fix(embed): add middleware to authorize embed create document (with hard rate limit)

Author: btouchard

README.md

@@ -181,20 +181,24 @@ User authenticates via OAuth2 and signs with one click.
 
 **iFrame**:
 ```html
-<iframe src="https://your-domain.com/?doc=policy_2025"
+<iframe src="https://your-domain.com/embed?doc=policy_2025"
         width="600" height="200" frameborder="0"></iframe>
 ```
 
 **oEmbed** (Notion, Outline, Confluence):
 ```
-Just paste the URL - automatic embed via oEmbed discovery
+Paste the embed URL: https://your-domain.com/embed?doc=policy_2025
+Automatic embed via oEmbed discovery
 ```
 
 **Open Graph** (Slack, Teams):
 ```
+Paste direct URL: https://your-domain.com/?doc=policy_2025
 URL unfurls automatically with signature count
 ```
 
+> **Important**: Use `/embed?doc=...` for iframe integrations (Notion, Outline) and `/?doc=...` for direct links (emails, Slack).
+
 See [docs/en/features/embedding.md](docs/en/features/embedding.md) for details.
 
 ---

README_FR.md

@@ -181,20 +181,24 @@ L'utilisateur s'authentifie via OAuth2 et signe en un clic.
 
 **iFrame** :
 ```html
-<iframe src="https://votre-domaine.com/?doc=politique_2025"
+<iframe src="https://votre-domaine.com/embed?doc=politique_2025"
         width="600" height="200" frameborder="0"></iframe>
 ```
 
 **oEmbed** (Notion, Outline, Confluence) :
 ```
-Collez simplement l'URL - embed automatique via oEmbed discovery
+Collez l'URL embed : https://votre-domaine.com/embed?doc=politique_2025
+Embed automatique via oEmbed discovery
 ```
 
 **Open Graph** (Slack, Teams) :
 ```
+Collez l'URL directe : https://votre-domaine.com/?doc=politique_2025
 L'URL se déploie automatiquement avec le nombre de signatures
 ```
 
+> **Important** : Utilisez `/embed?doc=...` pour les intégrations iframe (Notion, Outline) et `/?doc=...` pour les liens directs (emails, Slack).
+
 Voir [docs/fr/features/embedding.md](docs/fr/features/embedding.md) pour les détails.
 
 ---

backend/internal/domain/models/document.go

@@ -44,3 +44,18 @@ func (d *Document) GetExpectedChecksumLength() int {
 		return 0
 	}
 }
+
+// GetDocID returns the document ID
+func (d *Document) GetDocID() string {
+	return d.DocID
+}
+
+// GetTitle returns the document title
+func (d *Document) GetTitle() string {
+	return d.Title
+}
+
+// GetURL returns the document URL
+func (d *Document) GetURL() string {
+	return d.URL
+}

backend/pkg/web/middleware_embed.go

@@ -0,0 +1,157 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+package web
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/btouchard/ackify-ce/backend/internal/domain/models"
+	"github.com/btouchard/ackify-ce/backend/pkg/logger"
+)
+
+type docService interface {
+	FindOrCreateDocument(ctx context.Context, ref string) (*models.Document, bool, error)
+}
+
+// webhookPublisher defines minimal publish capability
+type webhookPublisher interface {
+	Publish(ctx context.Context, eventType string, payload map[string]interface{}) error
+}
+
+// EmbedDocumentMiddleware creates documents on /embed access with strict rate limiting
+// This ensures documents exist before the SPA renders, without requiring authentication
+// The docServiceFn should be a function that calls FindOrCreateDocument
+func EmbedDocumentMiddleware(
+	docService docService,
+	publisher webhookPublisher,
+) func(http.Handler) http.Handler {
+	rateLimiter := newEmbedRateLimiter(2, time.Minute)
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Only intercept /embed path
+			if !strings.HasPrefix(r.URL.Path, "/embed") {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Check rate limit
+			ip := getClientIP(r)
+			if !rateLimiter.Allow(ip) {
+				logger.Logger.Warn("Embed rate limit exceeded",
+					"ip", ip,
+					"path", r.URL.Path)
+				// Let the request continue to SPA - frontend will handle the error display
+				// The frontend can check for rate limit errors via API calls
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Get doc ID from query parameter
+			docID := r.URL.Query().Get("doc")
+			if docID == "" {
+				// No doc parameter, let SPA handle it
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Try to create document if it doesn't exist
+			ctx := r.Context()
+			doc, isNew, err := docService.FindOrCreateDocument(ctx, docID)
+			if err != nil {
+				logger.Logger.Error("Failed to find/create document for embed",
+					"doc_id", docID,
+					"error", err.Error(),
+					"ip", ip)
+				// Continue to SPA anyway - it will handle the error
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			if isNew {
+				logger.Logger.Info("Document auto-created via embed view",
+					"doc_id", docID,
+					"ip", ip)
+
+				// Publish webhook event for auto-created documents
+				if publisher != nil {
+					_ = publisher.Publish(ctx, "document.created", map[string]interface{}{
+						"doc_id": doc.GetDocID(),
+						"title":  doc.GetTitle(),
+						"url":    doc.GetURL(),
+						"source": "embed_view",
+					})
+				}
+			}
+
+			// Continue to SPA
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// embedRateLimiter implements a simple IP-based rate limiter
+type embedRateLimiter struct {
+	attempts *sync.Map
+	limit    int
+	window   time.Duration
+}
+
+func newEmbedRateLimiter(limit int, window time.Duration) *embedRateLimiter {
+	return &embedRateLimiter{
+		attempts: &sync.Map{},
+		limit:    limit,
+		window:   window,
+	}
+}
+
+func (rl *embedRateLimiter) Allow(ip string) bool {
+	now := time.Now()
+
+	// Check current attempts
+	if val, ok := rl.attempts.Load(ip); ok {
+		attempts := val.([]time.Time)
+
+		// Filter out old attempts
+		var valid []time.Time
+		for _, t := range attempts {
+			if now.Sub(t) < rl.window {
+				valid = append(valid, t)
+			}
+		}
+
+		if len(valid) >= rl.limit {
+			return false
+		}
+
+		valid = append(valid, now)
+		rl.attempts.Store(ip, valid)
+	} else {
+		rl.attempts.Store(ip, []time.Time{now})
+	}
+
+	return true
+}
+
+func getClientIP(r *http.Request) string {
+	// Try X-Forwarded-For first (for proxies)
+	if forwarded := r.Header.Get("X-Forwarded-For"); forwarded != "" {
+		ips := strings.Split(forwarded, ",")
+		return strings.TrimSpace(ips[0])
+	}
+
+	// Try X-Real-IP
+	if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
+		return realIP
+	}
+
+	// Fallback to RemoteAddr
+	ip := r.RemoteAddr
+	if idx := strings.LastIndex(ip, ":"); idx != -1 {
+		ip = ip[:idx]
+	}
+	return ip
+}

backend/pkg/web/server.go

@@ -126,6 +126,13 @@ func NewServer(ctx context.Context, cfg *config.Config, frontend embed.FS, versi
 
 	router.Use(i18n.Middleware(i18nService))
 
+	// Embed middleware: intercepts /embed to ensure document exists (with strict rate limit)
+	// This runs BEFORE the SPA is served, allowing Notion/Outline embeds to work
+	router.Use(EmbedDocumentMiddleware(
+		documentService,
+		webhookPublisher,
+	))
+
 	apiConfig := api.RouterConfig{
 		AuthService:               authService,
 		SignatureService:          signatureService,

docs/en/features/embedding.md

@@ -2,6 +2,47 @@
 
 Integrate Ackify into your tools (Notion, Outline, Google Docs, etc.).
 
+## URL Formats: When to Use What
+
+Ackify provides two URL formats depending on your use case:
+
+### `/?doc=<id>` - Full Page Experience
+
+**Use for**:
+- Direct links in emails, chat messages
+- Standalone signature pages
+- When you want full navigation and context
+
+**Behavior**:
+- Full page with header, navigation, and footer
+- Optimized for direct user access
+- Complete branding and organization context
+
+**Example**:
+```
+https://sign.company.com/?doc=policy_2025
+```
+
+### `/embed?doc=<id>` - Embed-Optimized View
+
+**Use for**:
+- iFrame embeds in Notion, Outline, Confluence
+- Widget integrations in third-party platforms
+- When you want a clean, minimal interface
+
+**Behavior**:
+- Minimal interface without navigation
+- Optimized for small iframe containers
+- Focuses only on signature status and action button
+- No automatic redirects
+
+**Example**:
+```
+https://sign.company.com/embed?doc=policy_2025
+```
+
+> **Important**: For embedding in Notion/Outline, always use `/embed?doc=...` to avoid unwanted redirections and get the optimal embed experience.
+
 ## Integration Methods
 
 ### 1. Direct Link
@@ -27,7 +68,7 @@ https://sign.company.com/?doc=policy_2025
 To integrate in a web page:
 
 ```html
-<iframe src="https://sign.company.com/?doc=policy_2025"
+<iframe src="https://sign.company.com/embed?doc=policy_2025"
         width="600"
         height="200"
         frameborder="0"
@@ -113,26 +154,37 @@ Ackify automatically generates meta tags for previews:
 
 ### Notion
 
+**Method 1: Auto-embed (Recommended)**
+
 1. Paste URL in a Notion page:
    ```
-   https://sign.company.com/?doc=policy_2025
+   https://sign.company.com/embed?doc=policy_2025
    ```
 
 2. Notion auto-detects oEmbed
 3. Widget appears with signature button
 
-**Alternative**: Create manual embed
-- `/embed` → Paste URL
+**Method 2: Manual embed**
+
+1. Type `/embed` in Notion
+2. Paste the embed URL:
+   ```
+   https://sign.company.com/embed?doc=policy_2025
+   ```
+
+> **Tip**: Use `/embed?doc=...` instead of `/?doc=...` to get the optimal embed view without navigation elements.
 
 ### Outline
 
 1. In an Outline document, paste:
    ```
-   https://sign.company.com/?doc=policy_2025
+   https://sign.company.com/embed?doc=policy_2025
    ```
 
 2. Outline automatically loads the widget
 
+> **Note**: Using `/embed?doc=...` ensures you get the clean widget view without redirects.
+
 ### Google Docs
 
 Google Docs doesn't support iframes directly, but:
@@ -160,9 +212,11 @@ See [docs/integrations/google-doc/](../integrations/google-doc/) for more detail
 2. Insert "oEmbed" or "HTML Embed" macro
 3. Paste:
    ```
-   https://sign.company.com/?doc=policy_2025
+   https://sign.company.com/embed?doc=policy_2025
    ```
 
+> **Note**: Use `/embed?doc=...` for the best iframe experience.
+
 ### Slack
 
 **Link Unfurling**: