Security Fixes
@@ -12,8 +12,8 @@ Complete database schema for MotoVaultPro Modified Feature Capsule architecture.
|
||||
|
||||
### Migration Tracking
|
||||
- **Table**: `_migrations`
|
||||
- **Purpose**: Tracks executed migrations per feature
|
||||
- **Location**: Created by `backend/src/_system/migrations/run-all.ts`
|
||||
- **Purpose**: Created by `backend/src/_system/migrations/run-all.ts` (not yet used for skipping executed files)
|
||||
- **Note**: Some SQL files use `IF NOT EXISTS`. Re-running all migrations may fail on indexes without `IF NOT EXISTS`.
|
||||
|
||||
## Core Tables
|
||||
|
||||
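Review bot: The replacement line under Migration Tracking is labelled `**Purpose**`, but its text says where the table is created, so the purpose of `_migrations` is no longer stated anywhere. Keep the `**Location**` label for the `run-all.ts` path and add a separate purpose line saying the table is written but not yet consulted to skip executed files. The new note would also be more useful if it named which migration files create indexes without `IF NOT EXISTS`, since those are the ones that make a re-run fail.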
@@ -183,17 +183,7 @@ npm run migrate:all
|
||||
# Via Docker
|
||||
make migrate
|
||||
```
|
||||
|
||||
### Run Single Feature
|
||||
```bash
|
||||
# In container
|
||||
npm run migrate:feature vehicles
|
||||
|
||||
# Individual features
|
||||
npm run migrate:feature fuel-logs
|
||||
npm run migrate:feature maintenance
|
||||
npm run migrate:feature stations
|
||||
```
|
||||
Single-feature migration is not implemented yet.
|
||||
|
||||
### Migration Files
|
||||
- **Location**: `backend/src/features/[feature]/migrations/`
|
||||
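Review bot: With the `### Run Single Feature` section removed, "Single-feature migration is not implemented yet." has no heading of its own and, going by the hunk counts (17 lines down to 7), appears to sit directly against the closing fence of the preceding code block. Keep a short heading for it and a blank line after the fence so the status is findable and renders as its own paragraph. If a `migrate:feature` script is still defined for the backend, say what it currently does or remove it in the same change.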
@@ -226,4 +216,4 @@ npm run migrate:feature stations
|
||||
- Regular pg_dump backups
|
||||
- Point-in-time recovery
|
||||
- Read replicas for analytics
|
||||
- Connection pooling (PgBouncer)
|
||||
- Connection pooling (PgBouncer)
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
|
||||
## Authentication & Authorization
|
||||
|
||||
### Protected Endpoints
|
||||
### Current State (MVP / Dev)
|
||||
- Backend uses a Fastify authentication plugin that injects a mock user for development/test.
|
||||
- JWT validation via Auth0 is not yet enabled on the backend; the frontend Auth0 flow works independently.
|
||||
|
||||
### Intended Production Behavior
|
||||
All vehicle CRUD operations require JWT authentication via Auth0:
|
||||
- `POST /api/vehicles` - Create vehicle
|
||||
- `GET /api/vehicles` - Get user vehicles
|
||||
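Review bot: The new "Current State (MVP / Dev)" bullets say the auth plugin injects a mock user and that Auth0 JWT validation is not enabled on the backend, but nothing here says what keeps the mock-user path out of a production deployment. Document the condition that selects the mock plugin and state plainly that, until validation is enabled, the endpoints listed under "Intended Production Behavior" are not protected by a verified token. Since the commit is titled "Security Fixes" and this hunk only documents the gap, a pointer to where enabling validation is tracked belongs here too.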
@@ -37,7 +41,7 @@ GET /api/vehicles/dropdown/trims
|
||||
4. **Information Disclosure**: Exposes system capabilities to unauthenticated users
|
||||
|
||||
**Recommended Mitigations for Production:**
|
||||
1. **Rate Limiting**: Implement express-rate-limit (e.g., 100 requests/hour per IP)
|
||||
1. **Rate Limiting**: Implement request rate limiting (e.g., 100 requests/hour per IP)
|
||||
2. **Input Validation**: Sanitize make parameter in controller
|
||||
3. **CORS Restrictions**: Limit to application domain
|
||||
4. **Monitoring**: Add abuse detection logging
|
||||
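Review bot: Mitigation 1 drops `express-rate-limit` without naming a replacement, which leaves the recommendation with no concrete mechanism. The same file describes the backend as Fastify, so name the Fastify-side option (for example the `@fastify/rate-limit` plugin) and say that the limit is meant for the unauthenticated dropdown endpoints. If the service runs behind a proxy, also note which address the "per IP" key is taken from.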
@@ -74,4 +78,4 @@ GET /api/vehicles/dropdown/trims
|
||||
- Separate authenticated/unauthenticated HTTP clients
|
||||
- Request/response interceptors for error handling
|
||||
- Timeout configurations to prevent hanging requests
|
||||
- Auth token handling via Auth0 wrapper
|
||||
- Auth token handling via Auth0 wrapper
|
||||
|
||||
@@ -27,7 +27,7 @@ backend/src/features/[name]/tests/
|
||||
make test
|
||||
```
|
||||
|
||||
This executes: `docker-compose exec backend npm test`
|
||||
This executes: `docker compose exec backend npm test`
|
||||
|
||||
### Feature-Specific Testing
|
||||
```bash
|
||||
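Review bot: The line "This executes: `docker compose exec backend npm test`" describes what `make test` runs, so it is only correct if the Makefile target was switched to the `docker compose` form as well. Confirm the Makefile matches, or reword the line so it does not quote a command the target does not run.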
@@ -45,9 +45,9 @@ npm test -- features/vehicles --coverage
|
||||
|
||||
### Test Environment Setup
|
||||
1. **Container-Based**: All tests run inside Docker containers
|
||||
2. **Test Database**: Isolated test database per feature
|
||||
3. **Mock External APIs**: No real API calls during testing
|
||||
4. **Cleanup**: Automatic test data cleanup after each test
|
||||
2. **Database**: Uses the development database in the stack (`motovaultpro`)
|
||||
3. **Mock External APIs**: No real API calls during testing (where implemented)
|
||||
4. **Cleanup**: Prefer transactions/cleanup per test; see feature tests for patterns
|
||||
|
||||
## Test Types
|
||||
|
||||
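Review bot: Item 2 now documents that tests run against the development database `motovaultpro`, and item 4 weakens cleanup from automatic to "Prefer transactions/cleanup per test", so a failing or interrupted test can leave or delete rows in data that developers rely on. Either point the test run at a separate database name in the stack or make per-test rollback a stated requirement rather than a preference. Item 3's "(where implemented)" should also say what happens in tests that are not yet mocked, that is, whether they can reach the real external APIs.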
@@ -149,10 +149,14 @@ make clean && make dev
|
||||
**Coverage**: Exclude node_modules, include src only
|
||||
|
||||
### Database Testing
|
||||
- **Test DB**: Same as development (motovaultpro)
|
||||
- **Transactions**: Each test runs in transaction, rolled back after
|
||||
- **Isolation**: Tests cannot interfere with each other
|
||||
- **Seeding**: Minimal seed data, test-specific fixtures
|
||||
- **DB**: Same as development (`motovaultpro`) within Docker
|
||||
- **Transactions**: Recommended pattern is one transaction per test
|
||||
- **Isolation**: Keep tests independent; avoid shared state
|
||||
- **Seeding**: Use feature-level fixtures when needed
|
||||
|
||||
### Coverage and Availability
|
||||
- Full test suite exists for `vehicles`.
|
||||
- Other features (e.g., `fuel-logs`, `stations`, `maintenance`) have placeholders and are being built out.
|
||||
|
||||
### Mock Strategy
|
||||
- **External APIs**: Completely mocked (vPIC, Google Maps)
|
||||
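Review bot: The unchanged Mock Strategy line still reads "**External APIs**: Completely mocked (vPIC, Google Maps)", which contradicts the "(where implemented)" qualifier added under Test Environment Setup and the new statement that features other than `vehicles` only have placeholders. Bring that line in line with the new wording. In Database Testing, "Recommended pattern is one transaction per test" replaces a guarantee with advice, so say where the pattern is implemented (the `vehicles` suite, if that is the reference) so new feature tests have something to copy.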
@@ -214,7 +218,7 @@ make rebuild
|
||||
#### Database Connection Issues
|
||||
```bash
|
||||
# Check postgres container
|
||||
docker-compose logs postgres
|
||||
docker compose logs postgres
|
||||
|
||||
# Reset database
|
||||
make clean && make dev
|
||||
@@ -288,4 +292,4 @@ describe('Error Handling', () => {
|
||||
- Mock API failures to test error handling
|
||||
- Test timeout scenarios
|
||||
- Test network connectivity issues
|
||||
- Verify graceful degradation paths
|
||||
- Verify graceful degradation paths
|
||||
|
||||