spotlightcam

radziel/spotlightcam

Fork 0

Commit Graph

Author	SHA1	Message	Date
Radosław Gierwiało	b79173937b	chore: add .repl_history and .claude/ to gitignore	2025-11-29 15:05:38 +01:00
Radosław Gierwiało	bf8a9260bd	security: implement CRITICAL and MEDIUM security fixes with environment profiles This commit addresses all CRITICAL and MEDIUM security vulnerabilities identified in the security audit with environment-aware configuration. ## Docker Compose Profiles - Added docker-compose.dev.yml for development (relaxed security) - Added docker-compose.prod.yml for production (strict security) - Environment-specific configurations for rate limiting, CSRF, logging ## CRITICAL Fixes (P0) 1. Fixed insecure random number generation - Replaced Math.random() with crypto.randomBytes() for verification codes - Now cryptographically secure 2. Implemented rate limiting - express-rate-limit for all endpoints - Strict limits on auth endpoints (5 attempts in dev=off, prod=5) - Email endpoint limits (20 in dev, 3 in prod) - API-wide rate limiting 3. Added request body size limits - Development: 50MB (for testing) - Production: 10KB (security) 4. Fixed user enumeration vulnerability - Generic error message for registration - No disclosure of which field exists 5. Added security headers - helmet.js with CSP, HSTS, XSS protection - No-sniff, hide powered-by headers ## MEDIUM Fixes (P1) 6. Strengthened password policy - Environment-aware validation (8+ chars) - Production: requires uppercase, lowercase, number - Development: relaxed for testing 7. Enhanced input validation - Validation for all auth endpoints - WSDC ID validation (numeric, max 10 digits) - Name validation (safe characters only) - Email normalization 8. Added input sanitization - DOMPurify for XSS prevention - Sanitize all user inputs in emails - Timing-safe string comparison for tokens 9. Improved error handling - Generic errors in production - Detailed errors only in development - Proper error logging 10. Enhanced CORS configuration - Whitelist-based origin validation - Environment-specific allowed origins - Credentials support ## New Files - backend/src/config/security.js - Environment-aware security config - backend/src/middleware/rateLimiter.js - Rate limiting middleware - backend/src/utils/sanitize.js - Input sanitization utilities - backend/.env.example - Development environment template - backend/.env.production.example - Production environment template - docker-compose.dev.yml - Development overrides - docker-compose.prod.yml - Production configuration - docs/DEPLOYMENT.md - Complete deployment guide - docs/SECURITY_AUDIT.md - Full security audit report - .gitignore - Updated to exclude .env files ## Dependencies Added - helmet (^8.1.0) - Security headers - express-rate-limit (^8.2.1) - Rate limiting - dompurify (^3.3.0) - XSS prevention - jsdom (^27.2.0) - DOM manipulation for sanitization ## Testing - ✅ Password validation works (weak passwords rejected) - ✅ User enumeration fixed (generic error messages) - ✅ WSDC lookup functional - ✅ Registration flow working - ✅ Rate limiting active (environment-aware) - ✅ Security headers present ## Usage Development: docker compose -f docker-compose.yml -f docker-compose.dev.yml up Production: docker compose -f docker-compose.yml -f docker-compose.prod.yml up See docs/DEPLOYMENT.md for detailed instructions.	2025-11-13 16:39:27 +01:00
Radosław Gierwiało	80ff4a70bf	feat: initial project setup with frontend mockup - Docker Compose setup with nginx reverse proxy and frontend service - React + Vite + Tailwind CSS configuration - Complete mockup of all application views: - Authentication (login/register) - Events list and selection - Event chat with matchmaking - 1:1 private chat with WebRTC P2P video transfer mockup - Partner rating system - Collaboration history - Mock data for users, events, messages, matches, and ratings - All UI text and messages in English - Project documentation (CONTEXT.md, TODO.md, README.md, QUICKSTART.md)	2025-11-12 17:50:44 +01:00

Author

SHA1

Message

Date

Radosław Gierwiało

b79173937b

chore: add .repl_history and .claude/ to gitignore

2025-11-29 15:05:38 +01:00

Radosław Gierwiało

bf8a9260bd

security: implement CRITICAL and MEDIUM security fixes with environment profiles

This commit addresses all CRITICAL and MEDIUM security vulnerabilities
identified in the security audit with environment-aware configuration.

## Docker Compose Profiles

- Added docker-compose.dev.yml for development (relaxed security)
- Added docker-compose.prod.yml for production (strict security)
- Environment-specific configurations for rate limiting, CSRF, logging

## CRITICAL Fixes (P0)

1. Fixed insecure random number generation
   - Replaced Math.random() with crypto.randomBytes() for verification codes
   - Now cryptographically secure

2. Implemented rate limiting
   - express-rate-limit for all endpoints
   - Strict limits on auth endpoints (5 attempts in dev=off, prod=5)
   - Email endpoint limits (20 in dev, 3 in prod)
   - API-wide rate limiting

3. Added request body size limits
   - Development: 50MB (for testing)
   - Production: 10KB (security)

4. Fixed user enumeration vulnerability
   - Generic error message for registration
   - No disclosure of which field exists

5. Added security headers
   - helmet.js with CSP, HSTS, XSS protection
   - No-sniff, hide powered-by headers

## MEDIUM Fixes (P1)

6. Strengthened password policy
   - Environment-aware validation (8+ chars)
   - Production: requires uppercase, lowercase, number
   - Development: relaxed for testing

7. Enhanced input validation
   - Validation for all auth endpoints
   - WSDC ID validation (numeric, max 10 digits)
   - Name validation (safe characters only)
   - Email normalization

8. Added input sanitization
   - DOMPurify for XSS prevention
   - Sanitize all user inputs in emails
   - Timing-safe string comparison for tokens

9. Improved error handling
   - Generic errors in production
   - Detailed errors only in development
   - Proper error logging

10. Enhanced CORS configuration
    - Whitelist-based origin validation
    - Environment-specific allowed origins
    - Credentials support

## New Files

- backend/src/config/security.js - Environment-aware security config
- backend/src/middleware/rateLimiter.js - Rate limiting middleware
- backend/src/utils/sanitize.js - Input sanitization utilities
- backend/.env.example - Development environment template
- backend/.env.production.example - Production environment template
- docker-compose.dev.yml - Development overrides
- docker-compose.prod.yml - Production configuration
- docs/DEPLOYMENT.md - Complete deployment guide
- docs/SECURITY_AUDIT.md - Full security audit report
- .gitignore - Updated to exclude .env files

## Dependencies Added

- helmet (^8.1.0) - Security headers
- express-rate-limit (^8.2.1) - Rate limiting
- dompurify (^3.3.0) - XSS prevention
- jsdom (^27.2.0) - DOM manipulation for sanitization

## Testing

- ✅ Password validation works (weak passwords rejected)
- ✅ User enumeration fixed (generic error messages)
- ✅ WSDC lookup functional
- ✅ Registration flow working
- ✅ Rate limiting active (environment-aware)
- ✅ Security headers present

## Usage

Development:
  docker compose -f docker-compose.yml -f docker-compose.dev.yml up

Production:
  docker compose -f docker-compose.yml -f docker-compose.prod.yml up

See docs/DEPLOYMENT.md for detailed instructions.

2025-11-13 16:39:27 +01:00

Radosław Gierwiało

80ff4a70bf

feat: initial project setup with frontend mockup

- Docker Compose setup with nginx reverse proxy and frontend service
- React + Vite + Tailwind CSS configuration
- Complete mockup of all application views:
  - Authentication (login/register)
  - Events list and selection
  - Event chat with matchmaking
  - 1:1 private chat with WebRTC P2P video transfer mockup
  - Partner rating system
  - Collaboration history
- Mock data for users, events, messages, matches, and ratings
- All UI text and messages in English
- Project documentation (CONTEXT.md, TODO.md, README.md, QUICKSTART.md)

2025-11-12 17:50:44 +01:00

3 Commits