Commit 074a5ab
implement authentication and authorization system mern migration task 3 (#40)
* feat(backend): Implement authentication and authorization system
- Add cookie-parser middleware for session management
- Implement user model and authentication service with JWT and session-based authentication
- Create authentication and authorization middleware for role-based access control
- Develop project and user models to manage user roles and permissions
- Integrate Redis for session storage and improve database connection handling
- Add comprehensive unit and integration tests for authentication flows
- Update documentation to reflect new authentication implementation and usage
This commit establishes a robust authentication and authorization framework, enhancing security and user management capabilities across the application.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* fix(backend): Update user ID handling in project service and improve integration test timeouts
- Modify getUserProjects method to convert userId to ObjectId for accurate MongoDB queries.
- Increase timeout for container startup in integration tests to 120 seconds to ensure reliable test execution.
- Adjust cookie handling in authentication tests to support both single and array formats for improved robustness.
These changes enhance the reliability of user project retrieval and improve the stability of integration tests.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* fix(backend): Enhance project model middleware and improve integration test cleanup
- Update project model middleware to ensure `next()` is called only if it's a function, preventing potential errors.
- Refactor integration tests to improve cleanup order for Redis and MongoDB containers, ensuring proper resource management and reducing test flakiness.
These changes enhance the reliability of the project model and improve the stability of integration tests.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* chore(pre-commit): Update Prettier hook to use local npm script for consistent formatting
- Refactor Prettier hook to utilize a local command that runs `npm run format`, ensuring the same Prettier version and configuration as used in npm scripts.
- Adjust hook settings to always run and exclude passing filenames, improving integration with the project's formatting workflow.
These changes enhance the reliability of code formatting across the project.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* feat(backend): Implement CSRF protection and enhance authentication tests
- Introduced CSRF protection middleware using Lusca, ensuring secure handling of state-changing requests.
- Updated authentication integration tests to include CSRF token handling for login requests, improving security during testing.
- Added helper functions to facilitate CSRF token retrieval for both unauthenticated and authenticated requests.
- Updated package dependencies to include Lusca and its type definitions.
These changes enhance the security of the application by implementing CSRF protection and improving the robustness of authentication tests.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* feat(backend): Replace Lusca with CSRF protection and enhance middleware
- Removed Lusca dependency and integrated CSRF protection using the csrf package.
- Updated middleware to handle CSRF token generation and validation for state-changing requests.
- Refactored related tests to accommodate the new CSRF implementation.
- Updated package dependencies to reflect the removal of Lusca and addition of csrf.
These changes improve the security posture of the application by implementing a more flexible CSRF protection mechanism.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* Potential fix for code scanning alert no. 1: Missing rate limiting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix: build shared package before type-check in CI
The type-check step was failing because backend imports from @hashhive/shared,
but the shared package's dist output wasn't built yet. Added build-shared as a
dependency before type-check in the ci-check recipe.
Co-Authored-By: Warp <agent@warp.dev>
* fix: extract magic numbers in rate limiter to named constants
Resolve ESLint @typescript-eslint/no-magic-numbers violations by
extracting rate limiter configuration values into descriptive constants.
Co-Authored-By: Warp <agent@warp.dev>
* feat(backend): Enhance rate limiting and database connection settings
- Added express-rate-limit package to implement rate limiting on sensitive authentication endpoints.
- Updated Jest configuration to improve coverage thresholds for various files.
- Enhanced MongoDB connection settings with server selection and socket timeouts for better reliability.
- Updated .prettierignore to exclude Next.js generated files.
These changes improve the security and performance of the application by enforcing request limits and optimizing database connectivity.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* feat(backend): Refactor CSRF handling and enhance project service with transactions
- Updated CSRF token handling in the middleware to reuse existing secrets, improving token validity across requests.
- Enhanced project creation in ProjectService to use MongoDB transactions, ensuring atomicity when creating projects and associated users.
- Improved error logging in optional authentication middleware to capture and log authentication errors.
- Refactored CSRF token retrieval in tests to align with the new header-based approach.
These changes enhance security and reliability in CSRF handling and project management processes.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* fix(ci): use npx to run eslint in workspace packages
The lint command in backend, frontend, and shared packages was failing
because eslint was not found. The eslint package is installed at the
root level as a devDependency, but workspace packages need to use 'npx'
to resolve binaries from the workspace tree.
This change updates all workspace package.json files to use 'npx eslint'
instead of 'eslint' directly.
Co-Authored-By: Warp <agent@warp.dev>
* feat(workflow): add GitHub Copilot setup workflow
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* Address PR #40 review feedback: CORS, CSRF middleware, and role aggregation (#41)
* Initial plan
* fix: Apply PR review feedback - CORS, CSRF, and role aggregation improvements
Co-authored-by: unclesp1d3r <251112+unclesp1d3r@users.noreply.github.com>
* refactor: Simplify CSRF middleware logic and remove redundant await
Co-authored-by: unclesp1d3r <251112+unclesp1d3r@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: unclesp1d3r <251112+unclesp1d3r@users.noreply.github.com>
* Update backend/src/routes/auth.routes.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* chore(ci): update node version file references and add .nvmrc
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* chore(models): remove redundant index declarations to avoid duplication
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* feat(auth): enhance password handling and upgrade flag logic
- Added password_requires_upgrade field to IUser model.
- Updated login logic to flag users with weak passwords for upgrade.
- Improved error messages for Redis client status.
- Enhanced tests for login functionality and session management.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* feat(csrf): implement encryption for CSRF secrets in cookies
- Added functions to encrypt and decrypt CSRF secrets using AES-256-GCM.
- Updated CSRF cookie handling to store encrypted secrets, enhancing security.
- Improved error handling for encryption and decryption processes.
These changes strengthen the protection of CSRF tokens by ensuring sensitive information is not stored in plaintext.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* feat(auth): improve user mapping and enhance CSRF key handling
- Added a utility function to map Mongoose IUser documents to a User object for request context, improving code readability and maintainability.
- Cached the CSRF encryption key at application startup to optimize performance by avoiding repeated PBKDF2 computations.
- Updated project model to change the pre-save hook to a pre-validate hook for slug generation, ensuring validation requirements are met.
These changes enhance the efficiency and clarity of user authentication and CSRF handling processes.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* Fix failing checks for run 19625498172 (#47)
Co-authored-by: Warp Agent <agent@warp.dev>
Co-authored-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
* docs: add ci-check reminder before committing changes in AGENTS.md and copilot-instructions.md
- Included a note to run `just ci-check` to ensure all checks and tests pass before committing changes, emphasizing the importance of task completion.
This update enhances the development workflow documentation for better adherence to quality checks.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
---------
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Warp Agent <agent@warp.dev>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
1 parent bddd2e3
commit 074a5ab
59 files changed
Lines changed: 4923 additions & 208 deletions
File tree
- .github
- workflows
- .kiro/specs/mern-migration
- backend
- src
- config
- db
- middleware
- models
- routes
- services
- types
- utils
- tests
- helpers
- integration
- unit
- docs
- frontend