
Staging#16

Merged
PromiseFru merged 8 commits into
mainfrom
staging
Apr 29, 2026

Conversation

@PromiseFru
Contributor

No description provided.

Contributor

Copilot AI left a comment

Pull request overview

Updates the admin web UI and backend message-send handler to support sending a single message to multiple recipients (comma-separated), alongside some permission/UX improvements and documentation updates.

Changes:

  • Add multi-recipient support in Devices UI and split/publish-per-recipient behavior in the API handler.
  • Improve Tokens page “no access” UX by showing an access-restricted card instead of an empty table message.
  • Update architecture + usage docs to reflect multi-recipient sending; refresh built web dist entrypoint reference.

Reviewed changes

Copilot reviewed 5 out of 8 changed files in this pull request and generated 4 comments.

Summary per file:

  • pkg/adminweb/web/src/pages/Tokens.jsx: Renders an “Access Restricted” card when the user lacks tokens:read:*; formatting cleanup.
  • pkg/adminweb/web/src/pages/Devices.jsx: Adds multi-recipient contact collection UI (chips + add button) and sends comma-joined contacts to the API.
  • pkg/adminweb/web/dist/index.html: Updates the hashed JS asset reference for the built admin web bundle.
  • internal/api/v1/handlers/devices/send.go: Splits comma-separated contact and publishes one RabbitMQ message per address; adjusts success message text.
  • docs/architecture/send-message-flow.md: Updates sequence diagram to include splitting + per-address publish loop.
  • docs/USAGE.md: Adds examples for comma-separated multi-recipient usage (JSON + multipart).


Comment thread on internal/api/v1/handlers/devices/send.go, lines +162 to 183:
addresses := strings.SplitSeq(req.Contact, ",")
for address := range addresses {
address = strings.TrimSpace(address)
if address == "" {
continue
}

if err := producer.Publish(exchangeName, routingKey, message, rabbitmq.DefaultPublishOptions()); err != nil {
logger.Error(fmt.Sprintf("RabbitMQ message publish failed: %v\n%s", err, debug.Stack()))
return echo.ErrInternalServerError
message := queuedMessage{
DeviceID: deviceID,
Contact: address,
PlatformName: req.Platform,
Text: req.Text,
Username: matrixUsername,
FileContent: fileContent,
FileExtension: fileExtension,
}

if err := producer.Publish(exchangeName, routingKey, message, rabbitmq.DefaultPublishOptions()); err != nil {
logger.Error(fmt.Sprintf("RabbitMQ message publish failed for address %s: %v\n%s", address, err, debug.Stack()))
return echo.ErrInternalServerError
}
}
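Review bot: a Publish failure on the second or later address returns echo.ErrInternalServerError after earlier addresses in the same request have already been published, so the client gets a 500 with no indication of which recipients were queued, and a natural retry re-sends to the ones that succeeded. The loop also publishes once per occurrence, so the same address listed twice in req.Contact is queued twice, and nothing caps how many addresses one request may carry. Consider trimming, deduplicating and bounding the full list before the first Publish, and on a mid-loop failure reporting per-address results rather than a bare 500. Note also that strings.SplitSeq exists only in Go 1.24 and later; confirm the go directive in go.mod matches.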
Contributor Author

@copilot open an issue for this feedback tag as enhancement

Contributor

I don't have the capability to create GitHub issues with my available tools. You can open the issue manually using the details below:

Title: Enforce max-recipients limit on comma-separated contact field to prevent DoS

Labels: enhancement

Body:

Allowing comma-separated recipients in the POST /api/v1/devices/{device_id}/message endpoint means a single request can trigger an unbounded number of RabbitMQ publishes (one per address). This is a potential abuse/DoS vector and can cause long request times for legitimate users.

Proposed changes:

  • Define a configurable constant (e.g. maxRecipients = 50) for the maximum number of recipients allowed per request.
  • Define a configurable constant (e.g. maxContactLength = 1024) for the maximum byte length of the raw contact field.
  • Return HTTP 400 with a clear error message when either limit is exceeded.

Affected file: internal/api/v1/handlers/devices/send.go (loop starting around line 162)
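One way to implement the limits proposed in that issue body, as an added example that is not the project's code: the constants maxRecipients = 50 and maxContactLength = 1024 are the proposal's example values, while parseRecipients, statusFor, manyDistinct and the sample contact strings are assumptions of this example. It validates and deduplicates the whole list before anything would be published, so a request that breaks a limit is rejected with 400 without partially queuing messages, and a duplicated address is queued only once.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Limits from the proposed issue body; the values are the proposal's
// examples, not settings the project ships.
const (
	maxRecipients    = 50
	maxContactLength = 1024
)

// Sentinel errors so the handler can map each violation to a status code.
var (
	ErrContactTooLong    = errors.New("contact field exceeds maximum length")
	ErrTooManyRecipients = errors.New("too many recipients")
	ErrNoRecipients      = errors.New("no valid recipients")
)

// parseRecipients (hypothetical helper) validates the raw comma-separated
// contact field before any message is published. It enforces the byte-length
// cap on the raw field first (cheap, before any splitting work), then splits
// on commas, trims whitespace, drops empty entries and duplicates, and
// enforces the recipient-count cap on what remains.
func parseRecipients(raw string) ([]string, error) {
	if len(raw) > maxContactLength {
		return nil, fmt.Errorf("%w: %d bytes, limit %d", ErrContactTooLong, len(raw), maxContactLength)
	}
	seen := make(map[string]struct{})
	var out []string
	for _, part := range strings.Split(raw, ",") {
		addr := strings.TrimSpace(part)
		if addr == "" {
			continue
		}
		if _, dup := seen[addr]; dup {
			continue // the same address listed twice would otherwise publish twice
		}
		seen[addr] = struct{}{}
		out = append(out, addr)
		if len(out) > maxRecipients {
			return nil, fmt.Errorf("%w: limit is %d", ErrTooManyRecipients, maxRecipients)
		}
	}
	if len(out) == 0 {
		return nil, ErrNoRecipients
	}
	return out, nil
}

// statusFor maps a validation result to the HTTP status the handler should
// return: every limit violation is a client error (400), anything else 500.
func statusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrContactTooLong),
		errors.Is(err, ErrTooManyRecipients),
		errors.Is(err, ErrNoRecipients):
		return http.StatusBadRequest
	default:
		return http.StatusInternalServerError
	}
}

// manyDistinct builds a comma-separated list of n distinct constructed
// addresses, used only to exercise the count limit.
func manyDistinct(n int) string {
	parts := make([]string, n)
	for i := range parts {
		parts[i] = fmt.Sprintf("+1555000%04d", i)
	}
	return strings.Join(parts, ",")
}

func main() {
	// Constructed sample inputs, not taken from the project.
	samples := []string{
		"+15550000001, +15550000002,,+15550000001", // trim, skip empty, dedup
		manyDistinct(maxRecipients + 1),            // one over the count cap
		strings.Repeat("x", maxContactLength+1),    // over the byte cap
		" , ",                                      // nothing usable
	}
	for _, s := range samples {
		addrs, err := parseRecipients(s)
		fmt.Printf("status=%d recipients=%d err=%v\n", statusFor(err), len(addrs), err)
	}
}
```

Checking the raw byte length before splitting means an oversized field is rejected without allocating per-address slices, and returning sentinel errors lets the handler keep the 400-versus-500 decision in one place rather than in the loop body.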

PromiseFru and others added 2 commits April 29, 2026 18:32
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>