Skip to content

Add inquiry-notifier service for EPK forms#67

Open
magent-cryptograss wants to merge 2 commits into
cryptograss:mainfrom
magent-cryptograss:inquiry-notifier
Open

Add inquiry-notifier service for EPK forms#67
magent-cryptograss wants to merge 2 commits into
cryptograss:mainfrom
magent-cryptograss:inquiry-notifier

Conversation

@magent-cryptograss

Copy link
Copy Markdown
Contributor

Summary

Express.js notification service for the Justin Holmes EPK contact form and mailing list.

Endpoints

  • POST /inquiry - Booking inquiries → Telegram notification
  • POST /subscribe - Mailing list signups → Telegram notification
  • GET /health - Status check

Security

  • Rate limiting: 5 requests/min per IP
  • Honeypot field detection (bots fill hidden field, humans don't)
  • Input sanitization and HTML escaping
  • Email validation
  • CORS whitelist for allowed origins
  • 10kb request size limit

Deployment Steps

  1. Create Telegram bot via @Botfather, get token
  2. Create channel/group, get chat ID
  3. Add to vault secrets:
    • TELEGRAM_BOT_TOKEN
    • TELEGRAM_CHAT_ID
  4. Add to docker-compose.maybelle.yml
  5. Add Caddy route for api.cryptograss.live

Related

Test plan

  • Run locally with npm start
  • Test /health endpoint
  • Test /inquiry with valid data
  • Test /subscribe with valid data
  • Verify rate limiting kicks in after 5 requests
  • Verify honeypot field triggers silent success

Express.js service that handles:
- POST /inquiry - booking inquiries → Telegram notification
- POST /subscribe - mailing list signups → Telegram notification

Security features:
- Rate limiting (5 requests/min per IP)
- Honeypot field detection
- Input sanitization and validation
- CORS whitelist
- Request size limits

Requires deployment:
- Add to docker-compose with TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID
- Add Caddy route for api.cryptograss.live
- Block disposable email domains (tempmail, mailinator, etc.)
- Detect script injection attempts (<script>, onclick=, etc.)
- Limit URLs in messages (max 3, catches link spam)
- Time-based validation (form must be open 3+ seconds)
- Silent failures for bot detection (return fake success)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants