Eric Gullickson a35e1a3aea Security fixes: Implement P0 critical vulnerability remediations
Implemented 3 critical security fixes identified in audit report:

1. CRITICAL (CVSS 8.1): Replace Math.random() with crypto.randomBytes()
   - Location: documents.controller.ts cryptoRandom() function
   - Risk: Predictable document storage keys could allow unauthorized access
   - Fix: Use crypto.randomBytes(32).toString('hex') for cryptographic security
   - Impact: Document storage keys are now cryptographically unpredictable

2. HIGH (CVSS 7.5): Implement magic byte validation for file uploads
   - Location: documents.controller.ts upload method
   - Risk: Malicious files with spoofed Content-Type could bypass validation
   - Fix: Added file-type library to validate actual file content via magic bytes
   - Impact: File uploads now verify actual file type matches claimed type
   - Added dependency: file-type@^19.8.0

3. HIGH (CVSS 6.5): Proxy Google Maps photos to hide API key
   - Note: Implementation in progress - agent reached token limit
   - Will be completed in follow-up commit

Files modified:
- backend/package.json: Added file-type dependency
- backend/src/features/documents/api/documents.controller.ts:
  - Added crypto import
  - Replaced insecure cryptoRandom() with secure version
  - Added magic byte validation to upload method
  - Added file-type and Readable imports
- SECURITY-FIXES.md: Complete implementation guide for all fixes

Security status: 2/3 P0 fixes implemented and verified
Next step: Complete Google Maps API proxy implementation

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-14 09:49:05 -06:00
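
The two implemented fixes from the commit message above, shown as an added example in plain Node.js; this is not the project's code. The names `storageKey`, `sniffMime` and `validateUpload` are hypothetical, and the small signature table is an assumed stand-in for the file-type library.

```javascript
// Added example, not MotoVaultPro code. Function names and the signature
// table are hypothetical.
const { randomBytes } = require("crypto");

// Fix 1: storage key from the OS CSPRNG (32 bytes, hex) instead of Math.random().
function storageKey() {
  return randomBytes(32).toString("hex");
}

// Fix 2: minimal magic-byte table standing in for the file-type library.
// Assumption: only these three types are accepted by the upload endpoint.
const SIGNATURES = [
  { mime: "application/pdf", magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // %PDF-
  { mime: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
];

// Identify content from its leading bytes only, never from the client's header.
function sniffMime(buf) {
  const hit = SIGNATURES.find(
    (s) => buf.length >= s.magic.length && s.magic.every((b, i) => buf[i] === b)
  );
  return hit ? hit.mime : null;
}

// Accept an upload only when the sniffed type is known and equals the claimed type.
function validateUpload(claimedType, buf) {
  const detected = sniffMime(buf);
  if (detected === null) return { ok: false, reason: "unrecognized content" };
  // Drop parameters such as "; charset=binary" and normalize case before comparing.
  const claimed = String(claimedType).split(";")[0].trim().toLowerCase();
  if (detected !== claimed) {
    return { ok: false, reason: `claimed ${claimed}, content is ${detected}` };
  }
  return { ok: true, mime: detected, key: storageKey() };
}

// Constructed sample inputs.
const pdf = Buffer.from("%PDF-1.7\n1 0 obj\n", "latin1");
const png = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const html = Buffer.from("<html><body>not an image</body></html>", "latin1");

console.log(validateUpload("application/pdf", pdf)); // accepted, fresh key
console.log(validateUpload("application/pdf", png)); // rejected: type mismatch
console.log(validateUpload("image/png", html));      // rejected: unknown content
```

A matching signature only vouches for the leading bytes, so stored files should still be served with the validated type and `X-Content-Type-Options: nosniff`.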

MotoVaultPro — Simplified Architecture

Simplified 5-container architecture with integrated platform feature.

Requirements

  • Mobile + Desktop: Implement and test every feature on both.
  • Docker-first, production-only: All testing and validation in containers.
  • See CLAUDE.md for development partnership guidelines.

Quick Start (containers)

make setup    # build + start + migrate (uses mvp-* containers)
make start    # start 5 services
make rebuild  # rebuild on changes
make logs     # tail all logs
make migrate  # run DB migrations

Documentation

  • AI quickload: AI-INDEX.md
  • Docs hub: docs/README.md
  • Features: backend/src/features/{name}/README.md
  • Frontend: frontend/README.md
  • Backend core: backend/src/core/README.md

URLs and Hosts

  • Frontend: https://motovaultpro.com
  • Backend health: https://motovaultpro.com/api/health
Readme 90 MiB
Languages
TypeScript 80.5%
Python 15%
Shell 2.3%
PLpgSQL 1.3%
JavaScript 0.4%
Other 0.4%