fix: security hardening — auth, CORS, uploads, sessions, errors, Docker #18 #19

Merged

RiasGFirst merged 2 commits from fix-security-hardening into m2-banking-management 2026-06-10 16:42:40 +00:00

Conversation 0 Commits 2 Files changed 12 +285 -93

RiasGFirst commented 2026-06-10 16:42:22 +00:00

Owner

Copy link

Résumé

Correction des failles 1 à 11 identifiées dans l'audit de sécurité du 10 juin 2026.
Branche : fix-security-hardening depuis m2-banking-management.

• Toutes les routes /api/banks protégées par isAuthenticated
• CORS restreint à une whitelist via FRONTEND_URL (fini l'origin: true)
• Upload limité à PNG/JPEG/WebP, 2 Mo max, double validation MIME + extension
• Cookie de session durci : httpOnly, sameSite: lax, secure en prod, trust proxy
• Sessions persistées en base via connect-pg-simple (plus de MemoryStore)
• Gestionnaire d'erreurs global — format { status, message, data } sans stack trace
• Middleware validateUuid réutilisable appliqué sur toutes les routes /:id
• PUT /api/banks/:id → PATCH, body vide rejeté en 400
• Validation regex hex sur Bank.color
• UPLOAD_DIR centralisé via env var — logos persistés correctement sur le volume Docker
• Credentials Postgres sortis du compose vers .env racine + .env.example

Checklist

• test/banks.html mis à jour (PUT → PATCH)
• docs/endpoints.md mis à jour
• Deux commits distincts selon la convention
• Aucun credential en dur
• Aucune stack trace exposée côté client

À faire après merge

Reprendre l'issue #10 (CRUD Comptes) sur feat-bank-accounts.

Closes #18

## Résumé Correction des failles 1 à 11 identifiées dans l'audit de sécurité du 10 juin 2026. Branche : `fix-security-hardening` depuis `m2-banking-management`. - Toutes les routes `/api/banks` protégées par `isAuthenticated` - CORS restreint à une whitelist via `FRONTEND_URL` (fini l'`origin: true`) - Upload limité à PNG/JPEG/WebP, 2 Mo max, double validation MIME + extension - Cookie de session durci : `httpOnly`, `sameSite: lax`, `secure` en prod, `trust proxy` - Sessions persistées en base via `connect-pg-simple` (plus de MemoryStore) - Gestionnaire d'erreurs global — format `{ status, message, data }` sans stack trace - Middleware `validateUuid` réutilisable appliqué sur toutes les routes `/:id` - `PUT /api/banks/:id` → `PATCH`, body vide rejeté en 400 - Validation regex hex sur `Bank.color` - `UPLOAD_DIR` centralisé via env var — logos persistés correctement sur le volume Docker - Credentials Postgres sortis du compose vers `.env` racine + `.env.example` ## Checklist * [x] `test/banks.html` mis à jour (PUT → PATCH) * [x] `docs/endpoints.md` mis à jour * [x] Deux commits distincts selon la convention * [x] Aucun credential en dur * [x] Aucune stack trace exposée côté client ## À faire après merge Reprendre l'issue #10 (CRUD Comptes) sur `feat-bank-accounts`. Closes #18

RiasGFirst added 2 commits 2026-06-10 16:42:22 +00:00

fix: security hardening (auth, cors, uploads, sessions, errors) #18 ... c4591637d7

- Add isAuthenticated middleware to all /api/banks routes
- Replace open CORS (origin: true) with FRONTEND_URL whitelist
- Restrict uploads to PNG/JPEG/WebP with double MIME+ext validation and 2MB limit
- Harden session cookie: httpOnly, sameSite lax, secure in prod, trust proxy
- Replace MemoryStore with connect-pg-simple (createTableIfMissing)
- Add global error handler for INVALID_FILE_TYPE, LIMIT_FILE_SIZE, Sequelize errors
- Add validateUuid middleware applied to all /:id routes in banks.js
- Rename PUT /api/banks/:id to PATCH, reject empty body with 400
- Add path.basename() defense on logo_path before fs.unlink
- Add hex color validation on Bank.color field
- Update test/banks.html (PUT -> PATCH) and docs/endpoints.md

Made By Aelys

chore: docker config (uploads volume, postgres credentials) #18 ... bfec92a2df

- fileService.js: UPLOAD_DIR from process.env.UPLOAD_DIR with local fallback
- banks.js: import UPLOAD_DIR from fileService instead of hardcoded path
- docker-compose.yml: UPLOAD_DIR env var and Postgres credentials via env interpolation
- Add .env.example at repo root documenting POSTGRES_USER/PASSWORD/DB
- Install connect-pg-simple dependency

Made By Aelys

RiasGFirst added this to the RiasBudget project 2026-06-10 16:42:27 +00:00

RiasGFirst self-assigned this 2026-06-10 16:42:30 +00:00

RiasGFirst merged commit 5bbb2f8566 into m2-banking-management 2026-06-10 16:42:40 +00:00

RiasGFirst deleted branch fix-security-hardening 2026-06-10 16:42:40 +00:00

RiasGFirst referenced this pull request from a commit 2026-06-10 16:42:40 +00:00

Merge pull request 'fix: security hardening — auth, CORS, uploads, sessions, errors, Docker #18' (#19) from fix-security-hardening into m2-banking-management

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

RiasBudget

Assignees

Clear assignees

No assignees

RiasGFirst

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

RiasNetwork/riasbudget!19

No description provided.