refactor: comprehensive code review fixes (security, performance, QA)
## Security Improvements - Fix timing attack in verifyApiKey with fixed 256-byte buffer - Fix sortOrder SQL injection with whitelist validation - Fix rate limiting bypass for non-Cloudflare traffic (fail-closed) - Remove stack trace exposure in error responses - Add request_id for audit trail (X-Request-ID header) - Sanitize origin header to prevent log injection - Add content-length validation for /sync endpoint (10KB limit) - Replace Math.random() with crypto.randomUUID() for sync IDs - Expand sensitive data masking patterns (8 → 18) ## Performance Improvements - Reduce rate limiter KV reads from 3 to 1 per request (66% reduction) - Increase sync batch size from 100 to 500 (80% fewer batches) - Fix health check N+1 query with efficient JOINs - Fix COUNT(*) Cartesian product with COUNT(DISTINCT) - Implement shared logger cache pattern across repositories - Add CacheService singleton pattern in recommend.ts - Add composite index for recommendation queries - Implement Anvil pricing query batching (100 per chunk) ## QA Improvements - Add BATCH_SIZE bounds validation (1-1000) - Add pagination bounds (page >= 1, MAX_OFFSET = 100000) - Add min/max range consistency validation - Add DB reference validation for singleton services - Add type guards for database result validation - Add timeout mechanism for external API calls (10-60s) - Use SUPPORTED_PROVIDERS constant instead of hardcoded list ## Removed - Remove Vault integration (using Wrangler secrets) - Remove 6-hour pricing cron (daily sync only) ## Configuration - Add idx_instance_types_specs_filter composite index - Add CORS Access-Control-Expose-Headers Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kappa
@@ -33,6 +33,23 @@ interface RecommendRequestBody {
|
||||
*/
|
||||
const SUPPORTED_SCALES: readonly ScaleType[] = ['small', 'medium', 'large'] as const;
|
||||
|
||||
/**
|
||||
* Cached CacheService instance for singleton pattern
|
||||
*/
|
||||
let cachedCacheService: CacheService | null = null;
|
||||
|
||||
/**
|
||||
* Get or create CacheService singleton
|
||||
*
|
||||
* @returns CacheService instance with INSTANCES TTL
|
||||
*/
|
||||
function getCacheService(): CacheService {
|
||||
if (!cachedCacheService) {
|
||||
cachedCacheService = new CacheService(CACHE_TTL.INSTANCES);
|
||||
}
|
||||
return cachedCacheService;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle POST /recommend endpoint
|
||||
*
|
||||
@@ -157,7 +174,7 @@ export async function handleRecommend(request: Request, env: Env): Promise<Respo
|
||||
// 7. Initialize cache service and generate cache key
|
||||
logger.info('[Recommend] Validation passed', { stack, scale, budgetMax });
|
||||
|
||||
const cacheService = new CacheService(CACHE_TTL.INSTANCES);
|
||||
const cacheService = getCacheService();
|
||||
|
||||
// Generate cache key from sorted stack, scale, and budget
|
||||
// Sort stack to ensure consistent cache keys regardless of order
|
||||
@@ -270,7 +287,8 @@ export async function handleRecommend(request: Request, env: Env): Promise<Respo
|
||||
success: false,
|
||||
error: {
|
||||
code: 'INTERNAL_ERROR',
|
||||
message: error instanceof Error ? error.message : 'Unknown error',
|
||||
message: 'Recommendation request failed. Please try again later.',
|
||||
request_id: crypto.randomUUID(),
|
||||
details: {
|
||||
duration_ms: duration,
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user