commit afbc2e9a57
5 changed files with 112 additions and 7 deletions


@@ -1,4 +1,5 @@
import { db, type StoredRow } from "../db/fcmTokens.js";
import { maskToken } from "../util/maskToken.js";
import { messaging } from "./firebase.js";
const MS_PRODUCTION = 23 * 60 * 60 * 1000;
@@ -15,12 +16,6 @@ function lastNotifiedMs(row: StoredRow | undefined): number | undefined {
return undefined;
}
/** Short token fingerprint for logs (not the full FCM token). */
function tokenHint(token: string): string {
if (token.length <= 16) return token;
return `${token.slice(0, 8)}${token.slice(-4)}`;
}
function stringifyData(
payload: Record<string, unknown>
): Record<string, string> {
@@ -59,7 +54,7 @@ export async function sendPushToDevice(
type: "WAKEUP_PING",
};
const token = tokenHint(fcmToken);
const token = maskToken(fcmToken);
console.log("[Push] Sending to:", token);
await messaging.send({
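Review bot: In sendPushToDevice the local holding the masked value is still named `token`, right beside the real `fcmToken`, so a later log line can easily pick up the wrong one. Naming it `const maskedToken = maskToken(fcmToken);` and logging `maskedToken` would make the difference visible at every use. maskToken is defined in ../util/maskToken.js and is not shown in this section. The removed tokenHint returned tokens of 16 characters or fewer unchanged, so it is worth confirming the shared helper does not keep that branch, and covering short input with a unit test. The function body continues past the end of this hunk, so any other log statements that mention the token cannot be checked from here.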