The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openai	Ready	Preview, Comment	Mar 12, 2026 0:50am

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and architecture of internal service communication by introducing a dedicated internal service token. It refactors the auth-worker to clearly delineate public and internal API routes, ensuring that sensitive worker-to-worker interactions are properly authenticated. Furthermore, ESPN onboarding processes have been shifted to the Next.js server, streamlining the deployment and access patterns for platform workers. These changes collectively improve the robustness and maintainability of the system's internal boundaries.

Highlights

• Internal Service Authentication: Introduced a new INTERNAL_SERVICE_TOKEN for secure, worker-to-worker communication, hardening internal API boundaries across the system.
• Auth-Worker Refactor: Split auth-worker routes into public (Clerk-only) and internal (requiring INTERNAL_SERVICE_TOKEN in addition to user authentication) endpoints, enhancing security and clarity of access control.
• ESPN Onboarding Migration: Moved ESPN manual onboarding logic (auto-pull and discover seasons) from the espn-client worker to Next.js server routes, allowing platform workers to be binding-only in production/preview environments.
• Platform Worker Updates: All platform workers (ESPN, Yahoo, Sleeper) were updated to utilize the new internal service token for secure communication with the auth-worker and other internal services.
• Cloudflare Rate Limiting: Migrated auth-worker rate limit configurations to Cloudflare native ratelimits in wrangler.jsonc for improved performance and validation, ensuring constant-time internal token checks.

PR Review: Harden internal worker boundaries

Good security-focused refactor. Separating public Clerk-only routes from internal X-Flaim-Internal-Token-gated routes is sound, and the constant-time comparison for the internal token is a nice touch.

BUGS / CORRECTNESS

1. discover-seasons/route.ts sport guard is inconsistent with runEspnDiscoverSeasons

The route still restricts to baseball/football only, but runEspnDiscoverSeasons accepts all four sports via normalizeSport. Basketball/hockey discovery is silently blocked at the route layer while the underlying logic supports it. If intentional, add a comment; if not, remove or align the guard.

2. Duplicate retry block in runEspnDiscoverSeasons (espn-onboarding.ts ~lines 978-1046)

The success/save/error-handling block after the one-second retry is an exact copy (~70 lines) of the first-try block. Extract a helper like processDiscoveredSeason(info, year, ...) to eliminate the duplication and reduce future divergence risk.

3. Fragile 403 vs 401 status determination via string matching

This pattern appears in at least 5 handlers in index-hono.ts. The 403/401 choice is determined by whether authError string contains the header name or a specific phrase. Any wording change silently breaks the status code. Consider adding an isInternalAuthFailure boolean field to AuthResult returned by getInternalUserId, and key off that flag instead.

SECURITY

4. leagueId interpolated into URL path without encoding

In espn-onboarding.ts, patchLeagueTeam builds its URL with leagueId directly interpolated into the path. leagueId comes from user-supplied request body. If it contains / or ? the path is malformed. Use encodeURIComponent(leagueId) here and in the equivalent call in yahoo-client resolveUserTeamKey.

5. ESPN raw credentials now flow through the Next.js server

web/lib/server/espn-onboarding.ts now fetches raw SWID/S2 cookies server-side and forwards them directly to ESPN. This is a broader trust boundary than the old worker-only path. Acceptable given INTERNAL_SERVICE_TOKEN gates the credential fetch, but worth a comment near fetchEspnCredentials documenting the trade-off.

CODE QUALITY / MAINTAINABILITY

6. requireInternalService is copy-pasted across three workers

The same ~20-line helper appears in espn-client/src/index.ts, sleeper-client/src/index.ts, and yahoo-client/src/index.ts. It belongs in workers/shared/src/internal-service.ts as an exported factory or Hono middleware.

7. Rate limit config duplicated 3x in auth-worker/wrangler.jsonc

The ratelimits block is identical across prod, preview, and dev. Wrangler supports a top-level ratelimits key that environments can override, reducing drift risk.

8. workers_dev: false - confirm dev environments still work locally

Disabling .workers.dev is correct for prod isolation. The authWorkerFetch URL fallback now throws in production-like environments (good fail-closed design). Confirm dev environment configs retain workers_dev: true for espn-client, sleeper-client, and yahoo-client so local wrangler dev still functions.

POSITIVE HIGHLIGHTS

• constantTimeEqual in internal-service.ts is correctly implemented with SHA-256 digests.
• isProductionLikeEnvironment throwing on a missing binding in prod/preview is correct fail-closed design.
• Removing authHeader from the JSON body of /execute requests in favor of the HTTP Authorization header is cleaner and more standard.
• The CI wrangler dry-run validation step with Unexpected fields detection is a useful config regression safeguard.
• Tests for internal token rejection across auth-worker and platform workers are comprehensive.

MINOR NIT

In auto-pull/route.ts, the console.error log before returning 401 on a missing bearer token was removed. Probably intentional, but worth confirming since it helped debug token issues in production.

PR Review: Harden internal worker boundaries

This is a solid and well-scoped security PR. The core ideas — moving authHeader out of the request body, splitting public/internal routes, requiring X-Flaim-Internal-Token on all worker-to-worker paths, and disabling workers_dev — are all the right moves. Test coverage is good and the espn-onboarding.ts migration is clean. A few things worth examining before merge:

🔴 Potential Routing Bug — Verify Service Binding Path

workers/fantasy-mcp/src/index.ts and mcp/tools.ts

The service binding URL changed from https://internal/auth/introspect → https://internal/internal/introspect.

The auth-worker eval tests make requests to /auth/internal/introspect, which implies the api sub-router is mounted at /auth in the root Hono app. If that's the case, the full path to api.get('/internal/introspect') is /auth/internal/introspect, not /internal/introspect. A service binding call to https://internal/internal/introspect would receive a 404.

The integration tests mock AUTH_WORKER, so they don't exercise the auth-worker's internal routing. Please confirm that either:

• The auth-worker has a separate root-level mount at /internal/... for service binding access, or
• The service binding path should be https://internal/auth/internal/introspect

If this is wrong, the introspect call will silently fail closed (returns non-OK → 401 to the user).

🟡 CI Validation Assertions Are Silent Failures

.github/workflows/deploy-workers.yml lines 19–20

printf '%s\n' "$output" | grep -q 'env.TOKEN_RATE_LIMITER'
printf '%s\n' "$output" | grep -q 'env.CREDENTIALS_RATE_LIMITER'

Neither line has || exit 1. Without set -e, a failing grep -q just returns a non-zero exit code and the step continues. These assertions are currently no-ops if the pattern is missing.

Fix:

printf '%s\n' "$output" | grep -q 'env.TOKEN_RATE_LIMITER' || { echo "TOKEN_RATE_LIMITER binding missing"; exit 1; }
printf '%s\n' "$output" | grep -q 'env.CREDENTIALS_RATE_LIMITER' || { echo "CREDENTIALS_RATE_LIMITER binding missing"; exit 1; }

🟡 Duplicated requireInternalService Function

espn-client/src/index.ts, sleeper-client/src/index.ts, yahoo-client/src/index.ts

The same ~15-line Hono middleware pattern is copy-pasted verbatim into all three workers. @flaim/worker-shared already provides hasValidInternalServiceToken and INTERNAL_SERVICE_TOKEN_HEADER, but the Hono-specific wrapper isn't shared. If a fourth platform worker is added, this pattern will be duplicated again. Consider a shared createInternalAuthMiddleware helper in the shared library or a note to track this.

🟡 Duplicated "Save Season" Logic in runEspnDiscoverSeasons

web/lib/server/espn-onboarding.ts lines ~926–953 and ~997–1024

The success-path "save discovered season" block (addLeague / 409→patchLeagueTeam / 400 LIMIT_EXCEEDED) is copy-pasted for the retry path. The only difference is info vs retry. This is ~50 lines of duplicated logic. Extracting a saveDiscoveredSeason(authHeader, leagueId, targetSport, year, seasonData, correlationId) helper would make both paths cleaner and prevent divergence.

🟡 Fragile Error-Code Discrimination for 403 vs 401

workers/auth-worker/src/index-hono.ts lines ~1468, ~1607, ~1670, ~1702, ~1734

The HTTP status selection uses string matching:

const status = authError?.includes(INTERNAL_SERVICE_TOKEN_HEADER) 
  || authError?.includes('Internal service authentication') ? 403 : 401;

This pattern appears 4–5 times. If the error message in requireInternalService is ever reworded, the status logic silently breaks. A small structured discriminant (e.g., returning { userId, errorCode: 'MISSING_INTERNAL_TOKEN' | 'INVALID_USER' | ... } from getInternalUserId) would eliminate the string parsing.

🟢 Minor: Content-Type on GET Request

web/lib/server/espn-onboarding.ts line ~562 (getUserLeagues)

headers: buildAuthHeaders(authHeader, correlationId, true),  // true = includeJson

GET /leagues doesn't have a body, so setting Content-Type: application/json is technically incorrect (and could confuse some proxies/CDNs). Pass false or omit the flag here.

🟢 Minor: discover-seasons Route Sport Restriction is Inconsistent

web/app/api/espn/discover-seasons/route.ts line ~14

The route pre-validates sport !== 'baseball' && sport !== 'football', but runEspnDiscoverSeasons in espn-onboarding.ts supports all four sports via normalizeSport. The route-level gate makes discover-seasons silently unavailable for basketball/hockey. If this restriction is intentional, a comment explaining why would help future readers (and the error should say "currently only baseball and football are supported").

✅ What's Good

• Removing authHeader from request bodies is the right call — auth material should never travel in a JSON body where it could be logged or forwarded.
• Constant-time comparison (constantTimeEqual via SHA-256) in internal-service.ts is correctly implemented and consistent with the auth-worker's own implementation.
• workers_dev: false on ESPN, Sleeper, and Yahoo clients in prod/preview correctly removes the public .workers.dev URL surface from platform workers that are now binding-only.
• Test coverage for the new internal token checks is solid — the "rejects without internal token" tests in routing.test.ts and eval-api-key.test.ts are exactly what's needed.
• authWorkerFetch throwing in production when the service binding is missing (rather than falling through to a URL) is a good fail-safe.

The routing question is the main thing I'd want confirmed before merging — everything else is safe to defer or fix in follow-up.