bcb1cea311e2966886644a82b3db3517952bc62a
Completed HIGH severity security fix (CVSS 6.5) to prevent Google Maps API key exposure to frontend clients.

Issue: API key was embedded in photo URLs sent to frontend, allowing potential abuse and quota exhaustion.

Solution: Implemented backend proxy endpoint for photos.

Backend Changes:
- google-maps.client.ts: Changed photoUrl to photoReference, added fetchPhoto()
- stations.types.ts: Updated type definition (photoUrl → photoReference)
- stations.controller.ts: Added getStationPhoto() proxy method
- stations.routes.ts: Added GET /api/stations/photo/:reference route
- stations.service.ts: Updated to use photoReference
- stations.repository.ts: Updated database queries and mappings
- admin controllers/services: Updated for consistency
- Created migration 003 to rename photo_url column

Frontend Changes:
- stations.types.ts: Updated type definition (photoUrl → photoReference)
- photo-utils.ts: NEW - Helper to generate proxy URLs
- StationCard.tsx: Use photoReference with helper function

Tests & Docs:
- Updated mock data to use photoReference
- Updated test expectations for proxy URLs
- Updated API.md and TESTING.md documentation

Database Migration:
- 003_rename_photo_url_to_photo_reference.sql: Renames column in station_cache

Security Benefits:
- API key never sent to frontend
- All photo requests proxied through authenticated endpoint
- Photos cached for 24 hours (Cache-Control header)
- No client-side API key exposure

Files modified: 16 files
New files: 2 (photo-utils.ts, migration 003)

Status: All 3 P0 security fixes now complete
- Fix 1: crypto.randomBytes() ✓
- Fix 2: Magic byte validation ✓
- Fix 3: API key proxy ✓

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
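The proxy pattern the commit describes, as an added TypeScript example that is not the project's code: the client receives only a photo reference and a path on the application's own API, while the key is attached server-side and the response carries the 24-hour Cache-Control header. The Places photo endpoint URL, the maxwidth parameter, the reference-format check and all function names are assumptions.

```typescript
// Added example of the proxy pattern the commit describes; not the project's code.
// Endpoint URL, parameter names and the reference-format check are assumptions.
const PLACES_PHOTO_ENDPOINT = "https://maps.googleapis.com/maps/api/place/photo";
const PHOTO_CACHE_SECONDS = 24 * 60 * 60; // 24-hour Cache-Control, as in the commit

// Photo references are opaque tokens; accept only URL-safe characters so a
// malformed reference cannot smuggle extra query parameters upstream.
const PHOTO_REFERENCE_RE = /^[A-Za-z0-9_-]{20,}$/;

export function isValidPhotoReference(ref: string): boolean {
  return PHOTO_REFERENCE_RE.test(ref);
}

// Before the fix: the key travelled to every browser inside the photo URL.
export function leakyPhotoUrl(ref: string, apiKey: string): string {
  return `${PLACES_PHOTO_ENDPOINT}?maxwidth=400&photo_reference=${ref}&key=${apiKey}`;
}

// After the fix: the client only ever sees a path on our own API.
export function proxyPhotoUrl(ref: string): string {
  return `/api/stations/photo/${encodeURIComponent(ref)}`;
}

// Server side only: the key is attached here and never echoed back.
export function buildUpstreamPhotoUrl(ref: string, apiKey: string, maxWidth = 400): string {
  return `${PLACES_PHOTO_ENDPOINT}?maxwidth=${maxWidth}` +
    `&photo_reference=${encodeURIComponent(ref)}&key=${encodeURIComponent(apiKey)}`;
}

// Minimal fetch shape so the handler is testable offline; global fetch satisfies it in production.
export interface UpstreamResponse {
  ok: boolean;
  headers: { get(name: string): string | null };
  arrayBuffer(): Promise<ArrayBuffer>;
}
export type Fetcher = (url: string) => Promise<UpstreamResponse>;
export interface ProxyResult { status: number; headers: Record<string, string>; body: Uint8Array | null }

// Handler behind GET /api/stations/photo/:reference
export async function handleStationPhoto(ref: string, apiKey: string, fetchImpl: Fetcher): Promise<ProxyResult> {
  if (!isValidPhotoReference(ref)) return { status: 400, headers: {}, body: null };
  const upstream = await fetchImpl(buildUpstreamPhotoUrl(ref, apiKey));
  const contentType = upstream.headers.get("content-type") ?? "";
  // Do not relay upstream error bodies: provider error text may include the request URL.
  if (!upstream.ok || !contentType.startsWith("image/")) return { status: 502, headers: {}, body: null };
  return {
    status: 200,
    headers: { "Content-Type": contentType, "Cache-Control": `public, max-age=${PHOTO_CACHE_SECONDS}` },
    body: new Uint8Array(await upstream.arrayBuffer()),
  };
}
```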
MotoVaultPro — Simplified Architecture
Simplified 5-container architecture with integrated platform feature.
Requirements
- Mobile + Desktop: Implement and test every feature on both.
- Docker-first, production-only: All testing and validation in containers.
- See CLAUDE.md for development partnership guidelines.
Quick Start (containers)
make setup # build + start + migrate (uses mvp-* containers)
make start # start 5 services
make rebuild # rebuild on changes
make logs # tail all logs
make migrate # run DB migrations
Documentation
- AI quickload: AI-INDEX.md
- Docs hub: docs/README.md
- Features: backend/src/features/{name}/README.md
- Frontend: frontend/README.md
- Backend core: backend/src/core/README.md
URLs and Hosts
- Frontend: https://motovaultpro.com
- Backend health: https://motovaultpro.com/api/health
Languages: TypeScript 80.5%, Python 15%, Shell 2.3%, PLpgSQL 1.3%, JavaScript 0.4%, Other 0.4%