Merge pull request #131 from IAOON/fix/126-filter-future-posts

Author: dahlia

.env.sample

@@ -25,3 +25,4 @@ PLAUSIBLE=false
 LOG_QUERY=false
 # graphql requires EMAIL_FROM or MAILGUN_FROM
 EMAIL_FROM=[email protected]
+FUTURE_TIMESTAMP_TOLERANCE=300000

CONTRIBUTING.md

@@ -142,6 +142,12 @@ and set the values of the variables according to your environment.
 >     for summarizing and translating posts using LLMs.  You can use
 >     [Anthropic] and [Google Generative AI] accounts for this.  However, if
 >     you won't test these features, you can omit these variables.
+>
+>  -  `FUTURE_TIMESTAMP_TOLERANCE` is the tolerance period in milliseconds for
+>     posts with future timestamps. Posts published more than this time in the
+>     future will be filtered out from timelines. Default value is 300000 (5
+>     minutes). This helps prevent malicious or misconfigured remote servers
+>     from disrupting timeline order with posts that have future timestamps.
 
 
 Creating a database schema

models/timeline.ts

@@ -20,6 +20,25 @@ import {
   timelineItemTable,
 } from "./schema.ts";
 
+export const FUTURE_TIMESTAMP_TOLERANCE = (() => {
+  const envValue = Deno.env.get("FUTURE_TIMESTAMP_TOLERANCE");
+  if (!envValue) return 300000;
+
+  const parsed = parseInt(envValue, 10);
+  if (isNaN(parsed) || parsed < 0) {
+    console.warn(
+      `Invalid FUTURE_TIMESTAMP_TOLERANCE: "${envValue}", using default 300000`,
+    );
+    return 300000;
+  }
+
+  return parsed;
+})();
+
+function getFutureTimestampLimit(): Date {
+  return new Date(Date.now() + FUTURE_TIMESTAMP_TOLERANCE);
+}
+
 export async function addPostToTimeline(
   db: Database,
   post: Post,
@@ -235,6 +254,7 @@ export async function getPublicTimeline(
     window,
   }: PublicTimelineOptions,
 ): Promise<TimelineEntry[]> {
+  const futureTimestampLimit = getFutureTimestampLimit();
   const posts = await db.query.postTable.findMany({
     with: {
       actor: {
@@ -401,6 +421,7 @@ export async function getPublicTimeline(
           ...(withoutShares ? { sharedPostId: { isNull: true } } : undefined),
           ...(postType == null ? undefined : { type: postType }),
           ...(until == null ? undefined : { published: { lte: until } }),
+          published: { lte: futureTimestampLimit },
         },
       ],
     },
@@ -430,6 +451,7 @@ export async function getPersonalTimeline(
     window,
   }: PersonalTimelineOptions,
 ): Promise<TimelineEntry[]> {
+  const futureTimestampLimit = getFutureTimestampLimit();
   const timeline = await db.query.timelineItemTable.findMany({
     with: {
       post: {
@@ -559,6 +581,11 @@ export async function getPersonalTimeline(
           currentAccount.hideForeignLanguages && currentAccount.locales != null
             ? { language: { in: currentAccount.locales } }
             : {},
+          {
+            published: {
+              lte: futureTimestampLimit,
+            },
+          },
         ],
       },
       ...(withoutShares ? { originalAuthorId: { isNotNull: true } } : {}),