• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

decentraland / comms-gatekeeper
85%
main: 85%

Build:
Build:
LAST BUILD BRANCH: 2.28.0
DEFAULT BRANCH: main
Repo Added 17 Oct 2024 08:45PM UTC
Token H9CF0YzviAGXBYzx8ZZY8Lv8V4wtqKxTm regen
Build 828 Last
Files 151
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH 2.28.0
branch: 2.28.0
CHANGE BRANCH
x
Reset
Sync Branches
  • 2.28.0
  • 1.1.0
  • 1.1.1
  • 1.2.0
  • 1.2.1
  • 1.3.0
  • 2.0.0
  • 2.0.1
  • 2.1.0
  • 2.1.1
  • 2.10.0
  • 2.11.0
  • 2.12.0
  • 2.13.0
  • 2.13.1
  • 2.13.2
  • 2.14.0
  • 2.15.0
  • 2.16.0
  • 2.17.0
  • 2.17.1
  • 2.18.0
  • 2.19.0
  • 2.19.1
  • 2.19.2
  • 2.19.3
  • 2.2.0
  • 2.2.1
  • 2.20.0
  • 2.20.1
  • 2.21.0
  • 2.21.1
  • 2.22.0
  • 2.23.0
  • 2.24.0
  • 2.25.0
  • 2.26.0
  • 2.26.1
  • 2.26.2
  • 2.26.3
  • 2.26.4
  • 2.27.0
  • 2.27.1
  • 2.3.0
  • 2.4.0
  • 2.6.0
  • 2.6.1
  • 2.7.0
  • 2.8.0
  • 2.9.0
  • add-ai-agent-context-to-readme
  • chore/WKC-presentation
  • chore/add-agents-file
  • chore/add-debugging-logs-for-room-started-handler
  • chore/bump-node
  • chore/bump-upstream-fetch-http-server
  • chore/pin-node-24-base-image
  • chore/update-dcl-schemas
  • chore/update-node-24
  • chore/use-docs-generic-action
  • coverage
  • dependabot/npm_and_yarn/dcl/analytics-component-0.2.3
  • dependabot/npm_and_yarn/dcl/analytics-component-0.2.4
  • dependabot/npm_and_yarn/dcl/analytics-component-0.2.5
  • dependabot/npm_and_yarn/dcl/analytics-component-0.2.6
  • dependabot/npm_and_yarn/dcl/analytics-component-0.2.7
  • dependabot/npm_and_yarn/dcl/analytics-component-0.2.8
  • dependabot/npm_and_yarn/dcl/analytics-component-1.0.5
  • dependabot/npm_and_yarn/dcl/crypto-3.7.0
  • dependabot/npm_and_yarn/dcl/crypto-middleware-5.0.0
  • dependabot/npm_and_yarn/dcl/eslint-config-2.2.1
  • dependabot/npm_and_yarn/dcl/eslint-config-2.3.0
  • dependabot/npm_and_yarn/dcl/eslint-config-2.3.1
  • dependabot/npm_and_yarn/dcl/eslint-config-2.4.3
  • dependabot/npm_and_yarn/dcl/features-component-1.0.2
  • dependabot/npm_and_yarn/dcl/http-server-2.2.1
  • dependabot/npm_and_yarn/dcl/platform-crypto-middleware-1.1.0
  • dependabot/npm_and_yarn/dcl/platform-server-commons-1.0.1
  • dependabot/npm_and_yarn/dcl/schemas-16.11.0
  • dependabot/npm_and_yarn/dcl/schemas-16.12.0
  • dependabot/npm_and_yarn/dcl/schemas-16.13.0
  • dependabot/npm_and_yarn/dcl/schemas-16.14.0
  • dependabot/npm_and_yarn/dcl/schemas-16.6.4
  • dependabot/npm_and_yarn/dcl/schemas-16.9.0
  • dependabot/npm_and_yarn/dcl/schemas-17.0.0
  • dependabot/npm_and_yarn/dcl/schemas-17.1.0
  • dependabot/npm_and_yarn/dcl/schemas-17.2.0
  • dependabot/npm_and_yarn/dcl/schemas-18.0.0
  • dependabot/npm_and_yarn/dcl/schemas-18.3.0
  • dependabot/npm_and_yarn/dcl/schemas-18.8.0
  • dependabot/npm_and_yarn/dcl/schemas-19.0.0
  • dependabot/npm_and_yarn/dcl/schemas-19.3.0
  • dependabot/npm_and_yarn/dcl/schemas-19.4.0
  • dependabot/npm_and_yarn/dcl/schemas-19.4.1
  • dependabot/npm_and_yarn/dcl/schemas-19.6.0
  • dependabot/npm_and_yarn/dcl/schemas-19.8.0
  • dependabot/npm_and_yarn/dcl/schemas-20.2.0
  • dependabot/npm_and_yarn/dcl/schemas-20.3.0
  • dependabot/npm_and_yarn/dcl/schemas-22.0.0
  • dependabot/npm_and_yarn/dcl/sns-component-3.0.1
  • dependabot/npm_and_yarn/dcl/sns-component-3.0.2
  • dependabot/npm_and_yarn/well-known-components/fetch-component-3.0.0
  • dependabot/npm_and_yarn/well-known-components/interfaces-1.4.3
  • dependabot/npm_and_yarn/well-known-components/interfaces-1.5.1
  • dependabot/npm_and_yarn/well-known-components/interfaces-1.5.2
  • dependabot/npm_and_yarn/well-known-components/test-helpers-1.5.8
  • docs-update
  • docs/adapt-to-new-docs-workflow
  • docs/add-endpoint-docs
  • docs/ai
  • docs/ai-context
  • docs/banned-name-is-optional
  • docs/confusing-required-props-for-bans-and-admins
  • docs/fix-docs-workflow-usage
  • docs/fix-publish
  • docs/force-publish
  • docs/forcing-re-deploy
  • docs/improve-openapi-description
  • docs/rename-api-spec
  • docs/standarize-readme-schemas-and-agent-context
  • docs/test-api-reference-file
  • docs/update-list-bans-response
  • docs/use-docs-generic-action
  • docs/users-can-also-be-banned-by-name
  • feat/add-analytics
  • feat/add-generate-links
  • feat/add-logs
  • feat/add-names-to-get-admins
  • feat/add-owner-and-operators-in-list-admins
  • feat/add-private-voice-chat
  • feat/add-profile-to-metadata
  • feat/add-scene-room-creds-to-cast
  • feat/add-schema-validator-component
  • feat/add-support-for-multi-world-scenes
  • feat/add-support-for-world-rooms
  • feat/add-tracing
  • feat/add-try-catch
  • feat/add-world-bans-check
  • feat/all-active-voice-chats-endpoint
  • feat/allow-adding-scene-admins-by-name
  • feat/allow-banning-unbanning-by-name
  • feat/authorative-server
  • feat/ban-user-from-scene
  • feat/bans-check
  • feat/bot-presenter-handler
  • feat/bump-crypto-middleware-4.1.0
  • feat/cache-deny-list
  • feat/cache-response-of-fetch-entity-by-id
  • feat/cast-endpoints
  • feat/catch-ingress-not-found
  • feat/change-manual-deploy
  • feat/check-community-calls-ongoing
  • feat/communities-voice-actions
  • feat/communities-voice-chat-store-role
  • feat/community-voice-chat
  • feat/componenterize-blocklist
  • feat/end-community-call
  • feat/enhance-handler
  • feat/expire-rooms
  • feat/filter-local-preview-realm
  • feat/forward-livekit-messages-to-dwh
  • feat/generate-stream-link-get
  • feat/get-private-conversations-room-token
  • feat/get-scene-adapter-should-fail-for-banned-users
  • feat/get-social-privacy-settings-for-metadata
  • feat/get-stream-info-endpoint
  • feat/http-server-for-http2
  • feat/identity
  • feat/identity-handling
  • feat/kick-banned-users
  • feat/land-validation
  • feat/linker-server
  • feat/list-and-revoke-stream-access
  • feat/listen-livekit-webhook
  • feat/livekit-receive-webhook
  • feat/livekit-webhook-handler
  • feat/livekit-webhook-handler-2
  • feat/logs
  • feat/moderator-token-auth
  • feat/move-user-joined-event-to-event-joining-process
  • feat/mute-metadata
  • feat/notifications
  • feat/notify-moderation-events
  • feat/patch-social-privacy-settings
  • feat/places-checker
  • feat/platform-bans-check
  • feat/player-connection-info-device-ip-bans
  • feat/prevent-request-from-being-blocked
  • feat/publish-all-room-join-and-left-events
  • feat/publish-community-streaming-ended-event
  • feat/publish-user-left-room-event
  • feat/re-discovery-changes
  • feat/reject-request-to-speak
  • feat/remove-bans-from-disabled-places
  • feat/remove-old-key
  • feat/reset-logs
  • feat/reset-streaming-key
  • feat/return-world-other-permissions-addresses
  • feat/revoke-endpoint
  • feat/save-speaker-in-metadata
  • feat/scene-admins-for-multiplayer
  • feat/send-notifications-when-ban-unban-from-scene
  • feat/send-the-disconnection-reason-to-analytics
  • feat/setup-scene-admin-addapters-and-controllers
  • feat/sns-component
  • feat/sqs-message
  • feat/store-is-speaker-in-metadata-by-default
  • feat/stream-acces-migretion-adapter
  • feat/stream-link-gen
  • feat/streaming-image
  • feat/streaming-key-ttl-checker
  • feat/streaming-ttl-checker
  • feat/support-getting-community-voice-chat-status-in-bulk
  • feat/support-http2
  • feat/support-listing-bans-from-a-scene
  • feat/support-unban-user-from-scene
  • feat/update-explorer-url
  • feat/update-livekit-metadata-with-bans-info
  • feat/update-metadata-with-bans-after-room-creation
  • feat/upgrade-livekit-sdk
  • feat/use-admin-smart-item-world-scene-wise
  • feat/use-token-middleware
  • feat/user-moderation
  • feat/validate-world-stream-permissions
  • feature/ip-banning
  • fix/active-community-calls-endpoint
  • fix/add-debugging-voice-chat-logs
  • fix/add-metadata-validator-to-bans
  • fix/add-missing-update-operators
  • fix/add-more-voice-logging
  • fix/allow-owners-to-access-their-worlds
  • fix/avoid-fetching-places-using-undefined-parcels
  • fix/banned-users-cannot-be-admins
  • fix/bans
  • fix/cache-effectiveness-across-adapters
  • fix/cache-instance-per-call
  • fix/cancel-undrained-response-bodies
  • fix/cast-and-streaming-access-generations-for-multi-scene-worlds
  • fix/cast-expiration-time
  • fix/cast-room-id
  • fix/cast-stream-access-missing-ingress
  • fix/change-auth-token
  • fix/check-world-owner
  • fix/community-voice-chats-expiring-job
  • fix/community-voice-stale-participant-left
  • fix/correctly-check-for-body-user-metadata
  • fix/denylist
  • fix/ends-time
  • fix/env-var-auth-server
  • fix/expired-query
  • fix/failing-tests
  • fix/github-actions
  • fix/ingress-id-unique-error
  • fix/ingress-not-being-deleted
  • fix/ingress-options
  • fix/kick
  • fix/land-lease-multiple-authorizations-bug
  • fix/livekit-handler
  • fix/livekit-host
  • fix/livekit-host-procol
  • fix/lowercase-address
  • fix/metadata
  • fix/metadata-profile
  • fix/only-fire-end-event-on-closing-call
  • fix/parcels-endpoint-throwing
  • fix/participant-id
  • fix/place-search-response
  • fix/place-world-migration
  • fix/places-id-migration
  • fix/preserve-player-connection-info-on-null-upsert
  • fix/preview-room-name-uses-scene-id
  • fix/print-status-code-on-fetch-error
  • fix/privacy-settings-fetching
  • fix/remove-streaming-key
  • fix/remove-unused-handler
  • fix/resolve-world-scene-id-before-checking-ban
  • fix/respond-with-404-when-name-owner-not-found
  • fix/respond-with-livekit-connection-url
  • fix/restful-moderation
  • fix/return-created_at-as-number
  • fix/scene-admin-500-when-no-profiles-resolve
  • fix/security-audit-findings
  • fix/streaming-key
  • fix/suppress-preview-room-events
  • fix/test
  • fix/test-voice-chat-room-hook
  • fix/tests
  • fix/update-readme
  • fix/use-correct-metadata-validator
  • fix/use-improved-lamb2-land-api
  • fix/use-webhook-event-room-when-room-started
  • fix/voice-chat-room-deletion
  • fix/world-streaming
  • fix/wss-adapter
  • gonpombo8-patch-1
  • main
  • pentreathm-patch-1
  • pentreathm-patch-2
  • refactor/add-scene-ban-input-camel-cased
  • refactor/change-terminlogy-blacklister-to-denylister
  • refactor/localpreview-fallback-cleanup
  • refactor/native-fetch-migration
  • refactor/replace-wkc-with-dcl-components
  • refactor/room-metadata-sync
  • refs/tags/1.0.0
  • refs/tags/1.0.1
  • revert-logging
  • test/duplicate-instance-for-testing-purposes
  • test/livekit
  • update/list-admins

02 Jul 2026 07:26PM UTC coverage: 85.372% (+0.03%) from 85.347%
28883399890

push

github

web-flow
fix: address security audit findings (access control, disclosure, hardening) (#276)

* fix: address security audit findings across access control and hardening

Resolves the findings from a full-codebase security review.

Access control (HIGH):
- Bind LiveKit streaming-key issuance and scene-ban checks to the sceneId that
  forms the room, not a separately-supplied parcel. Previously the admin/ban
  check ran against a place resolved from an unvalidated parcel while the
  room/key was derived from sceneId, allowing cross-scene stream injection and
  a scene-ban bypass via mismatched parcel/sceneId.
- generate-stream-link resolves a world-name-as-sceneId to the real content
  hash so the room and place stay consistent (mirrors comms-scene-handler).
- Require signed-fetch auth on /cast/watcher-token and enforce scene bans on the
  viewer, so a banned user can't rejoin a scene's comms room as a watcher.

Disclosure & secrets (MEDIUM):
- /users/:address/bans (unauthenticated) now returns only user-facing fields
  (isBanned, expiresAt, customMessage), not moderator identity, device id, or
  reason.
- Stop logging the ingress streamKey / ingest URL.
- Remove the committed COMMS_GATEKEEPER_AUTH_TOKEN default from .env.default so
  requireString fails fast; tests get a fixture value via jest setup.
- Add encodeURIComponent to user-influenced URL segments in places/worlds/social.

Robustness & hardening (LOW):
- Close a duplicate-active-ban race with a transaction-scoped advisory lock.
- Add a non-unique partial index on scene_stream_access(ingress_id) (dropped
  with the old unique constraint); guard streaming writes against empty ingress_id.
- Lowercase address in the private voice-chat status lookup.
- Dedup + ON CONFLICT in createVoiceChatRoom; bound bulk community_ids (maxItems).
- Overlap guard on the streaming-key TTL cron; deactivate empty-ingress expired
  rows by place in the streaming TTL cron.
- Protect land-lease holders from scene bans; return 40... (continued)

1121 of 1436 branches covered (78.06%)

Branch coverage included in aggregate %.

85 of 94 new or added lines in 21 files covered. (90.43%)

4 existing lines in 1 file now uncovered.

3081 of 3486 relevant lines covered (88.38%)

75.03 hits per line

Relevant lines Covered
Build:
Build:
3486 RELEVANT LINES 3081 COVERED LINES
75.03 HITS PER LINE
Source Files on 2.28.0
  • Tree
  • List 151
  • Changed 100
  • Source Changed 22
  • Coverage Changed 100
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
28883399890 2.28.0 fix: address security audit findings (access control, disclosure, hardening) (#276) * fix: address security audit findings across access control and hardening Resolves the findings from a full-codebase security review. Access control (HIGH): - ... push 07 Jul 2026 04:51PM UTC web-flow github
85.37
See All Builds (825)

Badge your Repo: comms-gatekeeper

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Could not find badge in README.

Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

Refresh
  • Settings
  • Repo on GitHub
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc