Conversation
- Fix verify endpoint double-response race condition (responded guard) - Fix doFetch body double-consumption when reader exists - Fix .gitignore blocking *.json (was hiding package.json changes) - Add MIT LICENSE matching protocol-commons - Add SECURITY.md with vulnerability reporting policy - Add npm audit step to CI, scope triggers to main branch - Add package.json metadata (description, license, repository, engines) - Patch qs high-severity vulnerability via npm audit fix - Update docs/REVIEW.md to reflect all resolved issues https://claude.ai/code/session_01Jh9WXqejeBVXesWCkpt9an
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR refactors the
/verifyendpoint to use explicit timeout guards instead ofPromise.race(), improvesdoFetch()body handling with a fallback for runtimes lackinggetReader(), and adds security/operational documentation.Key Changes
Core Logic Improvements
Verify endpoint timeout handling: Replaced
Promise.race()pattern with asetTimeoutguard andrespondedflag to prevent double-response races. The timeout now fires independently and guards all response paths (success, error, and schema validation).Fetch body handling: Added fallback logic in
doFetch()for runtimes whereresp.body.getReader()is unavailable. Falls back toresp.text()when streaming is not supported, ensuring consistent behavior across environments.Simplified buffer concatenation: Removed conditional logic that fell back to
resp.text()after streaming; now always usesBuffer.concat()on the collected chunks.Documentation & Configuration
Added SECURITY.md: Vulnerability reporting policy, supported versions, and hardening guidance (key protection, debug route gating, CORS restriction, SSRF guard, HTTPS, dependency pinning).
Added LICENSE: MIT license matching protocol-commons.
Updated package.json: Added description, license field, repository metadata, and Node.js engine requirement (>=20.0.0).
Updated REVIEW.md: Converted from risk-focused to resolution-focused format, documenting all prior issues now addressed (CORS, debug routes, request validation, double-response race, fetch body consumption).
Enhanced CI workflow: Added branch filters and
npm auditcheck for high-severity vulnerabilities.Fixed .gitignore: Removed overly broad
*.jsonrule that blocked package.json tracking; now only ignoresnode_modules/.Implementation Details
setTimeoutthat fires afterVERIFY_MAX_MS, settingresponded = trueand sending a 500 error if no response has been sent yet.send()helper clears the timer and checks therespondedflag before sending, ensuring only one response is ever sent.fail()helper now callssend()instead of directly callingres.status().json().https://claude.ai/code/session_01Jh9WXqejeBVXesWCkpt9an