Security Fixes
@@ -2,7 +2,11 @@
## Authentication & Authorization
### Protected Endpoints
### Current State (MVP / Dev)
- Backend uses a Fastify authentication plugin that injects a mock user for development/test.
- JWT validation via Auth0 is not yet enabled on the backend; the frontend Auth0 flow works independently.
### Intended Production Behavior
All vehicle CRUD operations require JWT authentication via Auth0:
- `POST /api/vehicles` - Create vehicle
- `GET /api/vehicles` - Get user vehicles
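Review bot: the new "Current State (MVP / Dev)" block says the Fastify auth plugin injects a mock user and that Auth0 JWT validation is not enabled on the backend, but nothing in the section says what prevents that mock-user path from running in a production build. Under "Protected Endpoints", add the condition that selects the mock plugin (environment or config setting) and state that the app must refuse to start, or at least log loudly, when real JWT validation is not configured in production; otherwise the "Intended Production Behavior" list is aspirational and readers may assume `POST /api/vehicles` and `GET /api/vehicles` are already gated.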
@@ -37,7 +41,7 @@ GET /api/vehicles/dropdown/trims
4. **Information Disclosure**: Exposes system capabilities to unauthenticated users
**Recommended Mitigations for Production:**
1. **Rate Limiting**: Implement express-rate-limit (e.g., 100 requests/hour per IP)
1. **Rate Limiting**: Implement request rate limiting (e.g., 100 requests/hour per IP)
2. **Input Validation**: Sanitize make parameter in controller
3. **CORS Restrictions**: Limit to application domain
4. **Monitoring**: Add abuse detection logging
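Review bot: replacing "express-rate-limit" with "request rate limiting" in item 1 is the right correction, since the backend is described as Fastify rather than Express, but the "100 requests/hour per IP" example needs a caveat: per-IP limits only work behind a reverse proxy or load balancer when the server is configured to trust the forwarded client address, otherwise every client shares the proxy's IP. Item 2, "Sanitize make parameter in controller", would be stronger as validation of `make` against the known list of makes the dropdown endpoints serve rather than sanitization of free text, because the risk listed above is information disclosure to unauthenticated callers, not output encoding.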
@@ -74,4 +78,4 @@ GET /api/vehicles/dropdown/trims
- Separate authenticated/unauthenticated HTTP clients
- Request/response interceptors for error handling
- Timeout configurations to prevent hanging requests
- Auth token handling via Auth0 wrapper
- Auth token handling via Auth0 wrapper
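Review bot: the removed and added "Auth token handling via Auth0 wrapper" lines are textually identical, so this hunk appears to be a trailing-whitespace or end-of-file newline change; if that was not intended, drop it from the commit so the diff only carries the documentation changes. Separately, the "Separate authenticated/unauthenticated HTTP clients" item should say that, per the Authentication section, the backend does not yet validate the Auth0 JWT, so the authenticated client currently attaches a token the server ignores; stating that dependency keeps the frontend client split from being mistaken for enforced access control.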