sync: 2026-03-15 22:00 — 33 files from Alexandria

RoadChain-SHA2048: 2867f1c5c7b75253 RoadChain-Identity: alexa@sovereign RoadChain-Full: 2867f1c5c7b75253f424feccd6bc0ca63474c4af16caab7c3067b501a8743b73868caa3468453e496cf5a883d0cd7ac2e3e0c4671c1f507f6973a7a81b6ba2a67cf432e61099d82d1862493cd627bbfcd5667f98aa51d6573436778b7255e1f02566fdd7b226ac767cab1ff8d6f74a2872ad8374678723f75d62e8cebf5aacc9c4b7e2153b65e1254175a98899b0a602b58808acd14d63bc09c14063116b5ae67097c59a5970734bec7805a1f122201568a4624707d168301a4c71050fc3c2d248036b82c7590a7316da65cb2828ffa2d5d1791a8f4caeabecaab0915cffa0814b9c76f1eead115756ddf0ddaa5b122e347343da28ae60680983be30b1ec8d50
2026-03-15 22:00:02 -05:00
parent 0962fa9ace
commit f3fe40170e
33 changed files with 325 additions and 300 deletions
--- a/workers/road-search-src/worker.js
+++ b/workers/road-search-src/worker.js
@@ -395,11 +395,25 @@ async function handleStats(env) {
 // ─── Index page (add to search index) ─────────────────────────────────
 async function handleIndex(request, env) {
  const auth = request.headers.get('Authorization');
-  if (!auth || auth !== `Bearer ${env.INDEX_KEY}`) {
+  if (!auth || !env.INDEX_KEY) {
+    return Response.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+  // Constant-time comparison via HMAC to prevent timing attacks
+  const enc = new TextEncoder();
+  const key = await crypto.subtle.importKey('raw', enc.encode('auth-check'), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+  const expectedMac = await crypto.subtle.sign('HMAC', key, enc.encode(`Bearer ${env.INDEX_KEY}`));
+  const actualMac = await crypto.subtle.sign('HMAC', key, enc.encode(auth));
+  const expectedArr = new Uint8Array(expectedMac);
+  const actualArr = new Uint8Array(actualMac);
+  let match = expectedArr.length === actualArr.length;
+  for (let i = 0; i < expectedArr.length; i++) match &= expectedArr[i] === actualArr[i];
+  if (!match) {
    return Response.json({ error: 'Unauthorized' }, { status: 401 });
  }

-  const pages = await request.json();
+  let pages;
+  try { pages = await request.json(); }
+  catch { return Response.json({ error: 'Invalid JSON' }, { status: 400 }); }
  const toIndex = Array.isArray(pages) ? pages : [pages];
  let indexed = 0;

@@ -433,16 +447,10 @@ async function handleIndex(request, env) {

 // ─── Rebuild FTS Index ───────────────────────────────────────────────
 async function handleRebuild(env) {
-  await env.DB.prepare('DELETE FROM pages_fts').run();
-  const rows = await env.DB.prepare('SELECT rowid, title, description, content, tags FROM pages').all();
-  let rebuilt = 0;
-  for (const r of (rows.results || [])) {
-    await env.DB.prepare(
-      'INSERT INTO pages_fts(rowid, title, description, content, tags) VALUES (?, ?, ?, ?, ?)'
-    ).bind(r.rowid, r.title, r.description, r.content, r.tags).run();
-    rebuilt++;
-  }
-  return Response.json({ ok: true, rebuilt });
+  // Drop and recreate FTS table
+  try { await env.DB.prepare("INSERT INTO pages_fts(pages_fts) VALUES('rebuild')").run(); } catch {}
+  const count = await env.DB.prepare('SELECT COUNT(*) as c FROM pages').first();
+  return Response.json({ ok: true, rebuilt: count?.c || 0, note: 'FTS rebuild triggered' });
 }

 // ─── Lucky (I'm Feeling Lucky — redirect to top result) ──────────────
@@ -463,6 +471,15 @@ async function handleLucky(request, env) {
  }

  if (result?.url) {
+    // Validate redirect URL — only allow blackroad.io domains to prevent open redirect
+    try {
+      const target = new URL(result.url);
+      if (!target.hostname.endsWith('blackroad.io') && !target.hostname.endsWith('blackroad.company') && !target.hostname.endsWith('lucidia.earth')) {
+        return Response.json({ error: 'External redirect blocked', url: result.url }, { status: 403 });
+      }
+    } catch {
+      return Response.json({ error: 'Invalid URL in index' }, { status: 500 });
+    }
    return Response.redirect(result.url, 302);
  }
  return Response.json({ error: 'No results found' }, { status: 404 });