Security Fixes

2025-08-24 14:39:50 -05:00
parent 000e71a026
commit e22d643ae3
19 changed files with 187 additions and 8838 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -25,7 +25,8 @@
      "Bash(git add:*)",
      "Bash(git commit:*)",
      "Bash(git tag:*)",
-      "Bash(docker build:*)"
+      "Bash(docker build:*)",
+      "Bash(docker run:*)"
    ],
    "deny": []
  }
--- a/AI_PROJECT_GUIDE.md
+++ b/AI_PROJECT_GUIDE.md
@@ -4,7 +4,12 @@
 Vehicle management platform using Modified Feature Capsules. Each feature in backend/src/features/[name]/ is 100% self-contained with API, domain, data, migrations, external integrations, tests, and docs. Single directory load gives complete context. No shared business logic, only pure utilities in shared-minimal/.

 ## Architecture Philosophy
-Each feature is a complete, self-contained capsule. Load ONE directory for 100% context. Evaluate every feature if it should be in it's own Docker container. This is a microservices based archiecture where production will be run on k8s. 
+- Each feature is a complete, self-contained capsule. 
+- Load ONE directory for 100% context. 
+- Evaluate every feature if it should be in it's own Docker container. 
+- This is a microservices based archiecture where production will be run on k8s.
+- This is a production only application architecture.
+- Always assume this application is going into production when you are done. All security and linting should pass.  

 ## Navigation & Quick Tasks

@@ -36,25 +41,26 @@ cd backend/src/features/[feature-name]/
 # Creates complete capsule structure with all subdirectories
 ```

-### Running Feature Migrations
+### Running Migrations
 ```bash
-# Single feature
-npm run migrate:feature [feature-name]
-
-# All features (respects dependencies)
+# All features (in dependency order)
 npm run migrate:all
+
+# From project root using Docker
+make migrate
 ```
+Note: Single-feature migration is not implemented yet. Run the full migration set.

 ### Testing Strategy
 ```bash
-# Test single feature (complete isolation)
+# Run all tests (from project root)
+make test
+
+# In backend container shell
+make shell-backend
+npm test                 # all tests
 npm test -- features/[feature-name]
-
-# Test feature integration
 npm test -- features/[feature-name]/tests/integration
-
-# Test everything
-npm test
 ```

 ### Docker Development Workflow
@@ -128,10 +134,14 @@ features/[name]/

 ## Development Environment
 All development happens in Docker containers:
- **Development**: Dockerfile.dev with npm install during container build
- **Testing**: make test runs tests in container
- **Rebuilding**: make rebuild for code changes
- **Package changes**: Container rebuild required
+- **Development**: `make dev` builds and runs the stack
+- **Testing**: `make test` runs backend tests in the container
+- **Rebuilding**: `make rebuild` for code/dependency changes
+- **Package changes**: Rebuild backend/frontend containers as needed
+
+## Authentication (Current State)
+- Backend uses a Fastify auth plugin that injects a mock user in development/test.
+- JWT validation via Auth0 is planned; production configuration will enforce it.

 ## External Services
 - **PostgreSQL**: Primary database (port 5432)
--- a/15
+++ b/15
@@ -1,10 +1,10 @@
-.PHONY: help setup dev stop clean test logs shell-backend shell-frontend migrate rebuild
+.PHONY: help setup start dev stop clean test logs shell-backend shell-frontend migrate rebuild

 help:
-	@echo "MotoVaultPro - Fully Containerized Modified Feature Capsule Architecture"
+	@echo "MotoVaultPro - Production-Ready Modified Feature Capsule Architecture"
 	@echo "Commands:"
 	@echo "  make setup         - Initial project setup"
-	@echo "  make dev           - Start all services in development mode"
+	@echo "  make start         - Start all services"
 	@echo "  make rebuild       - Rebuild and restart containers (for code changes)"
 	@echo "  make stop          - Stop all services"
 	@echo "  make clean         - Clean all data and volumes"
@@ -27,14 +27,17 @@ setup:
 	@echo "Backend: http://localhost:3001"
 	@echo "MinIO Console: http://localhost:9001"

-dev:
-	@echo "Starting development environment..."
+start:
+	@echo "Starting application services..."
 	@docker compose up -d --build
-	@echo "✅ Development environment running!"
+	@echo "✅ Application running!"
 	@echo "Frontend: http://localhost:3000"
 	@echo "Backend: http://localhost:3001/health"
 	@echo "View logs with: make logs"

+# Alias for backward compatibility
+dev: start
+
 stop:
 	@docker compose down

--- a/README.md
+++ b/README.md
@@ -32,11 +32,17 @@ Load `docs/database-schema.md` for complete schema overview
 Load `docs/testing.md` for Docker-based testing workflow
 Only use docker containers for testing. Never install local tools if they do not exist already. 

-### 4. Development Environment (1 command)
+### 4. Development Environment (Docker-first)
 ```bash
-make dev  # Starts complete Docker environment
+# One-time setup (copies .env and builds containers)
+make setup
+
+# Start/rebuild the full environment
+make dev
 ```

+Note: The frontend runs behind nginx with HTTPS in dev. You must provide local certificates in `./certs` (see SSL section below) or the frontend container will fail to start.
+
 ### 5. Key Principles
 - **Docker-First**: All development in containers, no local installs
 - **Feature Independence**: Each feature is completely isolated
@@ -45,12 +51,16 @@ make dev  # Starts complete Docker environment

 ### 6. Common Tasks
 ```bash
-# Test specific feature
-npm test -- features/vehicles
-
-# Run migrations  
+# Run all migrations (inside containers)
 make migrate

+# Run all backend tests (inside containers)
+make test
+
+# Run tests for a specific feature (from backend container shell)
+make shell-backend
+npm test -- features/vehicles
+
 # View logs
 make logs

@@ -60,10 +70,21 @@ make shell-backend

 ### 7. Feature Status
 - **vehicles**: Complete (primary entity, VIN decoding)
- **fuel-logs**: Implemented (depends on vehicles)
+- **fuel-logs**: Implemented (depends on vehicles); tests pending
 - **maintenance**: Scaffolded (depends on vehicles) 
 - **stations**: Partial (Google Maps integration)

+## SSL for Frontend (Local Dev)
+- Place `motovaultpro.com.crt` and `motovaultpro.com.key` in `./certs`.
+- To generate self-signed dev certs:
+  ```bash
+  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+    -keyout certs/motovaultpro.com.key \
+    -out certs/motovaultpro.com.crt \
+    -subj "/CN=localhost"
+  ```
+- Access frontend at `https://localhost:3443` (HTTP on `:3000` redirects to HTTPS).
+
 ## Architecture Summary
 Vehicle management platform using Modified Feature Capsule design where each feature is self-contained with API, domain logic, database layer, migrations, external integrations, tests, and documentation in a single directory. Built for AI maintainability with Docker-first development.

--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -19,7 +19,7 @@ RUN npm install && npm cache clean --force
 COPY . .

 # Build the application
-RUN npm run build:docker
+RUN npm run build

 # Stage 2: Production runtime
 FROM node:20-alpine AS production
@@ -30,8 +30,9 @@ RUN apk add --no-cache dumb-init
 # Set working directory
 WORKDIR /app

-# Copy package files
+# Copy package files and any lock file generated in builder stage
 COPY package*.json ./
+COPY --from=builder /app/package-lock.json ./

 # Install only production dependencies
 RUN npm ci --omit=dev && npm cache clean --force
--- a/backend/README.md
+++ b/backend/README.md
@@ -56,8 +56,8 @@ make test
 - `database.ts` - PostgreSQL connection pool
 - `redis.ts` - Redis client and cache service

-### Security (`src/core/security/`)
- `auth.middleware.ts` - JWT authentication via Auth0
+### Security (Fastify Plugin)
+- `src/core/plugins/auth.plugin.ts` - Auth plugin (mock user in dev; plan for Auth0 JWT)

 ### Logging (`src/core/logging/`)
 - `logger.ts` - Structured logging with Winston
@@ -89,7 +89,7 @@ Run tests:
 npm test

 # Specific feature
-npm run test:feature -- --feature=vehicles
+npm test -- features/vehicles

 # Watch mode
 npm run test:watch
@@ -100,5 +100,5 @@ npm run test:watch
 See `.env.example` for required variables. Key variables:
 - Database connection (DB_*)
 - Redis connection (REDIS_*)
- Auth0 configuration (AUTH0_*)
+- Auth0 configuration (AUTH0_*) — backend currently uses mock auth; JWT enforcement planned
 - External API keys
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@@ -5,8 +5,7 @@
  "main": "dist/index.js",
  "scripts": {
    "dev": "nodemon --watch src --exec ts-node src/index.ts",
-    "build": "tsc",
-    "build:docker": "tsc --project tsconfig.build.json",
+    "build": "tsc --project tsconfig.build.json",
    "start": "node dist/index.js",
    "test": "jest",
    "test:watch": "jest --watch",
@@ -39,7 +38,8 @@
    "@fastify/type-provider-typebox": "^4.0.0",
    "@sinclair/typebox": "^0.31.28",
    "fastify-plugin": "^4.5.1",
-    "@fastify/autoload": "^5.8.0"
+    "@fastify/autoload": "^5.8.0",
+    "get-jwks": "^9.0.0"
  },
  "devDependencies": {
    "@types/node": "^20.10.0",
--- a/backend/src/core/config/environment.ts
+++ b/backend/src/core/config/environment.ts
@@ -8,7 +8,7 @@ import * as dotenv from 'dotenv';
 dotenv.config();

 const envSchema = z.object({
-  NODE_ENV: z.enum(['development', 'test', 'production']).default('development'),
+  NODE_ENV: z.string().default('development'),
  PORT: z.string().transform(Number).default('3001'),
  
  // Database
@@ -22,11 +22,11 @@ const envSchema = z.object({
  REDIS_HOST: z.string().default('localhost'),
  REDIS_PORT: z.string().transform(Number).default('6379'),
  
-  // Auth0
-  AUTH0_DOMAIN: z.string().default('localhost'),
-  AUTH0_CLIENT_ID: z.string().default('development'),
-  AUTH0_CLIENT_SECRET: z.string().default('development'),
-  AUTH0_AUDIENCE: z.string().default('https://api.motovaultpro.com'),
+  // Auth0 - Required for JWT validation
+  AUTH0_DOMAIN: z.string().min(1, 'AUTH0_DOMAIN is required for JWT authentication'),
+  AUTH0_CLIENT_ID: z.string().min(1, 'AUTH0_CLIENT_ID is required'),
+  AUTH0_CLIENT_SECRET: z.string().min(1, 'AUTH0_CLIENT_SECRET is required'),
+  AUTH0_AUDIENCE: z.string().min(1, 'AUTH0_AUDIENCE is required for JWT validation'),
  
  // External APIs
  GOOGLE_MAPS_API_KEY: z.string().default('development'),
@@ -45,7 +45,4 @@ export type Environment = z.infer<typeof envSchema>;
 // Validate and export - now with defaults for build-time compilation
 export const env = envSchema.parse(process.env);

-// Convenience exports
-export const isDevelopment = env.NODE_ENV === 'development';
-export const isProduction = env.NODE_ENV === 'production';
-export const isTest = env.NODE_ENV === 'test';
+// Environment configuration validated and exported
--- a/backend/src/core/logging/logger.ts
+++ b/backend/src/core/logging/logger.ts
@@ -3,10 +3,9 @@
 * @ai-context All features use this for consistent logging
 */
 import * as winston from 'winston';
-import { env, isDevelopment } from '../config/environment';

 export const logger = winston.createLogger({
-  level: isDevelopment ? 'debug' : 'info',
+  level: 'info',
  format: winston.format.combine(
    winston.format.timestamp(),
    winston.format.errors({ stack: true }),
@@ -14,16 +13,10 @@ export const logger = winston.createLogger({
  ),
  defaultMeta: {
    service: 'motovaultpro-backend',
-    environment: env.NODE_ENV,
  },
  transports: [
    new winston.transports.Console({
-      format: isDevelopment
-        ? winston.format.combine(
-            winston.format.colorize(),
-            winston.format.simple()
-          )
-        : winston.format.json(),
+      format: winston.format.json(),
    }),
  ],
 });
--- a/backend/src/core/plugins/auth.plugin.ts
+++ b/backend/src/core/plugins/auth.plugin.ts
@@ -1,9 +1,10 @@
 /**
 * @ai-summary Fastify JWT authentication plugin using Auth0
- * @ai-context Validates JWT tokens in production, mocks in development
+ * @ai-context Validates JWT tokens against Auth0 JWKS endpoint
 */
 import { FastifyPluginAsync, FastifyRequest, FastifyReply } from 'fastify';
 import fp from 'fastify-plugin';
+import buildGetJwks from 'get-jwks';
 import { env } from '../config/environment';
 import { logger } from '../logging/logger';

@@ -11,20 +12,67 @@ declare module 'fastify' {
  interface FastifyInstance {
    authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
  }
+  interface FastifyRequest {
+    jwtVerify(): Promise<void>;
+    user?: any;
+  }
 }

 const authPlugin: FastifyPluginAsync = async (fastify) => {
-  // For now, use mock authentication in all environments
-  // The frontend Auth0 flow should work independently
-  // TODO: Implement proper JWKS validation when needed for API security
+  // Initialize JWKS client for Auth0 public key retrieval
+  const getJwks = buildGetJwks({
+    ttl: 60 * 60 * 1000, // 1 hour cache
+  });

-  fastify.decorate('authenticate', async (request: FastifyRequest, _reply: FastifyReply) => {
-    (request as any).user = { sub: 'dev-user-123' };
+  // Register @fastify/jwt with Auth0 JWKS validation
+  await fastify.register(require('@fastify/jwt'), {
+    decode: { complete: true },
+    secret: async (_request: FastifyRequest, token: any) => {
+      try {
+        const { header: { kid, alg }, payload: { iss } } = token;
        
-    if (env.NODE_ENV === 'development') {
-      logger.debug('Using mock user for development', { userId: 'dev-user-123' });
-    } else {
-      logger.info('Using mock authentication - Auth0 handled by frontend', { userId: 'dev-user-123' });
+        // Validate issuer matches Auth0 domain
+        const expectedIssuer = `https://${env.AUTH0_DOMAIN}/`;
+        if (iss !== expectedIssuer) {
+          throw new Error(`Invalid issuer: ${iss}`);
+        }
+
+        // Get public key from Auth0 JWKS endpoint
+        return getJwks.getPublicKey({ kid, domain: env.AUTH0_DOMAIN, alg });
+      } catch (error) {
+        logger.error('JWKS key retrieval failed', { 
+          error: error instanceof Error ? error.message : 'Unknown error',
+          domain: env.AUTH0_DOMAIN 
+        });
+        throw error;
+      }
+    },
+    verify: {
+      allowedIss: `https://${env.AUTH0_DOMAIN}/`,
+      allowedAud: env.AUTH0_AUDIENCE,
+    },
+  });
+
+  // Decorate with authenticate function that validates JWT
+  fastify.decorate('authenticate', async function(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      
+      logger.info('JWT authentication successful', { 
+        userId: request.user?.sub?.substring(0, 8) + '...',
+        audience: env.AUTH0_AUDIENCE
+      });
+    } catch (error) {
+      logger.warn('JWT authentication failed', {
+        path: request.url,
+        method: request.method,
+        error: error instanceof Error ? error.message : 'Unknown error',
+      });
+      
+      reply.code(401).send({ 
+        error: 'Unauthorized', 
+        message: 'Invalid or missing JWT token' 
+      });
    }
  });
 };
--- a/backend/src/core/plugins/error.plugin.ts
+++ b/backend/src/core/plugins/error.plugin.ts
@@ -17,7 +17,6 @@ const errorPlugin: FastifyPluginAsync = async (fastify) => {

    reply.status(500).send({
      error: 'Internal server error',
-      message: process.env.NODE_ENV === 'development' ? error.message : undefined,
    });
  });
 };
--- a/backend/src/features/vehicles/tests/integration/vehicles.integration.test.ts
+++ b/backend/src/features/vehicles/tests/integration/vehicles.integration.test.ts
@@ -10,13 +10,17 @@ import { cacheService } from '../../../../core/config/redis';
 import { readFileSync } from 'fs';
 import { join } from 'path';

-// Mock auth middleware to bypass JWT validation in tests
-jest.mock('../../../../core/security/auth.middleware', () => ({
-  authMiddleware: (req: any, _res: any, next: any) => {
-    req.user = { sub: 'test-user-123' };
-    next();
-  }
-}));
+// Mock auth plugin to bypass JWT validation in tests
+jest.mock('../../../../core/plugins/auth.plugin', () => {
+  const fastifyPlugin = require('fastify-plugin');
+  return {
+    default: fastifyPlugin(async function(fastify) {
+      fastify.decorate('authenticate', async function(request, _reply) {
+        request.user = { sub: 'test-user-123' };
+      });
+    }, { name: 'auth-plugin' })
+  };
+});

 // Mock external VIN decoder
 jest.mock('../../external/vpic/vpic.client', () => ({
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -57,7 +57,6 @@ services:
        - node:20-alpine
    container_name: mvp-backend
    environment:
-      NODE_ENV: development
      PORT: 3001
      DB_HOST: postgres
      DB_PORT: 5432
@@ -104,7 +103,6 @@ services:
        VITE_API_BASE_URL: ${VITE_API_BASE_URL:-http://backend:3001/api}
    container_name: mvp-frontend
    environment:
-      NODE_ENV: development
      VITE_API_BASE_URL: http://backend:3001/api
      VITE_AUTH0_DOMAIN: ${VITE_AUTH0_DOMAIN:-motovaultpro.us.auth0.com}
      VITE_AUTH0_CLIENT_ID: ${VITE_AUTH0_CLIENT_ID:-yspR8zdnSxmV8wFIghHynQ08iXAPoQJ3}
--- a/docs/database-schema.md
+++ b/docs/database-schema.md
@@ -12,8 +12,8 @@ Complete database schema for MotoVaultPro Modified Feature Capsule architecture.

 ### Migration Tracking
 - **Table**: `_migrations`
- **Purpose**: Tracks executed migrations per feature
- **Location**: Created by `backend/src/_system/migrations/run-all.ts`
+- **Purpose**: Created by `backend/src/_system/migrations/run-all.ts` (not yet used for skipping executed files)
+- **Note**: Some SQL files use `IF NOT EXISTS`. Re-running all migrations may fail on indexes without `IF NOT EXISTS`.

 ## Core Tables

@@ -183,17 +183,7 @@ npm run migrate:all
 # Via Docker
 make migrate
 ```
-
-### Run Single Feature
-```bash
-# In container
-npm run migrate:feature vehicles
-
-# Individual features
-npm run migrate:feature fuel-logs
-npm run migrate:feature maintenance  
-npm run migrate:feature stations
-```
+Single-feature migration is not implemented yet.

 ### Migration Files
 - **Location**: `backend/src/features/[feature]/migrations/`
--- a/docs/security.md
+++ b/docs/security.md
@@ -2,7 +2,11 @@

 ## Authentication & Authorization

-### Protected Endpoints
+### Current State (MVP / Dev)
+- Backend uses a Fastify authentication plugin that injects a mock user for development/test.
+- JWT validation via Auth0 is not yet enabled on the backend; the frontend Auth0 flow works independently.
+
+### Intended Production Behavior
 All vehicle CRUD operations require JWT authentication via Auth0:
 - `POST /api/vehicles` - Create vehicle
 - `GET /api/vehicles` - Get user vehicles  
@@ -37,7 +41,7 @@ GET /api/vehicles/dropdown/trims
 4. **Information Disclosure**: Exposes system capabilities to unauthenticated users

 **Recommended Mitigations for Production:**
-1. **Rate Limiting**: Implement express-rate-limit (e.g., 100 requests/hour per IP)
+1. **Rate Limiting**: Implement request rate limiting (e.g., 100 requests/hour per IP)
 2. **Input Validation**: Sanitize make parameter in controller
 3. **CORS Restrictions**: Limit to application domain
 4. **Monitoring**: Add abuse detection logging
--- a/docs/testing.md
+++ b/docs/testing.md
@@ -27,7 +27,7 @@ backend/src/features/[name]/tests/
 make test
 ```

-This executes: `docker-compose exec backend npm test`
+This executes: `docker compose exec backend npm test`

 ### Feature-Specific Testing
 ```bash
@@ -45,9 +45,9 @@ npm test -- features/vehicles --coverage

 ### Test Environment Setup
 1. **Container-Based**: All tests run inside Docker containers
-2. **Test Database**: Isolated test database per feature
-3. **Mock External APIs**: No real API calls during testing
-4. **Cleanup**: Automatic test data cleanup after each test
+2. **Database**: Uses the development database in the stack (`motovaultpro`)
+3. **Mock External APIs**: No real API calls during testing (where implemented)
+4. **Cleanup**: Prefer transactions/cleanup per test; see feature tests for patterns

 ## Test Types

@@ -149,10 +149,14 @@ make clean && make dev
 **Coverage**: Exclude node_modules, include src only

 ### Database Testing
- **Test DB**: Same as development (motovaultpro)
- **Transactions**: Each test runs in transaction, rolled back after
- **Isolation**: Tests cannot interfere with each other
- **Seeding**: Minimal seed data, test-specific fixtures
+- **DB**: Same as development (`motovaultpro`) within Docker
+- **Transactions**: Recommended pattern is one transaction per test
+- **Isolation**: Keep tests independent; avoid shared state
+- **Seeding**: Use feature-level fixtures when needed
+
+### Coverage and Availability
+- Full test suite exists for `vehicles`.
+- Other features (e.g., `fuel-logs`, `stations`, `maintenance`) have placeholders and are being built out.

 ### Mock Strategy
 - **External APIs**: Completely mocked (vPIC, Google Maps)
@@ -214,7 +218,7 @@ make rebuild
 #### Database Connection Issues
 ```bash
 # Check postgres container
-docker-compose logs postgres
+docker compose logs postgres

 # Reset database
 make clean && make dev
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -4,8 +4,7 @@
  "type": "module",
  "scripts": {
    "dev": "vite",
-    "build": "tsc && vite build",
-    "build:docker": "tsc --project tsconfig.build.json && vite build",
+    "build": "tsc --project tsconfig.build.json && vite build",
    "preview": "vite preview",
    "test": "vitest",
    "test:ui": "vitest --ui",
--- a/scripts/generate-feature-capsule.sh
+++ b/scripts/generate-feature-capsule.sh
@@ -59,8 +59,8 @@ cat > "$BACKEND_DIR/README.md" << EOF
 # Run feature tests
 npm test -- features/$FEATURE_NAME

-# Run feature migrations
-npm run migrate:feature $FEATURE_NAME
+# Run migrations (all features)
+npm run migrate:all
 \`\`\`
 EOF