Kwaku Danso
dbddf17e3b
When a guest submitted via their invitation and then forwarded the link
(or someone copied the URL), the recipient was shown the original guest's
response and a "Change my response" button. Two real problems:
- Privacy leak: the original guest's reply was visible
- Integrity: the recipient could silently overwrite the response
The fix is two layered defences plus a recovery path, matching the
industry pattern used by Eventbrite / Partiful / Lu.ma:
Backend
- GET /access/{token} now compares the device fingerprint of the
current request to the fingerprint stored on the existing RSVP.
When they don't match, the rsvp field is omitted from the
response and a new rsvp_submitted_elsewhere flag is set instead.
The original guest's reply stays private.
- PATCH /rsvp/{token} runs the same gate before scoring. A foreign
device gets 403 with a hint to request an edit link.
- The fingerprint check is intentionally narrow (user_agent only),
so a guest jumping between Wi-Fi and mobile data on the same
phone still sails through.
Recovery path
- New POST /access/{token}/request-edit-link mints a short-lived
edit nonce (Redis, 30-min TTL, SHA-256-hashed), then emails it
to the guest's address on file via the existing EmailSender.
Rate-limited to 3 per token per hour.
- GET /access/{token}?edit=<nonce> and PATCH /rsvp with edit_nonce
in the body both accept the nonce as a bypass for the
same-device check. Lets the real guest edit from a new phone
when their original device is gone.
- New SendRSVPEditLink method on auth.EmailSender, implemented by
every concrete sender (log stub / Resend / SMTP / SES), with a
branded HTML+text template that explains the "we sent this
because we didn't recognise the device" framing.
Frontend
- rsvp/[token].vue learns the new "responded elsewhere" state.
Renders "This invitation has already been used" + a
"Send me an edit link" CTA when the access response says we
have somewhere to deliver it. Empty-state copy reads "If you
forwarded the link, please ask the original guest to reach
out to the host".
- When the URL carries ?edit=<nonce>, the page passes it on the
/access call (so the backend unhides the RSVP), opens the edit
form pre-populated, and forwards the nonce on PATCH.
- Removed two leftover leaks from earlier — the page no longer
shows internal "Risk score N · band" to confirmed or blocked
guests; the blocked-attempt copy now reads "Something about
this attempt looked off" rather than "suspicious access
attempt".
Defensive nil-guard
- The access handler's NATS publish goroutine now skips when
deps.AccessPublisher is nil (matches the rsvp publisher's
existing guard); without it the handler nil-panicked in tests
that don't wire NATS.
Tests
- TestFingerprintsSimilar (unit) covers the same-UA / different-UA
/ missing-UA matrix.
- TestForwardedInvitationLinkDefence (integration) walks the full
flow: submit from UA-A, hide on UA-B, request link, follow nonce
from UA-B and edit, then verify a UA-C with a forged nonce is
still refused.
- Full integration suite passes (183.5s).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
260 lines
7.1 KiB
Go
260 lines
7.1 KiB
Go
package notification
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/smtp"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
// SMTPConfig describes one SMTP relay. Username/Password are optional —
|
|
// local relays like Mailpit accept anonymous SMTP. TLS modes:
|
|
//
|
|
// - "starttls" upgrade after EHLO (most relays, default)
|
|
// - "implicit" TLS handshake before SMTP (port 465)
|
|
// - "none" plain socket — only acceptable on a trusted LAN
|
|
type SMTPConfig struct {
|
|
Host string
|
|
Port int
|
|
Username string
|
|
Password string
|
|
FromEmail string
|
|
FromName string
|
|
TLS string
|
|
}
|
|
|
|
// SMTPEmailSender implements auth.EmailSender (verification/reset) AND
|
|
// GuestEmailDispatcher (invitation/confirmation/reminder) on top of any
|
|
// SMTP relay. Used for Mailpit in dev; works against Gmail, Fastmail, etc.
|
|
// in production if the user prefers plain SMTP over an HTTP API.
|
|
type SMTPEmailSender struct {
|
|
cfg SMTPConfig
|
|
tpls *Templates
|
|
from string
|
|
}
|
|
|
|
func NewSMTPEmailSender(cfg SMTPConfig, tpls *Templates) (*SMTPEmailSender, error) {
|
|
if cfg.Host == "" {
|
|
return nil, errors.New("smtp: Host required")
|
|
}
|
|
if cfg.Port <= 0 {
|
|
cfg.Port = 587
|
|
}
|
|
if cfg.FromEmail == "" {
|
|
return nil, errors.New("smtp: FromEmail required")
|
|
}
|
|
if cfg.TLS == "" {
|
|
cfg.TLS = "starttls"
|
|
}
|
|
from := cfg.FromEmail
|
|
if cfg.FromName != "" {
|
|
from = fmt.Sprintf("%s <%s>", cfg.FromName, cfg.FromEmail)
|
|
}
|
|
return &SMTPEmailSender{cfg: cfg, tpls: tpls, from: from}, nil
|
|
}
|
|
|
|
// --- auth.EmailSender ---
|
|
|
|
func (s *SMTPEmailSender) SendVerification(ctx context.Context, to, name, link string) error {
|
|
return s.sendTemplated(ctx, to, "Verify your GuestGuard email",
|
|
TmplVerification, map[string]any{"Name": name, "Link": link})
|
|
}
|
|
|
|
func (s *SMTPEmailSender) SendPasswordReset(ctx context.Context, to, name, link string) error {
|
|
return s.sendTemplated(ctx, to, "Reset your GuestGuard password",
|
|
TmplPasswordReset, map[string]any{"Name": name, "Link": link, "ExpiryHumane": "1 hour"})
|
|
}
|
|
|
|
func (s *SMTPEmailSender) SendCollaboratorInvite(ctx context.Context, to, inviterName, eventName, role, link string) error {
|
|
return s.sendTemplated(ctx, to,
|
|
inviterName+" invited you to "+eventName,
|
|
TmplCollaboratorInvite, map[string]any{
|
|
"InviterName": inviterName,
|
|
"EventName": eventName,
|
|
"Role": role,
|
|
"Link": link,
|
|
})
|
|
}
|
|
|
|
func (s *SMTPEmailSender) SendRSVPEditLink(ctx context.Context, to, guestName, eventName, link string) error {
|
|
return s.sendTemplated(ctx, to,
|
|
"Edit your RSVP for "+eventName,
|
|
TmplRSVPEditLink, map[string]any{
|
|
"GuestName": guestName,
|
|
"EventName": eventName,
|
|
"Link": link,
|
|
})
|
|
}
|
|
|
|
// --- GuestEmailDispatcher ---
|
|
|
|
func (s *SMTPEmailSender) SendGuest(ctx context.Context, to, subject string, name TemplateName, data map[string]any) (string, error) {
|
|
return s.sendTemplatedReturnID(ctx, to, subject, name, data)
|
|
}
|
|
|
|
// --- internals ---
|
|
|
|
func (s *SMTPEmailSender) sendTemplated(ctx context.Context, to, subject string, name TemplateName, data map[string]any) error {
|
|
_, err := s.sendTemplatedReturnID(ctx, to, subject, name, data)
|
|
return err
|
|
}
|
|
|
|
func (s *SMTPEmailSender) sendTemplatedReturnID(ctx context.Context, to, subject string, name TemplateName, data map[string]any) (string, error) {
|
|
if data == nil {
|
|
data = map[string]any{}
|
|
}
|
|
data["Subject"] = subject
|
|
html, text, err := s.tpls.Render(name, data)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
msgID := generateMessageID(s.cfg.FromEmail)
|
|
body := buildMIMEMessage(mimeMessage{
|
|
MessageID: msgID,
|
|
From: s.from,
|
|
To: to,
|
|
Subject: subject,
|
|
Text: text,
|
|
HTML: html,
|
|
})
|
|
if err := s.dial(ctx, []string{to}, body); err != nil {
|
|
return "", err
|
|
}
|
|
return msgID, nil
|
|
}
|
|
|
|
func (s *SMTPEmailSender) dial(ctx context.Context, to []string, body []byte) error {
|
|
addr := net.JoinHostPort(s.cfg.Host, strconv.Itoa(s.cfg.Port))
|
|
d := &net.Dialer{Timeout: 10 * time.Second}
|
|
deadline, ok := ctx.Deadline()
|
|
if ok {
|
|
d.Deadline = deadline
|
|
}
|
|
|
|
var (
|
|
conn net.Conn
|
|
err error
|
|
)
|
|
switch strings.ToLower(s.cfg.TLS) {
|
|
case "implicit":
|
|
conn, err = tls.DialWithDialer(d, "tcp", addr, &tls.Config{ServerName: s.cfg.Host})
|
|
default:
|
|
conn, err = d.DialContext(ctx, "tcp", addr)
|
|
}
|
|
if err != nil {
|
|
return fmt.Errorf("smtp: dial: %w", err)
|
|
}
|
|
|
|
c, err := smtp.NewClient(conn, s.cfg.Host)
|
|
if err != nil {
|
|
conn.Close()
|
|
return fmt.Errorf("smtp: new client: %w", err)
|
|
}
|
|
defer c.Close()
|
|
|
|
if strings.ToLower(s.cfg.TLS) == "starttls" {
|
|
if ok, _ := c.Extension("STARTTLS"); ok {
|
|
if err := c.StartTLS(&tls.Config{ServerName: s.cfg.Host}); err != nil {
|
|
return fmt.Errorf("smtp: starttls: %w", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
if s.cfg.Username != "" {
|
|
auth := smtp.PlainAuth("", s.cfg.Username, s.cfg.Password, s.cfg.Host)
|
|
if err := c.Auth(auth); err != nil {
|
|
return fmt.Errorf("smtp: auth: %w", err)
|
|
}
|
|
}
|
|
|
|
if err := c.Mail(s.cfg.FromEmail); err != nil {
|
|
return fmt.Errorf("smtp: MAIL FROM: %w", err)
|
|
}
|
|
for _, rcpt := range to {
|
|
if err := c.Rcpt(rcpt); err != nil {
|
|
return fmt.Errorf("smtp: RCPT TO %s: %w", rcpt, err)
|
|
}
|
|
}
|
|
w, err := c.Data()
|
|
if err != nil {
|
|
return fmt.Errorf("smtp: DATA: %w", err)
|
|
}
|
|
if _, err := w.Write(body); err != nil {
|
|
_ = w.Close()
|
|
return fmt.Errorf("smtp: write body: %w", err)
|
|
}
|
|
if err := w.Close(); err != nil {
|
|
return fmt.Errorf("smtp: close body: %w", err)
|
|
}
|
|
return c.Quit()
|
|
}
|
|
|
|
type mimeMessage struct {
|
|
MessageID string
|
|
From string
|
|
To string
|
|
Subject string
|
|
Text string
|
|
HTML string
|
|
}
|
|
|
|
// buildMIMEMessage assembles an RFC 5322 message with a multipart/alternative
|
|
// body so receiving clients pick HTML when they can and fall back to text
|
|
// otherwise.
|
|
func buildMIMEMessage(m mimeMessage) []byte {
|
|
boundary := randomBoundary()
|
|
var b strings.Builder
|
|
b.WriteString("Message-ID: <" + m.MessageID + ">\r\n")
|
|
b.WriteString("Date: " + time.Now().UTC().Format(time.RFC1123Z) + "\r\n")
|
|
b.WriteString("From: " + m.From + "\r\n")
|
|
b.WriteString("To: " + m.To + "\r\n")
|
|
b.WriteString("Subject: " + m.Subject + "\r\n")
|
|
b.WriteString("MIME-Version: 1.0\r\n")
|
|
b.WriteString("Content-Type: multipart/alternative; boundary=" + boundary + "\r\n")
|
|
b.WriteString("\r\n")
|
|
|
|
b.WriteString("--" + boundary + "\r\n")
|
|
b.WriteString("Content-Type: text/plain; charset=UTF-8\r\n")
|
|
b.WriteString("Content-Transfer-Encoding: 8bit\r\n")
|
|
b.WriteString("\r\n")
|
|
b.WriteString(m.Text)
|
|
if !strings.HasSuffix(m.Text, "\n") {
|
|
b.WriteString("\r\n")
|
|
}
|
|
|
|
b.WriteString("--" + boundary + "\r\n")
|
|
b.WriteString("Content-Type: text/html; charset=UTF-8\r\n")
|
|
b.WriteString("Content-Transfer-Encoding: 8bit\r\n")
|
|
b.WriteString("\r\n")
|
|
b.WriteString(m.HTML)
|
|
if !strings.HasSuffix(m.HTML, "\n") {
|
|
b.WriteString("\r\n")
|
|
}
|
|
|
|
b.WriteString("--" + boundary + "--\r\n")
|
|
return []byte(b.String())
|
|
}
|
|
|
|
func randomBoundary() string {
|
|
var buf [16]byte
|
|
_, _ = rand.Read(buf[:])
|
|
return "gg=" + hex.EncodeToString(buf[:])
|
|
}
|
|
|
|
func generateMessageID(from string) string {
|
|
var buf [12]byte
|
|
_, _ = rand.Read(buf[:])
|
|
domain := "guestguard.local"
|
|
if at := strings.LastIndexByte(from, '@'); at >= 0 && at+1 < len(from) {
|
|
domain = from[at+1:]
|
|
}
|
|
return hex.EncodeToString(buf[:]) + "@" + domain
|
|
}
|