Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 43s
CI — P2 Drift (Go + Node) / saas (push) Failing after 5s
CI — P3 Alert / test (push) Failing after 4s
CI — P4 Portal / test (push) Failing after 4s
CI — P5 Cost / test (push) Failing after 4s
CI — P6 Run / saas (push) Failing after 5s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 7s
CI — P3 Alert / build-push (push) Has been skipped
CI — P4 Portal / build-push (push) Has been skipped
CI — P5 Cost / build-push (push) Has been skipped
CI — P6 Run / build-push (push) Failing after 5s
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 43s
CI — P2 Drift (Go + Node) / saas (push) Failing after 5s
CI — P3 Alert / test (push) Failing after 4s
CI — P4 Portal / test (push) Failing after 4s
CI — P5 Cost / test (push) Failing after 4s
CI — P6 Run / saas (push) Failing after 5s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 7s
CI — P3 Alert / build-push (push) Has been skipped
CI — P4 Portal / build-push (push) Has been skipped
CI — P5 Cost / build-push (push) Has been skipped
CI — P6 Run / build-push (push) Failing after 5s
Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path
Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'
Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue
Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build
All 6 projects compile clean (tsc --noEmit).
This commit is contained in:
@@ -4,12 +4,11 @@ import { config } from '../config/index.js';
|
||||
|
||||
const logger = pino({ name: 'data' });
|
||||
|
||||
export const pool = new pg.Pool({ connectionString: config.DATABASE_URL });
|
||||
const pool = new pg.Pool({ connectionString: config.DATABASE_URL });
|
||||
|
||||
/**
|
||||
* RLS tenant isolation wrapper.
|
||||
* Sets `app.tenant_id` for the duration of the callback, then resets.
|
||||
* Prevents connection pool tenant context leakage (BMad must-have).
|
||||
*/
|
||||
export async function withTenant<T>(tenantId: string, fn: (client: pg.PoolClient) => Promise<T>): Promise<T> {
|
||||
const client = await pool.connect();
|
||||
@@ -27,3 +26,15 @@ export async function withTenant<T>(tenantId: string, fn: (client: pg.PoolClient
|
||||
client.release();
|
||||
}
|
||||
}
|
||||
|
||||
/** System-level queries that intentionally bypass RLS (auth, migrations, health) */
|
||||
export async function systemQuery<T extends pg.QueryResultRow = any>(
|
||||
text: string, params?: any[]
|
||||
): Promise<pg.QueryResult<T>> {
|
||||
return pool.query(text, params);
|
||||
}
|
||||
|
||||
/** For auth middleware that needs direct pool access for API key lookups */
|
||||
export function getPoolForAuth(): pg.Pool {
|
||||
return pool;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user