[GH-ISSUE #2484] Unauthenticated 500 on /share/qr_* for invalid QR tokens (unhandled findFirstOrThrow) enables error/origin-hit spam #691

Open
opened 2026-02-26 18:48:05 +03:00 by kerem · 1 comment

Originally created by @Judel777 on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/documenso/documenso/issues/2484

Issue Description

Requesting a non-existent QR share link returns HTTP 500 Internal Server Error instead of a safe 404/redirect.
The /share/:slug route calls getDocumentByAccessToken() when slug starts with qr_. That function uses prisma.envelope.findFirstOrThrow(), and the “not found” exception bubbles to the root error boundary, producing a 500 page.

Likely code path

  • apps/remix/app/routes/_share+/share.$slug.tsx (qr_ branch)
  • packages/lib/server-only/document/get-document-by-access-token.ts (findFirstOrThrow)
  • apps/remix/app/root.tsx (ErrorBoundary => Generic 500 layout)

Steps to Reproduce

  1. Generate a random QR token and request it:

```
TOK="qr_$(tr -dc 'abcdefhiklmnorstuvwxyz' </dev/urandom | head -c16)"
URL="https://app.documenso.com/share/$TOK"
curl -sk -D- -o /dev/null "$URL"
```

  2. Show repeatability and headers:

```
for i in $(seq 1 10); do
  echo "== $i =="
  curl -sk -D- -o /dev/null "$URL" | rg -i "HTTP/|x-cache|age|via:|x-amz-cf-id"
done
```

  3. Optional: show timing consistency (suggests origin work each time):

```
for i in $(seq 1 10); do
  curl -sk -o /dev/null -w "i=$i code=%{http_code} time_total=%{time_total}\n" "$URL"
done
```

  4. Control case (non-qr slug redirects as expected):

```
curl -sk -o /dev/null -w "code=%{http_code}\n" https://app.documenso.com/share/test
```

Expected Behavior

  • Invalid/non-existent qr_* token should return 404 or redirect (e.g., / or https://documenso.com), not 500.
  • Ideally, the endpoint should not throw unhandled exceptions for normal “not found” conditions.

Current Behavior

  • GET /share/qr_<random> returns HTTP 500 with a rendered “500 Internal Server Error” page.
  • Response headers commonly show:
    • x-cache: Error from cloudfront
    • varying x-amz-cf-id per request
    • no Age header
  • This allows an unauthenticated actor to spam requests that repeatedly trigger server errors (reliability + logging/alert noise; potentially repeated origin hits).

Screenshots (optional)

documenso_qr_body.html (https://github.com/user-attachments/files/25252363/documenso_qr_body.html)
documenso_qr_headers.txt (https://github.com/user-attachments/files/25252362/documenso_qr_headers.txt)

Operating System [e.g., Windows 10]

Kali Linux (VM)

Browser [e.g., Chrome, Firefox]

N/A (curl reproduction)

Version [e.g., 2.0.1]

app.documenso.com

Please check the boxes that apply to this issue report.

  • [x] I have searched the existing issues to make sure this is not a duplicate.
  • [x] I have provided steps to reproduce the issue.
  • [x] I have included relevant environment information.
  • [x] I have included any relevant screenshots.
  • [x] I understand that this is a voluntary contribution and that there is no guarantee of resolution.
  • [ ] I want to work on creating a PR for this issue if approved
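The fix the report asks for, shown as an added example that is not Documenso's code: a loader for a /share/:slug style route in which an ORM "record not found" exception for a qr_ token is turned into a 404 instead of propagating to the framework's root error boundary as a 500. The NotFoundError class, the in-memory ENVELOPES table, findEnvelopeByAccessTokenOrThrow and the LoaderResult shape are all stand-ins constructed for this example; the real route, get-document-by-access-token.ts and the Prisma client are not used here.

```typescript
// Added example (not the project's code). Demonstrates handling a "not found"
// lookup as a normal outcome (404 / redirect) rather than an unhandled exception.

// Hypothetical stand-in for the ORM's "record not found" error type.
class NotFoundError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "NotFoundError";
  }
}

// Minimal response shape so the example runs without a web framework.
interface LoaderResult {
  status: number;
  body?: unknown;
  location?: string;
}

// Constructed sample data standing in for the envelope table.
const ENVELOPES: Record<string, { id: number; title: string }> = {
  qr_validtoken0001: { id: 42, title: "Sample agreement" },
};

// Mirrors the findFirstOrThrow contract: return the record or throw.
function findEnvelopeByAccessTokenOrThrow(token: string): { id: number; title: string } {
  const envelope = ENVELOPES[token];
  if (!envelope) {
    throw new NotFoundError(`no envelope for access token ${token}`);
  }
  return envelope;
}

// Pattern the report describes: the lookup may throw and nothing catches it,
// so the framework's ErrorBoundary renders a generic 500 page.
function loaderBefore(slug: string): LoaderResult {
  if (slug.startsWith("qr_")) {
    const envelope = findEnvelopeByAccessTokenOrThrow(slug); // unhandled on miss
    return { status: 200, body: { id: envelope.id, title: envelope.title } };
  }
  return { status: 302, location: "https://documenso.com" };
}

// Hardened pattern: a missing token is an expected condition and gets a 404.
// Anything that is not a NotFoundError is rethrown so real faults still surface.
function loaderAfter(slug: string): LoaderResult {
  if (slug.startsWith("qr_")) {
    try {
      const envelope = findEnvelopeByAccessTokenOrThrow(slug);
      return { status: 200, body: { id: envelope.id, title: envelope.title } };
    } catch (err) {
      if (err instanceof NotFoundError) {
        return { status: 404, body: "Not Found" };
      }
      throw err;
    }
  }
  return { status: 302, location: "https://documenso.com" };
}
```

The same outcome can be reached one layer down by having the lookup use findFirst and return null, which the loader then maps to a 404; the important property either way is that an unknown token never reaches the root error boundary, so unauthenticated requests for random tokens stop producing 500s, error-page renders and alert noise.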

@github-actions[bot] commented on GitHub (Feb 12, 2026):

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as possible 💚

Meanwhile, please feel free to hop into our community in Discord (https://documen.so/discord)
