Flesh out dd0c/alert: webhook routes, incident API, notification config, data layer
- Webhook routes: Datadog, PagerDuty, OpsGenie, Grafana with per-tenant HMAC/token auth
- Incident API: list (filtered), detail with alerts, acknowledge/resolve/suppress, dashboard summary
- Notification config: CRUD with upsert, test endpoint, Slack/email/webhook channels
- Grafana normalizer: severity mapping (critical/warning/info)
- Data layer: withTenant() RLS wrapper, Zod config validation
- Fastify server entry point with cors/helmet
2026-03-01 03:04:57 +00:00
|
|
|
import pg from 'pg';
|
|
|
|
|
import pino from 'pino';
|
|
|
|
|
import { config } from '../config/index.js';
|
|
|
|
|
|
|
|
|
|
const logger = pino({ name: 'data' });
|
|
|
|
|
|
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks
Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path
Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'
Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue
Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build
All 6 projects compile clean (tsc --noEmit).
2026-03-02 23:53:55 +00:00
|
|
|
const pool = new pg.Pool({ connectionString: config.DATABASE_URL });
|
Flesh out dd0c/alert: webhook routes, incident API, notification config, data layer
- Webhook routes: Datadog, PagerDuty, OpsGenie, Grafana with per-tenant HMAC/token auth
- Incident API: list (filtered), detail with alerts, acknowledge/resolve/suppress, dashboard summary
- Notification config: CRUD with upsert, test endpoint, Slack/email/webhook channels
- Grafana normalizer: severity mapping (critical/warning/info)
- Data layer: withTenant() RLS wrapper, Zod config validation
- Fastify server entry point with cors/helmet
2026-03-01 03:04:57 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* RLS tenant isolation wrapper.
|
|
|
|
|
* Sets `app.tenant_id` for the duration of the callback, then resets.
|
|
|
|
|
*/
|
|
|
|
|
export async function withTenant<T>(tenantId: string, fn: (client: pg.PoolClient) => Promise<T>): Promise<T> {
|
|
|
|
|
const client = await pool.connect();
|
|
|
|
|
try {
|
|
|
|
|
await client.query('BEGIN');
|
|
|
|
|
await client.query(`SET LOCAL app.tenant_id = '${tenantId}'`);
|
|
|
|
|
const result = await fn(client);
|
|
|
|
|
await client.query('COMMIT');
|
|
|
|
|
return result;
|
|
|
|
|
} catch (err) {
|
|
|
|
|
await client.query('ROLLBACK');
|
|
|
|
|
throw err;
|
|
|
|
|
} finally {
|
|
|
|
|
await client.query('RESET app.tenant_id');
|
|
|
|
|
client.release();
|
|
|
|
|
}
|
|
|
|
|
}
|
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks
Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path
Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'
Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue
Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build
All 6 projects compile clean (tsc --noEmit).
2026-03-02 23:53:55 +00:00
|
|
|
|
|
|
|
|
/** System-level queries that intentionally bypass RLS (auth, migrations, health) */
|
|
|
|
|
export async function systemQuery<T extends pg.QueryResultRow = any>(
|
|
|
|
|
text: string, params?: any[]
|
|
|
|
|
): Promise<pg.QueryResult<T>> {
|
|
|
|
|
return pool.query(text, params);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** For auth middleware that needs direct pool access for API key lookups */
|
|
|
|
|
export function getPoolForAuth(): pg.Pool {
|
|
|
|
|
return pool;
|
|
|
|
|
}
|