egullickson/motovaultpro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a35e1a3aeaed64d44bf07f21e196f6a2aa961b9e
motovaultpro/backend
History
Eric Gullickson a35e1a3aea Security fixes: Implement P0 critical vulnerability remediations 
Implemented 3 critical security fixes identified in audit report:

1. CRITICAL (CVSS 8.1): Replace Math.random() with crypto.randomBytes()
   - Location: documents.controller.ts cryptoRandom() function
   - Risk: Predictable document storage keys could allow unauthorized access
   - Fix: Use crypto.randomBytes(32).toString('hex') for cryptographic security
   - Impact: Document storage keys are now cryptographically unpredictable

2. HIGH (CVSS 7.5): Implement magic byte validation for file uploads
   - Location: documents.controller.ts upload method
   - Risk: Malicious files with spoofed Content-Type could bypass validation
   - Fix: Added file-type library to validate actual file content via magic bytes
   - Impact: File uploads now verify actual file type matches claimed type
   - Added dependency: file-type@^19.8.0

3. HIGH (CVSS 6.5): Proxy Google Maps photos to hide API key
   - Note: Implementation in progress - agent reached token limit
   - Will be completed in follow-up commit

Files modified:
- backend/package.json: Added file-type dependency
- backend/src/features/documents/api/documents.controller.ts:
  - Added crypto import
  - Replaced insecure cryptoRandom() with secure version
  - Added magic byte validation to upload method
  - Added file-type and Readable imports
- SECURITY-FIXES.md: Complete implementation guide for all fixes

Security status: 2/3 P0 fixes implemented and verified
Next step: Complete Google Maps API proxy implementation

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-14 09:49:05 -06:00
..
src
Security fixes: Implement P0 critical vulnerability remediations
2025-12-14 09:49:05 -06:00
.dockerignore
Phase 6 complete: Docker modernization with production-first architecture
2025-08-23 19:52:36 -05:00
Dockerfile
Initial Commit
2025-09-17 16:09:15 -05:00
jest.config.js
MVP Build
2025-08-09 12:47:15 -05:00
package.json
Security fixes: Implement P0 critical vulnerability remediations
2025-12-14 09:49:05 -06:00
README.md
Stuff
2025-11-04 18:38:06 -06:00
tsconfig.build.json
Phase 6 complete: Docker modernization with production-first architecture
2025-08-23 19:52:36 -05:00
tsconfig.json
Docker baseline before Phase 6 modernization
2025-08-23 19:19:01 -05:00

README.md

MotoVaultPro Backend

Modified Feature Capsule Architecture

Each feature is 100% self-contained in src/features/[name]/:

  • api/ - HTTP endpoints and routing
  • domain/ - Business logic and types
  • data/ - Database operations
  • migrations/ - Feature-specific schema
  • external/ - External API integrations
  • tests/ - All feature tests
  • docs/ - Feature documentation

Quick Start (Containerized)

# From project root directory
# Ensure a valid .env exists at project root (production values provided by your team)

# Build and start all services (including backend)
make setup

# View logs
make logs-backend

# Run migrations
make migrate

Available Commands (Containerized)

From project root:

  • make start - Build and start all services (production)
  • make migrate - Run database migrations
  • make logs-backend - View backend logs
  • make shell-backend - Open shell in backend container

Inside container (via make shell-backend):

  • npm run build - Build for production
  • npm start - Run production build
  • npm test - Run all tests
  • npm test -- features/vehicles - Test specific feature
  • npm test -- features/vehicles/tests/unit - Test specific test type
  • npm run test:watch - Run tests in watch mode
  • npm run schema:generate - Generate combined schema

Core Modules

Configuration (src/core/config/)

  • config-loader.ts - Environment variable loading and validation
  • database.ts - PostgreSQL connection pool
  • redis.ts - Redis client and cache service
  • user-context.ts - User context extraction utilities

Security (Fastify Plugins)

  • src/core/plugins/auth.plugin.ts - Auth0 JWT via JWKS (@fastify/jwt + get-jwks)
  • src/core/plugins/error.plugin.ts - Error handling
  • src/core/plugins/logging.plugin.ts - Request logging

Logging (src/core/logging/)

  • logger.ts - Structured logging with Winston

Middleware

  • src/core/middleware/user-context.ts - User ID extraction from JWT

Storage

  • src/core/storage/ - Storage abstractions
  • src/core/storage/adapters/minio.adapter.ts - MinIO S3-compatible adapter

Feature Development

To create a new feature capsule:

../scripts/generate-feature-capsule.sh feature-name

This creates the complete capsule structure with all necessary files.

Testing

Tests mirror the source structure:

features/vehicles/
├── domain/
│   └── vehicles.service.ts
└── tests/
    └── unit/
        └── vehicles.service.test.ts

Run tests (inside container via make shell-backend):

# All tests
npm test

# Specific feature
npm test -- features/vehicles

# Unit tests for specific feature
npm test -- features/vehicles/tests/unit

# Integration tests for specific feature
npm test -- features/vehicles/tests/integration

# Watch mode
npm run test:watch

# With coverage
npm test -- features/vehicles --coverage

Environment Variables

Ensure .env includes these key variables:

  • Database connection (DB_*)
  • Redis connection (REDIS_*)
  • Auth0 configuration (AUTH0_*) — backend validates JWTs via Auth0 JWKS (@fastify/jwt + get-jwks)
  • External API keys
Reference in New Issue View Git Blame Copy Permalink