fix: improve code quality, security & reliability across extension and server

Extension:
- Add AbortController with 10s timeout to fetchStats/fetchLeaderboard
- Clear provider loading state on fetch errors to avoid stuck spinners
- Fix XSS vulnerability in leaderboard tooltip (isTrusted=false, appendText)
- Fix setLoading() to always fire tree refresh in both providers
- Replace local StatsData interface with UserStatsDTO from shared package
Server:
- Strengthen GITHUB_WEBHOOK_SECRET validation (trim + min 32 chars)
- Add max-length validation (255) to session language/project fields
- Extract parseStreakData helper to deduplicate streak parsing logic
- Fix Lua streak script timezone issue with UTC yesterday comparison
- Fix comment numbering consistency in stats route
- Add cursor-based pagination to /achievements endpoint
- Fix streak achievements to award all applicable milestones (not just highest)
- Fail fast on missing rawBody in webhooks (no re-serialization fallback)
- Minimize GitHub push payload schema (remove PII: email, author, pusher)
- Harden signature verification (sha256= prefix, getHeader helper, utf8)
- Add delivery-id deduplication to prevent duplicate webhook processing
- Fix achievement race condition with P2002 error handling
Shared:
- Add webhookDelivery Redis key for deduplication

Author: senutpal

apps/extension/src/extension.ts

@@ -311,6 +311,11 @@ class DevRadarExtension implements vscode.Disposable {
 
   /** Fetch user stats from the server. */
   private async fetchStats(): Promise<void> {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => {
+      controller.abort();
+    }, 10_000);
+
     try {
       const token = this.authService.getToken();
       if (!token) return;
@@ -321,21 +326,35 @@ class DevRadarExtension implements vscode.Disposable {
           Authorization: `Bearer ${token}`,
           'Content-Type': 'application/json',
         },
+        signal: controller.signal,
       });
 
       if (response.ok) {
         const json = (await response.json()) as { data: UserStatsDTO };
         this.statsProvider.updateStats(json.data);
       } else {
         this.logger.warn('Failed to fetch stats', { status: response.status });
+        this.statsProvider.setLoading(false);
       }
     } catch (error) {
-      this.logger.warn('Failed to fetch stats', error);
+      if (error instanceof Error && error.name === 'AbortError') {
+        this.logger.warn('Stats fetch timed out after 10s');
+      } else {
+        this.logger.warn('Failed to fetch stats', error);
+      }
+      this.statsProvider.setLoading(false);
+    } finally {
+      clearTimeout(timeout);
     }
   }
 
   /** Fetch friends leaderboard from the server. */
   private async fetchLeaderboard(): Promise<void> {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => {
+      controller.abort();
+    }, 10_000);
+
     try {
       const token = this.authService.getToken();
       if (!token) return;
@@ -346,6 +365,7 @@ class DevRadarExtension implements vscode.Disposable {
           Authorization: `Bearer ${token}`,
           'Content-Type': 'application/json',
         },
+        signal: controller.signal,
       });
 
       if (response.ok) {
@@ -355,9 +375,17 @@ class DevRadarExtension implements vscode.Disposable {
         this.leaderboardProvider.updateLeaderboard(json.data.leaderboard, json.data.myRank);
       } else {
         this.logger.warn('Failed to fetch leaderboard', { status: response.status });
+        this.leaderboardProvider.setLoading(false);
       }
     } catch (error) {
-      this.logger.warn('Failed to fetch leaderboard', error);
+      if (error instanceof Error && error.name === 'AbortError') {
+        this.logger.warn('Leaderboard fetch timed out after 10s');
+      } else {
+        this.logger.warn('Failed to fetch leaderboard', error);
+      }
+      this.leaderboardProvider.setLoading(false);
+    } finally {
+      clearTimeout(timeout);
     }
   }
 

apps/extension/src/views/index.ts

@@ -2,6 +2,5 @@ export { FriendsProvider, type FriendInfo } from './friendsProvider';
 export { FriendRequestsProvider } from './friendRequestsProvider';
 export { ActivityProvider, type ActivityEvent } from './activityProvider';
 export { StatusBarManager } from './statusBarItem';
-export { StatsProvider, type StatsData } from './statsProvider';
+export { StatsProvider } from './statsProvider';
 export { LeaderboardProvider } from './leaderboardProvider';
-

apps/extension/src/views/leaderboardProvider.ts

@@ -58,10 +58,15 @@ class LeaderboardTreeItem extends vscode.TreeItem {
   /** Build rich tooltip with details. */
   private buildTooltip(entry: LeaderboardEntry): vscode.MarkdownString {
     const md = new vscode.MarkdownString();
-    md.isTrusted = true;
+    md.isTrusted = false;
 
-    md.appendMarkdown(`### ${entry.displayName ?? entry.username}\n\n`);
-    md.appendMarkdown(`**@${entry.username}**\n\n`);
+    md.appendMarkdown(`### `);
+    md.appendText(entry.displayName ?? entry.username);
+    md.appendMarkdown(`\n\n`);
+
+    md.appendMarkdown(`**@`);
+    md.appendText(entry.username);
+    md.appendMarkdown(`**\n\n`);
     md.appendMarkdown(`📊 **Rank:** #${String(entry.rank)}\n\n`);
     md.appendMarkdown(`⏱️ **This Week:** ${this.formatScore(entry.score)}\n\n`);
 
@@ -168,9 +173,7 @@ export class LeaderboardProvider
   /** Set loading state. */
   setLoading(loading: boolean): void {
     this.isLoading = loading;
-    if (loading) {
-      this.onDidChangeTreeDataEmitter.fire(undefined);
-    }
+    this.onDidChangeTreeDataEmitter.fire(undefined);
   }
 
   /** Clear leaderboard data. */

apps/extension/src/views/statsProvider.ts

@@ -8,15 +8,7 @@
 import * as vscode from 'vscode';
 
 import type { Logger } from '../utils/logger';
-import type { StreakInfo, WeeklyStatsDTO, AchievementDTO } from '@devradar/shared';
-
-/** Stats data structure matching API response. */
-export interface StatsData {
-  streak: StreakInfo;
-  todaySession: number;
-  weeklyStats: WeeklyStatsDTO | null;
-  recentAchievements: AchievementDTO[];
-}
+import type { UserStatsDTO } from '@devradar/shared';
 
 /** Tree item for stats display. */
 class StatsTreeItem extends vscode.TreeItem {
@@ -38,7 +30,7 @@ export class StatsProvider implements vscode.TreeDataProvider<StatsTreeItem>, vs
   private readonly onDidChangeTreeDataEmitter = new vscode.EventEmitter<
     StatsTreeItem | undefined
   >();
-  private stats: StatsData | null = null;
+  private stats: UserStatsDTO | null = null;
   private isLoading = true;
 
   readonly onDidChangeTreeData = this.onDidChangeTreeDataEmitter.event;
@@ -133,7 +125,7 @@ export class StatsProvider implements vscode.TreeDataProvider<StatsTreeItem>, vs
   }
 
   /** Updates the stats data and triggers a tree refresh. */
-  updateStats(stats: StatsData): void {
+  updateStats(stats: UserStatsDTO): void {
     this.stats = stats;
     this.isLoading = false;
     this.onDidChangeTreeDataEmitter.fire(undefined);
@@ -143,9 +135,7 @@ export class StatsProvider implements vscode.TreeDataProvider<StatsTreeItem>, vs
   /** Set loading state. */
   setLoading(loading: boolean): void {
     this.isLoading = loading;
-    if (loading) {
-      this.onDidChangeTreeDataEmitter.fire(undefined);
-    }
+    this.onDidChangeTreeDataEmitter.fire(undefined);
   }
 
   /** Clear stats (e.g., on logout). */

apps/server/src/config.ts

@@ -34,7 +34,11 @@ const envSchema = z.object({
   GITHUB_CLIENT_SECRET: z.string().min(1, 'GITHUB_CLIENT_SECRET is required'),
   GITHUB_CALLBACK_URL: z.string().url(),
   /* GitHub Webhooks (optional - for Gamification feature) */
-  GITHUB_WEBHOOK_SECRET: z.string().min(8).optional(),
+  GITHUB_WEBHOOK_SECRET: z
+    .string()
+    .trim()
+    .min(32, 'GITHUB_WEBHOOK_SECRET must be at least 32 characters')
+    .optional(),
   /* Logging */
   LOG_LEVEL: z.enum(['fatal', 'error', 'warn', 'info', 'debug', 'trace']).default('info'),
 });

apps/server/src/routes/stats.ts

@@ -28,8 +28,14 @@ import { broadcastToUsers } from '@/ws/handler';
 /** Schema for session recording payload. */
 const SessionPayloadSchema = z.object({
   sessionDuration: z.number().int().min(0).max(86400), // Max 24 hours
-  language: z.string().optional(),
-  project: z.string().optional(),
+  language: z.string().max(255).optional(),
+  project: z.string().max(255).optional(),
+});
+
+/** Schema for achievements query with pagination. */
+const AchievementsQuerySchema = z.object({
+  limit: z.coerce.number().int().min(1).max(100).default(50),
+  cursor: z.string().optional(),
 });
 
 /** Allowlist of known programming languages to prevent unbounded Redis hash growth. */
@@ -103,6 +109,30 @@ function calculateStreakStatus(lastActiveDate: string | null): StreakInfo['strea
   return 'broken';
 }
 
+/** Get yesterday's date in YYYY-MM-DD format (UTC) for Lua script timezone safety. */
+function getYesterdayDate(): string {
+  const yesterday = new Date();
+  yesterday.setUTCDate(yesterday.getUTCDate() - 1);
+  const parts = yesterday.toISOString().split('T');
+  return parts[0] ?? '';
+}
+
+/** Parse streak data from Redis hgetall result into StreakInfo. */
+function parseStreakData(data: Record<string, string> | null): StreakInfo {
+  const currentStreak = parseInt(data?.count ?? '0', 10);
+  const longestStreak = parseInt(data?.longest ?? '0', 10);
+  const lastActiveDate = data?.lastDate ?? null;
+  const streakStatus = calculateStreakStatus(lastActiveDate);
+
+  return {
+    currentStreak,
+    longestStreak,
+    lastActiveDate,
+    isActiveToday: streakStatus === 'active',
+    streakStatus,
+  };
+}
+
 /** Registers stats routes on the Fastify instance. */
 export function statsRoutes(app: FastifyInstance): void {
   const db = getDb();
@@ -137,19 +167,8 @@ export function statsRoutes(app: FastifyInstance): void {
       const todaySessionStr = results?.[1]?.[1] as string | null;
       const todaySession = todaySessionStr ? parseInt(todaySessionStr, 10) : 0;
 
-      // Build streak info
-      const currentStreak = parseInt(streakData?.count ?? '0', 10);
-      const longestStreak = parseInt(streakData?.longest ?? '0', 10);
-      const lastActiveDate = streakData?.lastDate ?? null;
-      const streakStatus = calculateStreakStatus(lastActiveDate);
-
-      const streak: StreakInfo = {
-        currentStreak,
-        longestStreak,
-        lastActiveDate,
-        isActiveToday: streakStatus === 'active',
-        streakStatus,
-      };
+      // Build streak info using shared helper
+      const streak = parseStreakData(streakData);
 
       // Get weekly stats from PostgreSQL
       const weekStart = getWeekStart();
@@ -210,19 +229,7 @@ export function statsRoutes(app: FastifyInstance): void {
       const redis = getRedis();
 
       const streakData = await redis.hgetall(REDIS_KEYS.streakData(userId));
-
-      const currentStreak = parseInt(streakData.count ?? '0', 10);
-      const longestStreak = parseInt(streakData.longest ?? '0', 10);
-      const lastActiveDate = streakData.lastDate ?? null;
-      const streakStatus = calculateStreakStatus(lastActiveDate);
-
-      const streak: StreakInfo = {
-        currentStreak,
-        longestStreak,
-        lastActiveDate,
-        isActiveToday: streakStatus === 'active',
-        streakStatus,
-      };
+      const streak = parseStreakData(streakData);
 
       return reply.send({ data: streak });
     }
@@ -247,14 +254,16 @@ export function statsRoutes(app: FastifyInstance): void {
 
       const { sessionDuration, language, project } = result.data;
       const today = getTodayDate();
+      const yesterday = getYesterdayDate();
       const redis = getRedis();
 
-      // Lua script for atomic streak update
+      // Lua script for atomic streak update (UTC-safe: uses string comparison)
       // Returns: [newStreak, shouldCheckAchievements] - 1 if streak was updated, 0 otherwise
       const STREAK_UPDATE_SCRIPT = `
       local streakKey = KEYS[1]
       local today = ARGV[1]
       local streakTtl = tonumber(ARGV[2])
+      local yesterday = ARGV[3]
 
       -- Read current streak data
       local lastDate = redis.call('HGET', streakKey, 'lastDate')
@@ -266,21 +275,12 @@ export function statsRoutes(app: FastifyInstance): void {
         return {count, 0}
       end
 
-      -- Calculate new streak
+      -- Calculate new streak using UTC-safe string comparison
       local newStreak = 1
-      if lastDate then
-        -- Parse dates and calculate difference
-        local ly, lm, ld = lastDate:match('(%d+)-(%d+)-(%d+)')
-        local ty, tm, td = today:match('(%d+)-(%d+)-(%d+)')
-        local lastTime = os.time({year=ly, month=lm, day=ld})
-        local todayTime = os.time({year=ty, month=tm, day=td})
-        local daysDiff = math.floor((todayTime - lastTime) / 86400)
-
-        if daysDiff == 1 then
-          newStreak = count + 1
-        end
-        -- daysDiff > 1 means streak broken, reset to 1
+      if lastDate == yesterday then
+        newStreak = count + 1
       end
+      -- Any other date means streak broken, reset to 1
 
       local newLongest = math.max(newStreak, longest)
 
@@ -298,7 +298,8 @@ export function statsRoutes(app: FastifyInstance): void {
         1,
         streakKey,
         today,
-        (STREAK_TTL_SECONDS * 2).toString()
+        (STREAK_TTL_SECONDS * 2).toString(), // 50h TTL: 25h grace + 25h safety buffer
+        yesterday
       )) as [number, number];
 
       const newStreak = streakResult[0];
@@ -320,7 +321,7 @@ export function statsRoutes(app: FastifyInstance): void {
       pipeline.hincrby(REDIS_KEYS.networkIntensity(minute), 'count', 1);
       pipeline.expire(REDIS_KEYS.networkIntensity(minute), NETWORK_ACTIVITY_TTL_SECONDS);
 
-      // 5. Track language if provided (validate to prevent unbounded hash growth)
+      // 4. Track language if provided (validate to prevent unbounded hash growth)
       if (language) {
         const normalizedLang = language.toLowerCase().trim();
         const safeLang = LANGUAGE_ALLOWLIST.has(normalizedLang) ? normalizedLang : 'other';
@@ -395,28 +396,52 @@ export function statsRoutes(app: FastifyInstance): void {
   );
 
   /**
-   * GET /stats/achievements - Get all user achievements
+   * GET /stats/achievements - Get all user achievements (paginated)
    */
   app.get(
     '/achievements',
     { onRequest: [app.authenticate] },
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { userId } = request.user as { userId: string };
+      const queryResult = AchievementsQuerySchema.safeParse(request.query);
+
+      if (!queryResult.success) {
+        return reply.status(400).send({
+          error: { code: 'INVALID_QUERY', message: 'Invalid query parameters' },
+        });
+      }
+
+      const { limit, cursor } = queryResult.data;
 
       const achievementRecords = await db.achievement.findMany({
         where: { userId },
         orderBy: { earnedAt: 'desc' },
+        take: limit + 1, // Fetch one extra to check if there's more
+        ...(cursor && {
+          cursor: { id: cursor },
+          skip: 1, // Skip the cursor item itself
+        }),
       });
 
-      const achievements: AchievementDTO[] = achievementRecords.map((a) => ({
+      const hasMore = achievementRecords.length > limit;
+      const items = hasMore ? achievementRecords.slice(0, limit) : achievementRecords;
+      const nextCursor = hasMore ? items[items.length - 1]?.id : undefined;
+
+      const achievements: AchievementDTO[] = items.map((a) => ({
         id: a.id,
         type: a.type as AchievementDTO['type'],
         title: a.title,
         description: a.description,
         earnedAt: a.earnedAt.toISOString(),
       }));
 
-      return reply.send({ data: achievements });
+      return reply.send({
+        data: achievements,
+        pagination: {
+          hasMore,
+          nextCursor,
+        },
+      });
     }
   );
 
@@ -477,7 +502,7 @@ export function statsRoutes(app: FastifyInstance): void {
             logger.info({ userId, streak, type: milestone.type }, 'Streak achievement earned');
           }
         }
-        break; // Only one achievement per streak update
+        // Continue checking for lower milestones that may not have been awarded
       }
     }
   }