Kwaku Danso
dbddf17e3b
When a guest submitted via their invitation and then forwarded the link
(or someone copied the URL), the recipient was shown the original guest's
response and a "Change my response" button. Two real problems:
- Privacy leak: the original guest's reply was visible
- Integrity: the recipient could silently overwrite the response
The fix is two layered defences plus a recovery path, matching the
industry pattern used by Eventbrite / Partiful / Lu.ma:
Backend
- GET /access/{token} now compares the device fingerprint of the
current request to the fingerprint stored on the existing RSVP.
When they don't match, the rsvp field is omitted from the
response and a new rsvp_submitted_elsewhere flag is set instead.
The original guest's reply stays private.
- PATCH /rsvp/{token} runs the same gate before scoring. A foreign
device gets 403 with a hint to request an edit link.
- The fingerprint check is intentionally narrow (user_agent only),
so a guest jumping between Wi-Fi and mobile data on the same
phone still sails through.
Recovery path
- New POST /access/{token}/request-edit-link mints a short-lived
edit nonce (Redis, 30-min TTL, SHA-256-hashed), then emails it
to the guest's address on file via the existing EmailSender.
Rate-limited to 3 per token per hour.
- GET /access/{token}?edit=<nonce> and PATCH /rsvp with edit_nonce
in the body both accept the nonce as a bypass for the
same-device check. Lets the real guest edit from a new phone
when their original device is gone.
- New SendRSVPEditLink method on auth.EmailSender, implemented by
every concrete sender (log stub / Resend / SMTP / SES), with a
branded HTML+text template that explains the "we sent this
because we didn't recognise the device" framing.
Frontend
- rsvp/[token].vue learns the new "responded elsewhere" state.
Renders "This invitation has already been used" + a
"Send me an edit link" CTA when the access response says we
have somewhere to deliver it. Empty-state copy reads "If you
forwarded the link, please ask the original guest to reach
out to the host".
- When the URL carries ?edit=<nonce>, the page passes it on the
/access call (so the backend unhides the RSVP), opens the edit
form pre-populated, and forwards the nonce on PATCH.
- Removed two leftover leaks from earlier — the page no longer
shows internal "Risk score N · band" to confirmed or blocked
guests; the blocked-attempt copy now reads "Something about
this attempt looked off" rather than "suspicious access
attempt".
Defensive nil-guard
- The access handler's NATS publish goroutine now skips when
deps.AccessPublisher is nil (matches the rsvp publisher's
existing guard); without it the handler nil-panicked in tests
that don't wire NATS.
Tests
- TestFingerprintsSimilar (unit) covers the same-UA / different-UA
/ missing-UA matrix.
- TestForwardedInvitationLinkDefence (integration) walks the full
flow: submit from UA-A, hide on UA-B, request link, follow nonce
from UA-B and edit, then verify a UA-C with a forged nonce is
still refused.
- Full integration suite passes (183.5s).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
162 lines
5.1 KiB
Go
162 lines
5.1 KiB
Go
package notification
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/aws"
|
|
awsconfig "github.com/aws/aws-sdk-go-v2/config"
|
|
"github.com/aws/aws-sdk-go-v2/service/sesv2"
|
|
"github.com/aws/aws-sdk-go-v2/service/sesv2/types"
|
|
)
|
|
|
|
// SESConfig is the surface area for picking an SES sender. ConfigurationSet
|
|
// is optional but recommended in production — it's where bounce + complaint
|
|
// SNS topics get wired so the webhook handler has something to consume.
|
|
type SESConfig struct {
|
|
Region string
|
|
FromEmail string
|
|
FromName string
|
|
ConfigurationSet string
|
|
PublicBaseURL string // for unsubscribe links in templates
|
|
}
|
|
|
|
// SESEmailSender sends transactional emails (verification + reset for the
|
|
// auth flows, plus invitation/confirmation/reminder for guests) via Amazon
|
|
// SESv2. The same client serves both audiences so callers don't end up
|
|
// with two SES configurations to maintain.
|
|
type SESEmailSender struct {
|
|
client *sesv2.Client
|
|
tpls *Templates
|
|
from string
|
|
configSet *string
|
|
baseURL string
|
|
}
|
|
|
|
// NewSESEmailSender returns a configured SES sender, or an error if the
|
|
// AWS SDK can't bootstrap. The caller typically constructs this once at
|
|
// startup and reuses it for the lifetime of the process.
|
|
func NewSESEmailSender(ctx context.Context, cfg SESConfig, tpls *Templates) (*SESEmailSender, error) {
|
|
if cfg.FromEmail == "" {
|
|
return nil, fmt.Errorf("ses: FromEmail required")
|
|
}
|
|
if cfg.Region == "" {
|
|
cfg.Region = "us-east-1"
|
|
}
|
|
|
|
awsCfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(cfg.Region))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("ses: load aws config: %w", err)
|
|
}
|
|
client := sesv2.NewFromConfig(awsCfg)
|
|
|
|
from := cfg.FromEmail
|
|
if cfg.FromName != "" {
|
|
from = fmt.Sprintf("%s <%s>", cfg.FromName, cfg.FromEmail)
|
|
}
|
|
var cs *string
|
|
if cfg.ConfigurationSet != "" {
|
|
cs = aws.String(cfg.ConfigurationSet)
|
|
}
|
|
|
|
return &SESEmailSender{
|
|
client: client,
|
|
tpls: tpls,
|
|
from: from,
|
|
configSet: cs,
|
|
baseURL: strings.TrimRight(cfg.PublicBaseURL, "/"),
|
|
}, nil
|
|
}
|
|
|
|
// --- auth.EmailSender implementation ---
|
|
|
|
// SendVerification renders the verification template and posts it to SES.
|
|
func (s *SESEmailSender) SendVerification(ctx context.Context, to, name, link string) error {
|
|
return s.sendTemplated(ctx, to, "Verify your GuestGuard email",
|
|
TmplVerification, map[string]any{
|
|
"Name": name,
|
|
"Link": link,
|
|
})
|
|
}
|
|
|
|
// SendPasswordReset renders the reset template and posts it to SES.
|
|
func (s *SESEmailSender) SendPasswordReset(ctx context.Context, to, name, link string) error {
|
|
return s.sendTemplated(ctx, to, "Reset your GuestGuard password",
|
|
TmplPasswordReset, map[string]any{
|
|
"Name": name,
|
|
"Link": link,
|
|
"ExpiryHumane": "1 hour",
|
|
})
|
|
}
|
|
|
|
// SendCollaboratorInvite renders the team-invite template and posts it to SES.
|
|
func (s *SESEmailSender) SendCollaboratorInvite(ctx context.Context, to, inviterName, eventName, role, link string) error {
|
|
return s.sendTemplated(ctx, to,
|
|
inviterName+" invited you to "+eventName,
|
|
TmplCollaboratorInvite, map[string]any{
|
|
"InviterName": inviterName,
|
|
"EventName": eventName,
|
|
"Role": role,
|
|
"Link": link,
|
|
})
|
|
}
|
|
|
|
// SendRSVPEditLink delivers a one-time edit link to a guest who opened
|
|
// their invitation from a device the Gate didn't recognise.
|
|
func (s *SESEmailSender) SendRSVPEditLink(ctx context.Context, to, guestName, eventName, link string) error {
|
|
return s.sendTemplated(ctx, to,
|
|
"Edit your RSVP for "+eventName,
|
|
TmplRSVPEditLink, map[string]any{
|
|
"GuestName": guestName,
|
|
"EventName": eventName,
|
|
"Link": link,
|
|
})
|
|
}
|
|
|
|
// SendGuest is used by the notifier worker for invitation / confirmation /
|
|
// reminder emails — anything addressed at a guest.
|
|
func (s *SESEmailSender) SendGuest(ctx context.Context, to, subject string, name TemplateName, data map[string]any) (providerMessageID string, err error) {
|
|
return s.sendTemplatedReturnID(ctx, to, subject, name, data)
|
|
}
|
|
|
|
// --- internals ---
|
|
|
|
func (s *SESEmailSender) sendTemplated(ctx context.Context, to, subject string, name TemplateName, data map[string]any) error {
|
|
_, err := s.sendTemplatedReturnID(ctx, to, subject, name, data)
|
|
return err
|
|
}
|
|
|
|
func (s *SESEmailSender) sendTemplatedReturnID(ctx context.Context, to, subject string, name TemplateName, data map[string]any) (string, error) {
|
|
if data == nil {
|
|
data = map[string]any{}
|
|
}
|
|
data["Subject"] = subject
|
|
html, text, err := s.tpls.Render(name, data)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
out, err := s.client.SendEmail(ctx, &sesv2.SendEmailInput{
|
|
FromEmailAddress: aws.String(s.from),
|
|
Destination: &types.Destination{ToAddresses: []string{to}},
|
|
ConfigurationSetName: s.configSet,
|
|
Content: &types.EmailContent{
|
|
Simple: &types.Message{
|
|
Subject: &types.Content{Data: aws.String(subject), Charset: aws.String("UTF-8")},
|
|
Body: &types.Body{
|
|
Html: &types.Content{Data: aws.String(html), Charset: aws.String("UTF-8")},
|
|
Text: &types.Content{Data: aws.String(text), Charset: aws.String("UTF-8")},
|
|
},
|
|
},
|
|
},
|
|
})
|
|
if err != nil {
|
|
return "", fmt.Errorf("ses: send: %w", err)
|
|
}
|
|
if out.MessageId == nil {
|
|
return "", nil
|
|
}
|
|
return *out.MessageId, nil
|
|
}
|