Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks

Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path

Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'

Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue

Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build

All 6 projects compile clean (tsc --noEmit).

products/02-iac-drift-detection/saas/migrations/003_invites.sql

@@ -0,0 +1,13 @@
+CREATE TABLE IF NOT EXISTS tenant_invites (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
+  email TEXT NOT NULL,
+  role TEXT NOT NULL DEFAULT 'member' CHECK (role IN ('admin', 'member', 'viewer')),
+  token TEXT NOT NULL UNIQUE,
+  invited_by UUID NOT NULL REFERENCES users(id),
+  expires_at TIMESTAMPTZ NOT NULL DEFAULT NOW() + INTERVAL '7 days',
+  accepted_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_tenant_invites_token ON tenant_invites(token);
+CREATE INDEX IF NOT EXISTS idx_tenant_invites_email ON tenant_invites(email);

products/02-iac-drift-detection/saas/package.json

@@ -14,6 +14,7 @@
   "dependencies": {
     "fastify": "^4.28.0",
     "@fastify/cors": "^9.0.0",
+    "@fastify/rate-limit": "^9.1.0",
     "@fastify/helmet": "^11.1.0",
     "pg": "^8.12.0",
     "drizzle-orm": "^0.31.0",

products/02-iac-drift-detection/saas/src/auth/middleware.ts

@@ -15,21 +15,11 @@ export interface AuthPayload {
 }
 
 /**
- * JWT auth middleware. Extracts tenant context from Bearer token.
- * Also supports API key auth via `X-API-Key` header (dd0c_ prefix).
+ * Returns an onRequest hook that validates JWT or API key auth.
+ * No URL matching — only register this hook inside a protected plugin scope.
  */
-export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool) {
-  app.decorateRequest('tenantId', '');
-  app.decorateRequest('userId', '');
-  app.decorateRequest('userRole', 'viewer');
-
-  app.addHook('onRequest', async (req: FastifyRequest, reply: FastifyReply) => {
-    if (req.url === '/health' || req.url === '/version') return;
-    if (req.url.startsWith('/webhooks/')) return;
-    if (req.url.startsWith('/slack/')) return;
-    const path = req.url.split('?')[0];
-    if (path === '/api/v1/auth/login' || path === '/api/v1/auth/signup') return;
-
+export function authHook(jwtSecret: string, pool: Pool) {
+  return async (req: FastifyRequest, reply: FastifyReply) => {
     const apiKey = req.headers['x-api-key'] as string | undefined;
     const authHeader = req.headers['authorization'];
 
@@ -38,7 +28,7 @@ export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool
         return reply.status(401).send({ error: 'Invalid API key format' });
       }
 
-      const prefix = apiKey.slice(0, 13); // dd0c_ + 8 hex chars
+      const prefix = apiKey.slice(0, 13);
       const keyHash = crypto.createHash('sha256').update(apiKey).digest('hex');
 
       const result = await pool.query(
@@ -61,7 +51,7 @@ export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool
     if (authHeader?.startsWith('Bearer ')) {
       const token = authHeader.slice(7);
       try {
-        const payload = jwt.verify(token, jwtSecret) as AuthPayload;
+        const payload = jwt.verify(token, jwtSecret, { algorithms: ['HS256'] }) as AuthPayload;
         (req as any).tenantId = payload.tenantId;
         (req as any).userId = payload.userId;
         (req as any).userRole = payload.role;
@@ -72,7 +62,17 @@ export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool
     }
 
     return reply.status(401).send({ error: 'Missing authentication' });
-  });
+  };
+}
+
+/**
+ * Decorate the Fastify request with auth properties.
+ * Call this once on the root app instance before registering any routes.
+ */
+export function decorateAuth(app: FastifyInstance) {
+  app.decorateRequest('tenantId', '');
+  app.decorateRequest('userId', '');
+  app.decorateRequest('userRole', 'viewer');
 }
 
 export function requireRole(req: FastifyRequest, reply: FastifyReply, minRole: AuthPayload['role']): boolean {
@@ -123,11 +123,21 @@ const loginSchema = z.object({
 const signupSchema = z.object({
   email: z.string().email(),
   password: z.string().min(8),
-  tenant_name: z.string().min(1).max(100),
+  tenant_name: z.string().min(1).max(100).optional(),
+  invite_token: z.string().optional(),
+}).refine(
+  (data) => data.invite_token || data.tenant_name,
+  { message: 'Either tenant_name or invite_token is required', path: ['tenant_name'] },
+);
+
+const inviteSchema = z.object({
+  email: z.string().email(),
+  role: z.enum(['admin', 'member', 'viewer']).default('member'),
 });
 
+/** Public auth routes — login/signup. No auth required. */
 export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool: Pool) {
-  app.post('/api/v1/auth/login', async (req, reply) => {
+  app.post('/api/v1/auth/login', { config: { rateLimit: { max: 5, timeWindow: '1 minute' } } }, async (req, reply) => {
     const body = loginSchema.parse(req.body);
 
     const result = await pool.query(
@@ -152,29 +162,64 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
     return { token, expires_in: '24h' };
   });
 
-  app.post('/api/v1/auth/signup', async (req, reply) => {
+  app.post('/api/v1/auth/signup', { config: { rateLimit: { max: 3, timeWindow: '1 minute' } } }, async (req, reply) => {
     const body = signupSchema.parse(req.body);
 
-    // Check if email already exists
     const existing = await pool.query('SELECT id FROM users WHERE email = $1', [body.email]);
     if (existing.rows[0]) return reply.status(409).send({ error: 'Email already registered' });
 
     const passwordHash = await hashPassword(body.password);
-    const slug = body.tenant_name.toLowerCase().replace(/[^a-z0-9]+/g, '-').slice(0, 42) + '-' + crypto.randomBytes(3).toString('hex');
 
     const client = await pool.connect();
     try {
       await client.query('BEGIN');
 
-      const tenant = await client.query(
-        `INSERT INTO tenants (name, slug) VALUES ($1, $2) RETURNING id`,
-        [body.tenant_name, slug],
-      );
-      const tenantId = tenant.rows[0].id;
+      let tenantId: string;
+      let role: string;
+
+      if (body.invite_token) {
+        const invite = await client.query(
+          `SELECT id, tenant_id, role, expires_at, accepted_at FROM tenant_invites WHERE token = $1`,
+          [body.invite_token],
+        );
+        if (!invite.rows[0]) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'Invalid invite token' });
+        }
+        const inv = invite.rows[0];
+        if (inv.accepted_at) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'Invite already accepted' });
+        }
+        if (new Date(inv.expires_at) < new Date()) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'Invite expired' });
+        }
+
+        tenantId = inv.tenant_id;
+        role = inv.role;
+
+        await client.query(
+          `UPDATE tenant_invites SET accepted_at = NOW() WHERE id = $1`,
+          [inv.id],
+        );
+      } else {
+        if (!body.tenant_name) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'tenant_name is required for new signups' });
+        }
+        const slug = body.tenant_name.toLowerCase().replace(/[^a-z0-9]+/g, '-').slice(0, 42) + '-' + crypto.randomBytes(3).toString('hex');
+        const tenant = await client.query(
+          `INSERT INTO tenants (name, slug) VALUES ($1, $2) RETURNING id`,
+          [body.tenant_name, slug],
+        );
+        tenantId = tenant.rows[0].id;
+        role = 'owner';
+      }
 
       const user = await client.query(
-        `INSERT INTO users (tenant_id, email, password_hash, role) VALUES ($1, $2, $3, 'owner') RETURNING id`,
-        [tenantId, body.email, passwordHash],
+        `INSERT INTO users (tenant_id, email, password_hash, role) VALUES ($1, $2, $3, $4) RETURNING id`,
+        [tenantId, body.email, passwordHash, role],
       );
 
       await client.query('COMMIT');
@@ -183,7 +228,7 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
         tenantId,
         userId: user.rows[0].id,
         email: body.email,
-        role: 'owner',
+        role: role as AuthPayload['role'],
       }, jwtSecret);
 
       return reply.status(201).send({ token, tenant_id: tenantId, expires_in: '24h' });
@@ -194,7 +239,10 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
       client.release();
     }
   });
+}
 
+/** Protected auth routes — me, api-keys, invites. Must be registered inside an auth-protected plugin scope. */
+export function registerProtectedAuthRoutes(app: FastifyInstance, jwtSecret: string, pool: Pool) {
   app.get('/api/v1/auth/me', async (req, reply) => {
     return {
       tenant_id: (req as any).tenantId,
@@ -203,7 +251,6 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
     };
   });
 
-  // Generate API key
   app.post('/api/v1/auth/api-keys', async (req, reply) => {
     const tenantId = (req as any).tenantId;
     const userId = (req as any).userId;
@@ -219,7 +266,53 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
       [tenantId, userId, prefix, keyHash],
     );
 
-    // Return the raw key ONCE — it's never stored or retrievable again
     return reply.status(201).send({ api_key: rawKey, prefix });
   });
+
+  // --- Invite endpoints ---
+
+  app.post('/api/v1/auth/invite', async (req, reply) => {
+    if (!requireRole(req, reply, 'admin')) return;
+    const tenantId = (req as any).tenantId;
+    const userId = (req as any).userId;
+    const body = inviteSchema.parse(req.body);
+
+    const token = crypto.randomBytes(32).toString('hex');
+    const result = await pool.query(
+      `INSERT INTO tenant_invites (tenant_id, email, role, token, invited_by)
+       VALUES ($1, $2, $3, $4, $5)
+       RETURNING expires_at`,
+      [tenantId, body.email, body.role, token, userId],
+    );
+
+    return reply.status(201).send({ invite_token: token, expires_at: result.rows[0].expires_at });
+  });
+
+  app.get('/api/v1/auth/invites', async (req, reply) => {
+    if (!requireRole(req, reply, 'admin')) return;
+    const tenantId = (req as any).tenantId;
+
+    const result = await pool.query(
+      `SELECT id, email, role, expires_at, created_at FROM tenant_invites
+       WHERE tenant_id = $1 AND accepted_at IS NULL AND expires_at > NOW()
+       ORDER BY created_at DESC`,
+      [tenantId],
+    );
+
+    return { invites: result.rows };
+  });
+
+  app.delete('/api/v1/auth/invites/:id', async (req, reply) => {
+    if (!requireRole(req, reply, 'admin')) return;
+    const tenantId = (req as any).tenantId;
+    const { id } = req.params as { id: string };
+
+    const result = await pool.query(
+      `DELETE FROM tenant_invites WHERE id = $1 AND tenant_id = $2 AND accepted_at IS NULL RETURNING id`,
+      [id, tenantId],
+    );
+
+    if (!result.rows[0]) return reply.status(404).send({ error: 'Invite not found' });
+    return { deleted: true };
+  });
 }

products/02-iac-drift-detection/saas/src/config/index.ts

@@ -6,7 +6,7 @@ const envSchema = z.object({
   DATABASE_URL: z.string().default('postgres://dd0c:dd0c@localhost:5432/dd0c_drift'),
   REDIS_URL: z.string().default('redis://localhost:6379'),
   JWT_SECRET: z.string().default('dev-secret-change-me'),
-  CORS_ORIGIN: z.string().default('*'),
+  CORS_ORIGIN: z.string().default('http://localhost:5173'),
   LOG_LEVEL: z.string().default('info'),
   SQS_QUEUE_URL: z.string().optional(),
   S3_BUCKET: z.string().default('dd0c-drift-snapshots'),

products/02-iac-drift-detection/saas/src/data/db.ts

@@ -15,7 +15,6 @@ export function createPool(connectionString: string): pg.Pool {
  * MUST be cleared when returning the connection to the pool.
  */
 export async function setTenantContext(client: pg.PoolClient, tenantId: string): Promise<void> {
-  // SET doesn't support parameterized queries — validate UUID format then interpolate
   if (!/^[0-9a-f-]{36}$/i.test(tenantId)) throw new Error('Invalid tenant ID');
   await client.query(`SET LOCAL app.tenant_id = '${tenantId}'`);
 }

products/02-iac-drift-detection/saas/src/index.ts

@@ -2,11 +2,11 @@ import Fastify from 'fastify';
 import cors from '@fastify/cors';
 import helmet from '@fastify/helmet';
 import { config } from './config/index.js';
-import { registerProcessorRoutes } from './processor/routes.js';
-import { registerApiRoutes } from './api/routes.js';
-import { registerAuth, registerAuthRoutes } from './auth/middleware.js';
 import { createPool } from './data/db.js';
 import { createRedis } from './data/redis.js';
+import { registerProcessorRoutes } from './processor/routes.js';
+import { registerApiRoutes } from './api/routes.js';
+import { authHook, decorateAuth, registerAuthRoutes, registerProtectedAuthRoutes } from './auth/middleware.js';
 
 const app = Fastify({
   logger: {
@@ -27,19 +27,22 @@ async function start() {
   app.decorate('redis', redis);
   app.decorate('config', config);
 
-  // Auth
-  registerAuth(app, config.jwtSecret, pool);
+  decorateAuth(app);
 
-  // Health (before auth)
+  // Public routes (no auth)
   app.get('/health', async () => ({ status: 'ok' }));
-app.get('/version', async () => ({ version: process.env.BUILD_SHA || 'dev', built: process.env.BUILD_TIME || 'unknown' }));
+  app.get('/version', async () => ({ version: process.env.BUILD_SHA || 'dev', built: process.env.BUILD_TIME || 'unknown' }));
 
-  // Auth routes (signup/login)
+  // Auth routes (public - login/signup)
   registerAuthRoutes(app, config.jwtSecret, pool);
 
-  // Routes
-  await registerProcessorRoutes(app);
-  await registerApiRoutes(app);
+  // Protected routes (auth required)
+  app.register(async function protectedRoutes(protectedApp) {
+    protectedApp.addHook('onRequest', authHook(config.jwtSecret, pool));
+    registerProtectedAuthRoutes(protectedApp, config.jwtSecret, pool);
+    await registerProcessorRoutes(protectedApp);
+    await registerApiRoutes(protectedApp);
+  });
 
   await app.listen({ port: config.port, host: '0.0.0.0' });
   app.log.info(`dd0c/drift SaaS listening on :${config.port}`);
@@ -51,6 +54,3 @@ start().catch((err) => {
 });
 
 export { app };
-// CI: 2026-03-01T06:52:14Z
-// CI fix: 06:56
-// build: 2026-03-01T22:59:34Z