kyle/vip-coordinator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: add helmet, rate limiting, webhook auth, fix token storage, restrict hard deletes

Browse Source 
- Add helmet for HTTP security headers (CSP, HSTS, X-Frame-Options, etc.)
- Add @nestjs/throttler for rate limiting (100 req/60s per IP)
- Add shared secret validation on Signal webhook endpoint
- Remove JWT token from localStorage, use Auth0 SDK memory cache
  with async getAccessTokenSilently() in API interceptor
- Restrict hard delete (?hard=true) to ADMINISTRATOR role in service layer
- Replace exposed Anthropic API key with placeholder in .env

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kyle
2026-02-04 18:30:14 +01:00
parent 8e88880838
commit 934464bf8e
18 changed files with 132 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docker-compose.yml
View File

@@ -80,6 +80,7 @@ services:
DATABASE_URL: postgresql://postgres:changeme@postgres:5432/vip_coordinator
REDIS_URL: redis://redis:6379
SIGNAL_API_URL: http://signal-api:8080
SIGNAL_WEBHOOK_SECRET: ${SIGNAL_WEBHOOK_SECRET:-}
TRACCAR_API_URL: http://traccar:8082
TRACCAR_DEVICE_PORT: 5055
AUTH0_DOMAIN: ${AUTH0_DOMAIN}