This commit addresses the remaining high-priority issues identified in the
comprehensive codebase analysis, implementing proper notification systems,
error handling, input validation, and race condition fixes.

1. CRITICAL: Implement Stripe webhook notifications
   - Created new NotificationService for centralized notification handling
   - Supports both in-app notifications and email queuing
   - Implemented all 4 missing webhook notifications:
     * Subscription downgrade notifications
     * Payment success receipts
     * Payment failure alerts with recovery action
     * Trial ending reminders with days remaining calculation
   - Notifications stored in database and emitted via Socket.io
   - File: src/backend/services/notificationService.js (NEW)
   - Updated: src/backend/routes/webhooks/stripeWebhook.js

2. HIGH: Add comprehensive error handling to socket event handlers
   - Wrapped all socket event handlers in try-catch blocks
   - Emit error events back to clients when operations fail
   - Prevents server crashes from unhandled socket errors
   - Provides user feedback for failed socket operations
   - File: src/backend/services/socketService.js

3. HIGH: Fix race condition in Chat component
   - Added activeConversationRef to track current conversation
   - Check conversation ID before updating messages after async load
   - Clear messages immediately when switching conversations
   - Prevents stale messages from appearing when rapidly switching
   - File: src/frontend/components/Chat/Chat.jsx

4. HIGH: Add input validation to messaging service
   - Validate userId and conversationId are valid strings
   - Ensure message content is not empty and under 10K chars
   - Validate contentType against allowed types
   - Validate metadata structure
   - Provides clear error messages for invalid input
   - File: src/backend/services/messagingService.js

5. MEDIUM: Replace hardcoded URLs with environment variables
   - Updated AuthContext to use VITE_API_URL env variable
   - Maintains localhost fallback for development
   - File: src/frontend/contexts/AuthContext.jsx

6. Documentation: Update .env.example
   - Added FRONTEND_URL configuration
   - Documented ALLOW_DEV_BYPASS security flag
   - Added critical warnings for TURN server configuration
   - Added Stripe configuration variables
   - File: .env.example

These fixes significantly improve:
- User experience (notifications for all payment events)
- System reliability (proper error handling, race condition fixes)
- Security (input validation prevents malicious input)
- Maintainability (proper environment configuration)
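
The validation rules listed under item 4, written out as an added example; this is not the code from src/backend/services/messagingService.js. The function name, the allowed content types, the inclusive 10,000-character bound and the forbidden-key check on metadata are assumptions, since the commit message does not give them.

```javascript
// Added example: hypothetical validator for the rules listed in item 4.
const MAX_CONTENT_LENGTH = 10000; // "under 10K chars"; inclusive bound is an assumption
// Assumption: the page does not list the allowed types, so these are placeholders.
const ALLOWED_CONTENT_TYPES = new Set(['text', 'image', 'file']);
// Keys that must never be merged into other objects (prototype pollution).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isNonEmptyString(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns an array of error strings; an empty array means the input passed.
function validateMessageInput(input) {
  const errors = [];
  if (!isPlainObject(input)) return ['input must be an object'];
  const { userId, conversationId, content, contentType = 'text', metadata = {} } = input;

  if (!isNonEmptyString(userId)) errors.push('userId must be a non-empty string');
  if (!isNonEmptyString(conversationId)) errors.push('conversationId must be a non-empty string');

  if (!isNonEmptyString(content)) {
    errors.push('content must be a non-empty string');
  } else if (content.length > MAX_CONTENT_LENGTH) {
    errors.push(`content exceeds ${MAX_CONTENT_LENGTH} characters`);
  }

  if (typeof contentType !== 'string' || !ALLOWED_CONTENT_TYPES.has(contentType)) {
    errors.push('contentType is not an allowed type');
  }

  if (!isPlainObject(metadata)) {
    errors.push('metadata must be a plain object');
  } else if (Object.keys(metadata).some((key) => FORBIDDEN_KEYS.has(key))) {
    errors.push('metadata contains a forbidden key');
  }
  return errors;
}

// Constructed sample inputs, not taken from the project.
const ok = { userId: 'u-1', conversationId: 'c-1', content: 'hello', metadata: { replyTo: 'm-9' } };
const bad = { userId: 42, conversationId: '', content: 'x'.repeat(10001), contentType: 'html',
  metadata: JSON.parse('{"__proto__": {"isAdmin": true}}') };
console.log(validateMessageInput(ok));  // passes
console.log(validateMessageInput(bad)); // one error per failed rule
```
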
# Database Configuration
DATABASE_URL=postgresql://user:password@localhost:5432/aethex_passport

# Server Configuration
PORT=3000
NODE_ENV=development
FRONTEND_URL=http://localhost:5173

# Development Security (ONLY for development, DO NOT enable in production)
# Allows bypassing authentication - requires BOTH NODE_ENV=development AND ALLOW_DEV_BYPASS=true
ALLOW_DEV_BYPASS=true

# Blockchain Configuration (for .aethex domain verification)
RPC_ENDPOINT=https://polygon-mainnet.infura.io/v3/YOUR_INFURA_KEY
FREENAME_REGISTRY_ADDRESS=0x... # Freename contract address

# JWT Secret (for authentication)
JWT_SECRET=your-secret-key-here

# Rate Limiting
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=100
# TURN Server Configuration (for WebRTC NAT traversal)
# CRITICAL: These MUST be set in production - no defaults allowed
TURN_SERVER_HOST=turn.example.com
TURN_SERVER_PORT=3478
TURN_SECRET=your-turn-secret-key
TURN_TTL=86400

# Stripe Configuration (for payments)
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...
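
Review bot: ALLOW_DEV_BYPASS=true in the Development Security block ships the authentication bypass switched on in the template, and NODE_ENV=development a few lines above it satisfies the second condition, so a straight copy of .env.example to .env starts with authentication bypassable. Set the template value to false, or comment the line out, so the bypass has to be enabled deliberately. The same applies to the secrets: the TURN block says "no defaults allowed", yet TURN_SECRET=your-turn-secret-key and JWT_SECRET=your-secret-key-here are working strings that will be accepted if left unchanged; leaving them empty in the template and rejecting empty or placeholder values at startup would match the comment.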