Kwaku Danso
dbddf17e3b
When a guest submitted via their invitation and then forwarded the link
(or someone copied the URL), the recipient was shown the original guest's
response and a "Change my response" button. Two real problems:
- Privacy leak: the original guest's reply was visible
- Integrity: the recipient could silently overwrite the response
The fix is two layered defences plus a recovery path, matching the
industry pattern used by Eventbrite / Partiful / Lu.ma:
Backend
- GET /access/{token} now compares the device fingerprint of the
current request to the fingerprint stored on the existing RSVP.
When they don't match, the rsvp field is omitted from the
response and a new rsvp_submitted_elsewhere flag is set instead.
The original guest's reply stays private.
- PATCH /rsvp/{token} runs the same gate before scoring. A foreign
device gets 403 with a hint to request an edit link.
- The fingerprint check is intentionally narrow (user_agent only),
so a guest jumping between Wi-Fi and mobile data on the same
phone still sails through.
Recovery path
- New POST /access/{token}/request-edit-link mints a short-lived
edit nonce (Redis, 30-min TTL, SHA-256-hashed), then emails it
to the guest's address on file via the existing EmailSender.
Rate-limited to 3 per token per hour.
- GET /access/{token}?edit=<nonce> and PATCH /rsvp with edit_nonce
in the body both accept the nonce as a bypass for the
same-device check. Lets the real guest edit from a new phone
when their original device is gone.
- New SendRSVPEditLink method on auth.EmailSender, implemented by
every concrete sender (log stub / Resend / SMTP / SES), with a
branded HTML+text template that explains the "we sent this
because we didn't recognise the device" framing.
Frontend
- rsvp/[token].vue learns the new "responded elsewhere" state.
Renders "This invitation has already been used" + a
"Send me an edit link" CTA when the access response says we
have somewhere to deliver it. Empty-state copy reads "If you
forwarded the link, please ask the original guest to reach
out to the host".
- When the URL carries ?edit=<nonce>, the page passes it on the
/access call (so the backend unhides the RSVP), opens the edit
form pre-populated, and forwards the nonce on PATCH.
- Removed two leftover leaks from earlier — the page no longer
shows internal "Risk score N · band" to confirmed or blocked
guests; the blocked-attempt copy now reads "Something about
this attempt looked off" rather than "suspicious access
attempt".
Defensive nil-guard
- The access handler's NATS publish goroutine now skips when
deps.AccessPublisher is nil (matches the rsvp publisher's
existing guard); without it the handler nil-panicked in tests
that don't wire NATS.
Tests
- TestFingerprintsSimilar (unit) covers the same-UA / different-UA
/ missing-UA matrix.
- TestForwardedInvitationLinkDefence (integration) walks the full
flow: submit from UA-A, hide on UA-B, request link, follow nonce
from UA-B and edit, then verify a UA-C with a forged nonce is
still refused.
- Full integration suite passes (183.5s).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
112 lines
3.6 KiB
Go
112 lines
3.6 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"errors"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/redis/go-redis/v9"
|
|
)
|
|
|
|
// RSVP-edit nonce store. When a guest revisits their invitation from a
|
|
// device that doesn't match the one they originally responded from, we
|
|
// hide their RSVP details from the access response so a forwarded link
|
|
// can't leak (or alter) their reply. They can request a one-time edit
|
|
// link sent to their email/SMS; that link carries a short-lived nonce
|
|
// stored here.
|
|
//
|
|
// We store sha256(raw) so a database snapshot of Redis doesn't give an
|
|
// attacker working nonces; the raw value only ever lives in the email
|
|
// link the guest receives.
|
|
|
|
const (
|
|
editNonceTTL = 30 * time.Minute
|
|
editNonceKeyPrefix = "gg:rsvp_edit:"
|
|
)
|
|
|
|
type editNonceStore struct {
|
|
rdb *redis.Client
|
|
}
|
|
|
|
// newEditNonceStore returns nil when Redis isn't configured — the calling
|
|
// handler treats nil as "edit-link flow disabled" and falls back to the
|
|
// strict same-device rule.
|
|
func newEditNonceStore(rdb *redis.Client) *editNonceStore {
|
|
if rdb == nil {
|
|
return nil
|
|
}
|
|
return &editNonceStore{rdb: rdb}
|
|
}
|
|
|
|
// Mint creates a fresh nonce bound to guestID, stores its hash with a
|
|
// 30-minute TTL, and returns the raw value for embedding in the email
|
|
// link. Hex-encoded so it survives URL transit without further escaping.
|
|
func (s *editNonceStore) Mint(ctx context.Context, guestID uuid.UUID) (raw string, err error) {
|
|
if s == nil {
|
|
return "", errors.New("edit nonce store not configured")
|
|
}
|
|
buf := make([]byte, 24)
|
|
if _, err := rand.Read(buf); err != nil {
|
|
return "", err
|
|
}
|
|
raw = hex.EncodeToString(buf)
|
|
sum := sha256.Sum256([]byte(raw))
|
|
key := editNonceKeyPrefix + hex.EncodeToString(sum[:])
|
|
if err := s.rdb.Set(ctx, key, guestID.String(), editNonceTTL).Err(); err != nil {
|
|
return "", err
|
|
}
|
|
return raw, nil
|
|
}
|
|
|
|
// Verify reports whether raw is a still-valid nonce for guestID.
|
|
// Doesn't consume the nonce; expiry happens naturally via TTL so the
|
|
// guest can refresh the edit page or briefly close + reopen the link
|
|
// during the half-hour window without losing their session.
|
|
func (s *editNonceStore) Verify(ctx context.Context, raw string, guestID uuid.UUID) (bool, error) {
|
|
if s == nil || raw == "" {
|
|
return false, nil
|
|
}
|
|
sum := sha256.Sum256([]byte(raw))
|
|
key := editNonceKeyPrefix + hex.EncodeToString(sum[:])
|
|
val, err := s.rdb.Get(ctx, key).Result()
|
|
if err != nil {
|
|
if errors.Is(err, redis.Nil) {
|
|
return false, nil
|
|
}
|
|
return false, err
|
|
}
|
|
return val == guestID.String(), nil
|
|
}
|
|
|
|
// fingerprintsSimilar reports whether two device fingerprints look like
|
|
// the same browser. The check is intentionally narrow: just `user_agent`,
|
|
// because it's the strongest signal of "same browser" and the one least
|
|
// affected by normal day-to-day variation (changing networks, switching
|
|
// rooms, etc).
|
|
//
|
|
// Conservative-by-default: when either side lacks a user_agent string we
|
|
// return false, which causes the access handler to hide the RSVP. The
|
|
// legitimate guest in that edge case can still recover via the
|
|
// request-edit-link flow.
|
|
//
|
|
// Two fingerprints with the same user_agent but different IPs are
|
|
// considered the same device. This is on purpose: a guest jumping
|
|
// between Wi-Fi and mobile data is the same person on the same phone.
|
|
// The Gate's full scoring (run on submit/edit, not on access) catches
|
|
// the more sophisticated mismatches.
|
|
func fingerprintsSimilar(stored, current map[string]any) bool {
|
|
if stored == nil || current == nil {
|
|
return false
|
|
}
|
|
s, _ := stored["user_agent"].(string)
|
|
c, _ := current["user_agent"].(string)
|
|
if s == "" || c == "" {
|
|
return false
|
|
}
|
|
return s == c
|
|
}
|