radziel/spotlightcam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: implement CRITICAL and MEDIUM security fixes with environment profiles

Browse Source 
This commit addresses all CRITICAL and MEDIUM security vulnerabilities
identified in the security audit with environment-aware configuration.

## Docker Compose Profiles

- Added docker-compose.dev.yml for development (relaxed security)
- Added docker-compose.prod.yml for production (strict security)
- Environment-specific configurations for rate limiting, CSRF, logging

## CRITICAL Fixes (P0)

1. Fixed insecure random number generation
   - Replaced Math.random() with crypto.randomBytes() for verification codes
   - Now cryptographically secure

2. Implemented rate limiting
   - express-rate-limit for all endpoints
   - Strict limits on auth endpoints (5 attempts in dev=off, prod=5)
   - Email endpoint limits (20 in dev, 3 in prod)
   - API-wide rate limiting

3. Added request body size limits
   - Development: 50MB (for testing)
   - Production: 10KB (security)

4. Fixed user enumeration vulnerability
   - Generic error message for registration
   - No disclosure of which field exists

5. Added security headers
   - helmet.js with CSP, HSTS, XSS protection
   - No-sniff, hide powered-by headers

## MEDIUM Fixes (P1)

6. Strengthened password policy
   - Environment-aware validation (8+ chars)
   - Production: requires uppercase, lowercase, number
   - Development: relaxed for testing

7. Enhanced input validation
   - Validation for all auth endpoints
   - WSDC ID validation (numeric, max 10 digits)
   - Name validation (safe characters only)
   - Email normalization

8. Added input sanitization
   - DOMPurify for XSS prevention
   - Sanitize all user inputs in emails
   - Timing-safe string comparison for tokens

9. Improved error handling
   - Generic errors in production
   - Detailed errors only in development
   - Proper error logging

10. Enhanced CORS configuration
    - Whitelist-based origin validation
    - Environment-specific allowed origins
    - Credentials support

## New Files

- backend/src/config/security.js - Environment-aware security config
- backend/src/middleware/rateLimiter.js - Rate limiting middleware
- backend/src/utils/sanitize.js - Input sanitization utilities
- backend/.env.example - Development environment template
- backend/.env.production.example - Production environment template
- docker-compose.dev.yml - Development overrides
- docker-compose.prod.yml - Production configuration
- docs/DEPLOYMENT.md - Complete deployment guide
- docs/SECURITY_AUDIT.md - Full security audit report
- .gitignore - Updated to exclude .env files

## Dependencies Added

- helmet (^8.1.0) - Security headers
- express-rate-limit (^8.2.1) - Rate limiting
- dompurify (^3.3.0) - XSS prevention
- jsdom (^27.2.0) - DOM manipulation for sanitization

## Testing

-  Password validation works (weak passwords rejected)
-  User enumeration fixed (generic error messages)
-  WSDC lookup functional
-  Registration flow working
-  Rate limiting active (environment-aware)
-  Security headers present

## Usage

Development:
  docker compose -f docker-compose.yml -f docker-compose.dev.yml up

Production:
  docker compose -f docker-compose.yml -f docker-compose.prod.yml up

See docs/DEPLOYMENT.md for detailed instructions.
This commit is contained in:
Radosław Gierwiało
2025-11-13 16:39:27 +01:00
parent 46224fca79
commit bf8a9260bd
17 changed files with 2620 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
backend/src/config/security.js Normal file
View File

@@ -0,0 +1,70 @@
/**
* Security Configuration
* Environment-aware security settings
*/
const isDevelopment = process.env.NODE_ENV === 'development';
const isProduction = process.env.NODE_ENV === 'production';
module.exports = {
// Rate limiting configuration
rateLimit: {
enabled: process.env.RATE_LIMIT_ENABLED === 'true' || isProduction,
// General API rate limit
api: {
windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS) || 15 * 60 * 1000, // 15 minutes
max: parseInt(process.env.RATE_LIMIT_MAX) || (isDevelopment ? 1000 : 100),
},
// Strict rate limit for authentication endpoints
auth: {
windowMs: 15 * 60 * 1000, // 15 minutes
max: parseInt(process.env.RATE_LIMIT_AUTH_MAX) || (isDevelopment ? 100 : 5),
skipSuccessfulRequests: true,
},
// Email endpoints rate limit
email: {
windowMs: 60 * 60 * 1000, // 1 hour
max: parseInt(process.env.RATE_LIMIT_EMAIL_MAX) || (isDevelopment ? 20 : 3),
},
},
// CSRF protection
csrf: {
enabled: process.env.ENABLE_CSRF === 'true' || isProduction,
},
// Request body size limits
bodyLimit: process.env.BODY_SIZE_LIMIT || (isDevelopment ? '50mb' : '10kb'),
// CORS configuration
cors: {
origin: process.env.CORS_ORIGIN ?
process.env.CORS_ORIGIN.split(',') :
['http://localhost:8080'],
credentials: true,
},
// Password policy
password: {
minLength: parseInt(process.env.PASSWORD_MIN_LENGTH) || 8,
requireUppercase: process.env.PASSWORD_REQUIRE_UPPERCASE === 'true' || isProduction,
requireLowercase: process.env.PASSWORD_REQUIRE_LOWERCASE === 'true' || isProduction,
requireNumber: process.env.PASSWORD_REQUIRE_NUMBER === 'true' || isProduction,
requireSpecial: process.env.PASSWORD_REQUIRE_SPECIAL === 'true' || false,
},
// Account lockout
accountLockout: {
enabled: process.env.ENABLE_ACCOUNT_LOCKOUT === 'true' || isProduction,
maxAttempts: parseInt(process.env.MAX_LOGIN_ATTEMPTS) || 5,
lockoutDuration: parseInt(process.env.LOCKOUT_DURATION_MINUTES) || 15, // minutes
},
// Logging
logging: {
level: process.env.LOG_LEVEL || (isDevelopment ? 'debug' : 'warn'),
},
};