Source of truth
Follow-up from #782. Public content, gateway, auth, and webhook routes are expected for a GeeSome node, but they need abuse-case coverage because they do not require bearer-token authorization.
Scope
- Add tests for public content/gateway size, range, path, storage-miss, and stream-error behavior.
- Review public auth-message/login routes for replay, expiry, signature-domain separation, and error shape.
- Review Telegram webhook token-in-path behavior for logging exposure, brute-force resistance, and route exposure.
- Update docs/security-review.md with any concrete findings.
Verification
- Targeted public-route tests.
- npm run test:docker before merging broad public-route hardening.