security: implement CRITICAL and MEDIUM security fixes with environment profiles

This commit addresses all CRITICAL and MEDIUM security vulnerabilities
identified in the security audit with environment-aware configuration.

## Docker Compose Profiles

- Added docker-compose.dev.yml for development (relaxed security)
- Added docker-compose.prod.yml for production (strict security)
- Environment-specific configurations for rate limiting, CSRF, logging

## CRITICAL Fixes (P0)

1. Fixed insecure random number generation
   - Replaced Math.random() with crypto.randomBytes() for verification codes
   - Now cryptographically secure

2. Implemented rate limiting
   - express-rate-limit for all endpoints
   - Strict limits on auth endpoints (5 attempts in dev=off, prod=5)
   - Email endpoint limits (20 in dev, 3 in prod)
   - API-wide rate limiting

3. Added request body size limits
   - Development: 50MB (for testing)
   - Production: 10KB (security)

4. Fixed user enumeration vulnerability
   - Generic error message for registration
   - No disclosure of which field exists

5. Added security headers
   - helmet.js with CSP, HSTS, XSS protection
   - No-sniff, hide powered-by headers

## MEDIUM Fixes (P1)

6. Strengthened password policy
   - Environment-aware validation (8+ chars)
   - Production: requires uppercase, lowercase, number
   - Development: relaxed for testing

7. Enhanced input validation
   - Validation for all auth endpoints
   - WSDC ID validation (numeric, max 10 digits)
   - Name validation (safe characters only)
   - Email normalization

8. Added input sanitization
   - DOMPurify for XSS prevention
   - Sanitize all user inputs in emails
   - Timing-safe string comparison for tokens

9. Improved error handling
   - Generic errors in production
   - Detailed errors only in development
   - Proper error logging

10. Enhanced CORS configuration
    - Whitelist-based origin validation
    - Environment-specific allowed origins
    - Credentials support

## New Files

- backend/src/config/security.js - Environment-aware security config
- backend/src/middleware/rateLimiter.js - Rate limiting middleware
- backend/src/utils/sanitize.js - Input sanitization utilities
- backend/.env.example - Development environment template
- backend/.env.production.example - Production environment template
- docker-compose.dev.yml - Development overrides
- docker-compose.prod.yml - Production configuration
- docs/DEPLOYMENT.md - Complete deployment guide
- docs/SECURITY_AUDIT.md - Full security audit report
- .gitignore - Updated to exclude .env files

## Dependencies Added

- helmet (^8.1.0) - Security headers
- express-rate-limit (^8.2.1) - Rate limiting
- dompurify (^3.3.0) - XSS prevention
- jsdom (^27.2.0) - DOM manipulation for sanitization

## Testing

- ✅ Password validation works (weak passwords rejected)
- ✅ User enumeration fixed (generic error messages)
- ✅ WSDC lookup functional
- ✅ Registration flow working
- ✅ Rate limiting active (environment-aware)
- ✅ Security headers present

## Usage

Development:
  docker compose -f docker-compose.yml -f docker-compose.dev.yml up

Production:
  docker compose -f docker-compose.yml -f docker-compose.prod.yml up

See docs/DEPLOYMENT.md for detailed instructions.

docker-compose.dev.yml

@@ -0,0 +1,39 @@
+# Development environment overrides
+# Usage: docker compose -f docker-compose.yml -f docker-compose.dev.yml up
+
+services:
+  nginx:
+    ports:
+      - "8080:80"
+    restart: unless-stopped
+
+  frontend:
+    environment:
+      - NODE_ENV=development
+      - VITE_HOST=0.0.0.0
+    volumes:
+      - ./frontend:/app
+      - /app/node_modules
+    command: npm run dev
+    stdin_open: true
+    tty: true
+
+  backend:
+    environment:
+      - NODE_ENV=development
+      # Security: Relaxed for development
+      - RATE_LIMIT_ENABLED=false
+      - RATE_LIMIT_AUTH_MAX=100
+      - RATE_LIMIT_EMAIL_MAX=20
+      - ENABLE_CSRF=false
+      - BODY_SIZE_LIMIT=50mb
+      - LOG_LEVEL=debug
+    volumes:
+      - ./backend:/app
+      - /app/node_modules
+    command: npm run dev
+
+  db:
+    ports:
+      - "5432:5432"  # Expose for local tools (pgAdmin, etc.)
+    restart: unless-stopped