Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 47s
CI — P2 Drift (Go + Node) / saas (push) Successful in 36s
CI — P3 Alert / test (push) Successful in 36s
CI — P4 Portal / build-push (push) Failing after 49s
CI — P5 Cost / build-push (push) Failing after 4s
CI — P6 Run / build-push (push) Failing after 4s
CI — P4 Portal / test (push) Successful in 35s
CI — P5 Cost / test (push) Successful in 40s
CI — P6 Run / saas (push) Successful in 36s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 17s
CI — P3 Alert / build-push (push) Failing after 15s
Resolves 11 of the 13 findings:
- [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config()
- [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps
- [CRITICAL] Invite Hijacking: added email verification check to invite lookup
- [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling
- [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup
- [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT
- [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual
- [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET
- [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES)
- [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup
- [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing

Note:
- Finding #4 (Fragmented Identity) requires a unified auth database architecture.
- Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean.
41 lines
1.2 KiB
TypeScript
import pg from 'pg';
import pino from 'pino';
import { config } from '../config/index.js';

const logger = pino({ name: 'data' });

const pool = new pg.Pool({ connectionString: config.DATABASE_URL });

/**
 * RLS tenant isolation wrapper.
 * Sets `app.tenant_id` for the duration of the callback, then resets.
 * The tenant id is passed as a bind parameter to set_config() with is_local = true,
 * so it never becomes part of the SQL text and the setting ends with the transaction.
 */
export async function withTenant<T>(tenantId: string, fn: (client: pg.PoolClient) => Promise<T>): Promise<T> {
  const client = await pool.connect();
  try {
    await client.query('BEGIN');
    await client.query('SELECT set_config($1, $2, true)', ['app.tenant_id', tenantId]);
    const result = await fn(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  } finally {
    // Belt and braces: the transaction-local setting is already gone after COMMIT/ROLLBACK.
    // Release the client even if RESET fails, so a broken connection cannot leak from the pool.
    try {
      await client.query('RESET app.tenant_id');
    } finally {
      client.release();
    }
  }
}

/** System-level queries that intentionally bypass RLS (auth, migrations, health) */
export async function systemQuery<T extends pg.QueryResultRow = any>(
  text: string, params?: any[]
): Promise<pg.QueryResult<T>> {
  return pool.query(text, params);
}

/** For auth middleware that needs direct pool access for API key lookups */
export function getPoolForAuth(): pg.Pool {
  return pool;
}
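To check the wrapper's isolation properties without a database, here is an added example (not code from this commit) that runs the same withTenant logic against a recording fake: it assumes hypothetical QueryClient/ClientPool interfaces standing in for the pg types, takes the pool as a parameter instead of a module singleton, and uses a constructed tenant id containing a quote. The fake's log shows the id reaching set_config() only as bind parameter $2, never inside statement text, and that the client is released even when RESET fails.

```typescript
// Stand-ins for the parts of pg.Pool / pg.PoolClient that withTenant touches,
// so the wrapper runs here without the pg package or a database (hypothetical).
interface QueryClient { query(text: string, params?: unknown[]): Promise<unknown>; release(): void; }
interface ClientPool { connect(): Promise<QueryClient>; }

// Same logic as the page's withTenant, with the pool injected for testability.
export async function withTenant<T>(
  pool: ClientPool, tenantId: string, fn: (client: QueryClient) => Promise<T>,
): Promise<T> {
  const client = await pool.connect();
  try {
    await client.query('BEGIN');
    // Tenant id travels as a bind parameter and never enters the SQL text,
    // which is what closed the SET LOCAL string-interpolation hole.
    await client.query('SELECT set_config($1, $2, true)', ['app.tenant_id', tenantId]);
    const result = await fn(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  } finally {
    // is_local=true already ends the setting with the transaction; RESET is belt
    // and braces, and the client goes back to the pool even if RESET fails.
    try { await client.query('RESET app.tenant_id'); } finally { client.release(); }
  }
}

// Recording fake: logs each statement with its params; texts listed in failOn reject.
export class RecordingPool implements ClientPool {
  log: { text: string; params?: unknown[] }[] = [];
  released = 0;
  constructor(private failOn: string[] = []) {}
  async connect(): Promise<QueryClient> {
    return {
      query: async (text, params) => {
        this.log.push({ text, params });
        if (this.failOn.includes(text)) throw new Error(`fake failure on ${text}`);
        return { rows: [] };
      },
      release: () => { this.released += 1; },
    };
  }
}

// Constructed tenant id with a quote: inert as a parameter, but it would have
// broken or altered a SET LOCAL statement assembled by string splicing.
export const SAMPLE_TENANT = "tenant-o'neil";
```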