Security

Admin sign-in uses Google OAuth via NextAuth v5. Sessions are JWT-based with an 8-hour expiry and are revalidated against the database on every request.

CLI authentication issues ud_-prefixed tokens with a 90-day default expiry. Non-interactive environments (Claude Code, Codex, CI) use an RFC 8628-inspired device authorization flow with 8-character user codes (~39 bits of entropy), 20-minute expiry, and a 5-attempt lockout.

Submission API keys start with pk_ and are scoped per-app. They never reach the browser — the feedback form resolves keys server-side through a proxy endpoint.

All MCP tools enforce org ownership and role checks. Destructive operations — delete app, remove member, rotate key — require the owner role. Non-owners can only update their own member record.

Sensitive fields (notification_email, enable_log_upload) are restricted to owners. Attachment access is scoped to the requesting admin's org through an authenticated proxy — raw blob URLs are never exposed.

Every response includes a nonce-based Content Security Policy with strict-dynamic. HSTS is enabled with the preload directive, and a restrictive Permissions-Policy disables unnecessary browser APIs.

All API inputs are validated through Zod schemas. Detailed field errors are only returned in development — production responses use generic messages with no stack traces or internal paths.

API tokens (ud_) are SHA-256 hashed before storage. The raw token value is displayed exactly once at creation and cannot be retrieved afterward.

Token comparison uses a constant-time XOR-based algorithm padded to the maximum length, preventing timing side-channels. Tokens default to a 90-day expiry. Deleting an admin cascades to revoke all their tokens.

The CLI writes tokens to .env (auto-added to .gitignore) and never logs or transmits them beyond the initial auth exchange.

Uploaded files are validated by reading magic bytes — the actual file header — not just the MIME type or extension. A blocklist rejects text/html, image/svg+xml, and application/xhtml+xml to prevent stored XSS through disguised uploads.

Attachments are served through an authenticated proxy scoped to the requesting admin's org. Images use Content-Disposition: inline; all other file types force a download. Raw blob URLs are never exposed to the browser.

A PostgreSQL-backed fixed-window rate limiter uses atomic upserts, ensuring consistent enforcement across all serverless instances.

Webhook replay protection deduplicates events using svix-id (Resend) and MessageSid (Twilio) over a 24-hour window.

All admin POST/PATCH/DELETE routes require Content-Type: application/json or multipart/form-data. This prevents cross-site form submissions that rely on cookies.

Apps can configure allowed_origins to restrict which domains can submit feedback. When set, the Origin header must match. Dynamic CORS headers are returned with Vary: Origin.