fix: address critical security and reliability issues

Address all critical issues identified in code review:

Security fixes:
- Add UUID validation for recordingId parameters (prevents path traversal)
- Improve platform detection to only fallback to title-based when URL unavailable
- Add warning logs when using title-only detection

Reliability improvements:
- Set sdkInitialized flag early to prevent race conditions
- Add check for existing posthogClient to prevent duplicate initialization
- Improve error messages in IPC handlers with actionable guidance
- Add SDK state checks alongside client checks

These changes eliminate potential attack vectors and improve
robustness of the Recall SDK integration.

Author: lucasheriques

src/api/posthogClient.ts

@@ -251,6 +251,20 @@ export class PostHogAPIClient {
   }
 
   // Desktop Recordings API
+  private validateRecordingId(recordingId: string): void {
+    if (!recordingId || typeof recordingId !== "string") {
+      throw new Error("Recording ID is required");
+    }
+    // UUID format validation (PostHog uses UUIDs for recording IDs)
+    if (
+      !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(
+        recordingId,
+      )
+    ) {
+      throw new Error("Invalid recording ID format");
+    }
+  }
+
   async createDesktopRecordingUpload(platform: string = "desktop_audio") {
     const teamId = await this.getTeamId();
     const url = new URL(
@@ -275,6 +289,7 @@ export class PostHogAPIClient {
   }
 
   async getDesktopRecording(recordingId: string) {
+    this.validateRecordingId(recordingId);
     const teamId = await this.getTeamId();
     const url = new URL(
       `${this.api.baseUrl}/api/environments/${teamId}/desktop_recordings/${recordingId}/`,
@@ -293,6 +308,7 @@ export class PostHogAPIClient {
   }
 
   async getDesktopRecordingTranscript(recordingId: string) {
+    this.validateRecordingId(recordingId);
     const teamId = await this.getTeamId();
     const url = new URL(
       `${this.api.baseUrl}/api/environments/${teamId}/desktop_recordings/${recordingId}/transcript/`,
@@ -341,6 +357,7 @@ export class PostHogAPIClient {
   }
 
   async deleteDesktopRecording(recordingId: string) {
+    this.validateRecordingId(recordingId);
     const teamId = await this.getTeamId();
     const url = new URL(
       `${this.api.baseUrl}/api/environments/${teamId}/desktop_recordings/${recordingId}/`,
@@ -365,6 +382,7 @@ export class PostHogAPIClient {
       video_url?: string;
     },
   ) {
+    this.validateRecordingId(recordingId);
     const teamId = await this.getTeamId();
     const url = new URL(
       `${this.api.baseUrl}/api/environments/${teamId}/desktop_recordings/${recordingId}/`,

src/main/services/recallRecording.ts

@@ -22,11 +22,20 @@ export function initializeRecallSDK(
   posthogHost: string,
 ) {
   if (sdkInitialized) {
+    console.warn("[Recall SDK] Already initialized, skipping");
+    return;
+  }
+
+  if (posthogClient) {
+    console.warn(
+      "[Recall SDK] Client already exists, preventing re-initialization",
+    );
     return;
   }
 
   console.log("[Recall SDK] Initializing...");
 
+  sdkInitialized = true;
   posthogClient = new PostHogAPIClient(posthogKey, posthogHost);
 
   RecallAiSdk.init({
@@ -39,8 +48,6 @@ export function initializeRecallSDK(
     restartOnError: true,
   });
 
-  sdkInitialized = true;
-
   console.log("[Recall SDK] Ready. Listening for meetings...");
 
   RecallAiSdk.addEventListener("permissions-granted", async () => {
@@ -199,28 +206,50 @@ function detectPlatform(window: { url?: string; title?: string }): string {
     // Invalid URL, fall back to title-based detection only
   }
 
-  if (
-    hostname === "zoom.us" ||
-    hostname.endsWith(".zoom.us") ||
-    title.includes("zoom")
-  ) {
+  if (hostname === "zoom.us" || hostname.endsWith(".zoom.us")) {
     return "zoom";
   }
 
   if (
     hostname === "teams.microsoft.com" ||
-    hostname.endsWith(".teams.microsoft.com") ||
-    title.includes("teams")
+    hostname.endsWith(".teams.microsoft.com")
   ) {
     return "teams";
   }
 
-  if (hostname === "meet.google.com" || title.includes("google meet")) {
+  if (hostname === "meet.google.com") {
     return "meet";
   }
 
-  if (title.includes("slack")) {
-    return "slack";
+  // Fallback to title-based detection only if URL is unavailable
+  if (!hostname) {
+    if (title.includes("zoom")) {
+      console.warn(
+        "[Recall SDK] Detecting Zoom via window title only (no URL available)",
+      );
+      return "zoom";
+    }
+
+    if (title.includes("teams")) {
+      console.warn(
+        "[Recall SDK] Detecting Teams via window title only (no URL available)",
+      );
+      return "teams";
+    }
+
+    if (title.includes("google meet")) {
+      console.warn(
+        "[Recall SDK] Detecting Meet via window title only (no URL available)",
+      );
+      return "meet";
+    }
+
+    if (title.includes("slack")) {
+      console.warn(
+        "[Recall SDK] Detecting Slack via window title only (no URL available)",
+      );
+      return "slack";
+    }
   }
 
   return "desktop_audio";
@@ -262,21 +291,36 @@ export function registerRecallIPCHandlers() {
 
   ipcMain.handle("notetaker:get-recordings", async () => {
     if (!posthogClient) {
-      throw new Error("PostHog client not initialized");
+      throw new Error(
+        "PostHog client not initialized. Please authenticate first.",
+      );
+    }
+    if (!sdkInitialized) {
+      throw new Error("Recall SDK not initialized");
     }
     return await posthogClient.listDesktopRecordings();
   });
 
   ipcMain.handle("notetaker:get-recording", async (_event, recordingId) => {
     if (!posthogClient) {
-      throw new Error("PostHog client not initialized");
+      throw new Error(
+        "PostHog client not initialized. Please authenticate first.",
+      );
+    }
+    if (!sdkInitialized) {
+      throw new Error("Recall SDK not initialized");
     }
     return await posthogClient.getDesktopRecording(recordingId);
   });
 
   ipcMain.handle("notetaker:delete-recording", async (_event, recordingId) => {
     if (!posthogClient) {
-      throw new Error("PostHog client not initialized");
+      throw new Error(
+        "PostHog client not initialized. Please authenticate first.",
+      );
+    }
+    if (!sdkInitialized) {
+      throw new Error("Recall SDK not initialized");
     }
     return await posthogClient.deleteDesktopRecording(recordingId);
   });