Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks

Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit).
2026-03-02 23:53:55 +00:00
parent be3f37cfdd
commit eb953cdea5
67 changed files with 4461 additions and 410 deletions
--- a/products/docker-compose.yml
+++ b/products/docker-compose.yml
@@ -9,8 +9,13 @@ services:
  postgres:
    image: postgres:16-alpine
    environment:
-      POSTGRES_USER: dd0c
-      POSTGRES_PASSWORD: dd0c-dev
+      POSTGRES_USER: ${POSTGRES_USER:-dd0c}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-dd0c-dev}
+      DB_DRIFT_PASSWORD: ${DB_DRIFT_PASSWORD:-dd0c-dev}
+      DB_ALERT_PASSWORD: ${DB_ALERT_PASSWORD:-dd0c-dev}
+      DB_PORTAL_PASSWORD: ${DB_PORTAL_PASSWORD:-dd0c-dev}
+      DB_COST_PASSWORD: ${DB_COST_PASSWORD:-dd0c-dev}
+      DB_RUN_PASSWORD: ${DB_RUN_PASSWORD:-dd0c-dev}
    ports:
      - "5433:5432"
    volumes:
@@ -64,9 +69,9 @@ services:
    environment:
      NODE_ENV: production
      PORT: "3000"
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_route
+      DATABASE_URL: postgresql://dd0c:${POSTGRES_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_route
      REDIS_URL: redis://redis:6379
-      JWT_SECRET: dev-secret-change-me-in-production!!
+      JWT_SECRET: ${JWT_SECRET:-dev-secret-change-me-in-production!!}
      LOG_LEVEL: info
    depends_on:
      postgres: { condition: service_healthy }
@@ -82,7 +87,7 @@ services:
    ports:
      - "8080:8080"
    environment:
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_route
+      DATABASE_URL: postgresql://dd0c:${POSTGRES_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_route
      REDIS_URL: redis://redis:6379
      LOG_LEVEL: info
    depends_on:
@@ -97,7 +102,7 @@ services:
      dockerfile: Dockerfile
    command: ["dd0c-worker"]
    environment:
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_route
+      DATABASE_URL: postgresql://dd0c:${POSTGRES_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_route
      REDIS_URL: redis://redis:6379
      LOG_LEVEL: info
    depends_on:
@@ -115,9 +120,9 @@ services:
    environment:
      NODE_ENV: production
      PORT: "3000"
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_drift
+      DATABASE_URL: postgresql://dd0c_drift:${DB_DRIFT_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_drift
      REDIS_URL: redis://redis:6379
-      JWT_SECRET: dev-secret-change-me-in-production!!
+      JWT_SECRET: ${JWT_SECRET:-dev-secret-change-me-in-production!!}
      LOG_LEVEL: info
    depends_on:
      postgres: { condition: service_healthy }
@@ -134,9 +139,9 @@ services:
    environment:
      NODE_ENV: production
      PORT: "3000"
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_alert
+      DATABASE_URL: postgresql://dd0c_alert:${DB_ALERT_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_alert
      REDIS_URL: redis://redis:6379
-      JWT_SECRET: dev-secret-change-me-in-production!!
+      JWT_SECRET: ${JWT_SECRET:-dev-secret-change-me-in-production!!}
      LOG_LEVEL: info
    depends_on:
      postgres: { condition: service_healthy }
@@ -153,10 +158,10 @@ services:
    environment:
      NODE_ENV: production
      PORT: "3000"
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_portal
+      DATABASE_URL: postgresql://dd0c_portal:${DB_PORTAL_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_portal
      REDIS_URL: redis://redis:6379
      MEILI_URL: http://meilisearch:7700
-      JWT_SECRET: dev-secret-change-me-in-production!!
+      JWT_SECRET: ${JWT_SECRET:-dev-secret-change-me-in-production!!}
      LOG_LEVEL: info
    depends_on:
      postgres: { condition: service_healthy }
@@ -174,9 +179,9 @@ services:
    environment:
      NODE_ENV: production
      PORT: "3000"
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_cost
+      DATABASE_URL: postgresql://dd0c_cost:${DB_COST_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_cost
      REDIS_URL: redis://redis:6379
-      JWT_SECRET: dev-secret-change-me-in-production!!
+      JWT_SECRET: ${JWT_SECRET:-dev-secret-change-me-in-production!!}
      ANOMALY_THRESHOLD: "50"
      LOG_LEVEL: info
    depends_on:
@@ -194,9 +199,9 @@ services:
    environment:
      NODE_ENV: production
      PORT: "3000"
-      DATABASE_URL: postgresql://dd0c:dd0c-dev@postgres:5432/dd0c_run
+      DATABASE_URL: postgresql://dd0c_run:${DB_RUN_PASSWORD:-dd0c-dev}@postgres:5432/dd0c_run
      REDIS_URL: redis://redis:6379
-      JWT_SECRET: dev-secret-change-me-in-production!!
+      JWT_SECRET: ${JWT_SECRET:-dev-secret-change-me-in-production!!}
      LOG_LEVEL: info
    depends_on:
      postgres: { condition: service_healthy }