feat: download token utility (HMAC-SHA256, 1h expiry) #202

Merged

pook merged 1 commit from feat/download-token-utility into main 2026-04-09 06:15:02 -04:00

Conversation 0 Commits 1 Files changed 2 +148

pook commented 2026-04-09 02:54:40 -04:00

Owner

Copy link

Summary

• Add generateDownloadToken(documentId) and validateDownloadToken(token, documentId) utility functions
• HMAC-SHA256 signing with API_SECRET, 1-hour expiry encoded in token payload
• Timing-safe comparison to prevent timing attacks
• 8 unit tests covering: happy path, wrong document ID, expired token, tampered signature, malformed input

Refs

Closes #96, #197

Test plan

• bun test packages/api/tests/unit/download-token.test.ts — 8/8 pass
• TypeScript type-check passes (no new errors)

🤖 Generated with Claude Code

## Summary - Add `generateDownloadToken(documentId)` and `validateDownloadToken(token, documentId)` utility functions - HMAC-SHA256 signing with `API_SECRET`, 1-hour expiry encoded in token payload - Timing-safe comparison to prevent timing attacks - 8 unit tests covering: happy path, wrong document ID, expired token, tampered signature, malformed input ## Refs Closes #96, #197 ## Test plan - [x] `bun test packages/api/tests/unit/download-token.test.ts` — 8/8 pass - [x] TypeScript type-check passes (no new errors) 🤖 Generated with [Claude Code](https://claude.com/claude-code)

pook added 1 commit 2026-04-09 02:54:40 -04:00

feat: add download token utility with HMAC-SHA256 signing ... 0ac6a62e95

Add generateDownloadToken and validateDownloadToken functions for
secure document download links with 1-hour expiry. Uses HMAC-SHA256
with API_SECRET for signing, timing-safe comparison for validation.

Refs: #96, #197

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pook referenced this pull request 2026-04-09 03:45:36 -04:00

Close stale #96 as superseded by #200 with active PR #202 #211

pook referenced this pull request 2026-04-09 03:46:16 -04:00

Add generated document download token with expiry to prevent unauthorized access #96

pook referenced this pull request 2026-04-09 03:46:24 -04:00

[Agent] Issue #211: problem issue 96 add generated document #215

pook referenced this pull request 2026-04-09 04:00:36 -04:00

Close 7 housekeeping issues that only require gh CLI commands #221

pook referenced this pull request 2026-04-09 04:02:52 -04:00

Add generated document download token with expiry to prevent unauthorized access #96

pook referenced this pull request 2026-04-09 04:03:02 -04:00

Close stale #96 as superseded by #200 with active PR #202 #211

pook referenced this pull request 2026-04-09 04:03:08 -04:00

[Agent] Issue #221: issues 212 211 205 196 185 184 155 154 a #224

pook referenced this pull request 2026-04-09 04:23:55 -04:00

Add generated document download token with expiry to prevent unauthorized access #96

pook referenced this pull request 2026-04-09 05:34:35 -04:00

Add batch PR close for stalled agent PRs with housekeeping loops #246

pook merged commit 349b2973fc into main 2026-04-09 06:15:02 -04:00

pook referenced this pull request from a commit 2026-04-09 06:15:02 -04:00

Merge pull request 'feat: download token utility (HMAC-SHA256, 1h expiry)' (#202) from feat/download-token-utility into main

pook referenced this pull request 2026-04-09 06:15:40 -04:00

PR pipeline unblocked: 18 PRs merged, 48 remaining need rebase #254

pook referenced this pull request 2026-04-10 00:24:53 -04:00

Add GET /api/documents/:id/download endpoint with HMAC token verification #276

pook referenced this pull request 2026-04-10 00:33:26 -04:00

Batch close 22 stale issues with matching open PRs #279

pook referenced this pull request 2026-04-10 01:14:59 -04:00

Add HMAC download token expiry and tamper rejection test suite #286

pook referenced this pull request 2026-04-10 02:04:52 -04:00

Close 6 stale compliancebot issues with matching merged/existing PRs #293

pook referenced this pull request 2026-04-10 04:25:00 -04:00

Close 5 stale issues with matching PRs or merged PRs (#262, #260, #214, #213, #200) #300

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

agent-task

Task for autonomous agent execution

  

agent-task

Paperclip autonomous agent task

No labels

agent-task

agent-task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pook/compliancebot!202

No description provided.