yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity
15 Commits 1 Branch 0 Tags
4ecd2336b5b0f168b24531ae406790f1690a6ac5
Commit Graph

10 Commits

Author SHA1 Message Date
Yusuf Suleman
4ecd2336b5 fix: complete remaining remediation (#5, #8, #9)
Some checks failed
Security Checks / dependency-audit (push) Has been cancelled
Details
Security Checks / secret-scanning (push) Has been cancelled
Details
Security Checks / dockerfile-lint (push) Has been cancelled
Details 
#5 Gateway Trust Model:
- Token validation now uses protected endpoints, not health checks
- Unknown services rejected (no fallback to unprotected endpoint)
- Trust model documented in docs/trust-model.md

#8 CI Enforcement:
- Added .gitea/workflows/security.yml with:
  - Dependency audit (npm audit --audit-level=high for budget)
  - Secret scanning (checks for tracked .env/.db, hardcoded secrets)
  - Dockerfile lint (non-root USER, HEALTHCHECK presence)

#9 Performance Hardening:
- Budget /summary: 1-minute in-memory cache (avoids repeated account fan-out)
- Gateway /api/dashboard: 30-second per-user cache (50x faster on repeat)
- Inventory health endpoint added before auth middleware

Closes #5, #8, #9
 2026-03-29 10:13:00 -05:00
Yusuf Suleman
72747668f9 fix: remaining security and deployment hardening (#6 #7 #10) 
#7 Transport Security:
- Removed legacy _ssl_ctx alias from config.py
- proxy.py now uses _internal_ssl_ctx directly (explicitly scoped)
- No global TLS bypass remains

#10 Deployment Hardening:
- Inventory Dockerfile: non-root (node user), health check, production deps
- Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready
- Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check
- Added /health endpoints to inventory and budget (before auth middleware)
- All 6 containers now run as non-root with health checks

All services verified: gateway, trips, fitness, inventory, budget, frontend
 2026-03-29 09:35:39 -05:00
Yusuf Suleman
0ed8f1f83e fix: deployment hardening — non-root containers and health checks (#10) 
- Gateway, Trips, Fitness Dockerfiles: run as non-root (appuser)
- Added HEALTHCHECK to gateway, trips, fitness
- Used --chown=appuser on COPY for correct file permissions
- Created data dirs with proper ownership before USER switch
- Trips Dockerfile no longer copies whole context (only server.py)

Partial fix for #10 — Node services (inventory, budget, frontend) not yet hardened.
 2026-03-29 09:18:42 -05:00
Yusuf Suleman
14c667bd5e fix: resolve path-to-regexp ReDoS vulnerability in budget service (#8) 
- Ran npm audit fix on services/budget — updated path-to-regexp
- npm audit now reports 0 vulnerabilities
- CI enforcement deferred (no Gitea CI runner configured)

Partial fix for #8 — vulnerability resolved, CI setup remaining.
 2026-03-29 09:14:21 -05:00
Yusuf Suleman
79d2c3b4b6 fix: remove all default credentials (#2) 
- Gateway: admin user seeded from ADMIN_USERNAME/ADMIN_PASSWORD env vars
  (no more hardcoded admin/admin). Warns if not set.
- Trips: USERNAME/PASSWORD env vars no longer default to admin/admin.
  Warns if not set.
- Fitness: user seed requires USER{n}_USERNAME/PASSWORD env vars.
  No more "changeme" fallback. Skips seed if not set.
- /api/auth/register remains disabled (403)

Closes #2
 2026-03-29 09:10:44 -05:00
Yusuf Suleman
fcb9383623 fix(gateway): enforce API key auth on inventory and budget services (#5) 
- Added X-API-Key middleware to inventory-service and budget-service
- Services reject all requests without valid API key (401)
- Gateway proxy injects service API keys for inventory and budget
- Dashboard widget fetchers inject API keys
- Generated unique API keys per service, stored in .env
- Added SERVICE_API_KEY env var to docker-compose for both services

Partial fix for #5 — internal services now require auth.
Remaining: document trust model, validate service token semantics.
 2026-03-29 09:06:41 -05:00
Yusuf Suleman
fb79f15f75 fix(fitness): eliminate cross-user data access (#4) 
- All user_id query params now enforced to authenticated user's own ID
- /api/users restricted to return only current user (no user enumeration)
- Wildcard CORS headers removed (service is internal-only via gateway)
- Covers: entries, totals, goals, templates, favorites, goal setting

Closes #4
 2026-03-29 08:53:04 -05:00
Yusuf Suleman
d700ba7569 fix(trips): enforce password protection on shared trips (#3) 
- handle_share_api now checks X-Share-Password header against bcrypt hash
  before returning trip data. Returns 401 with {protected: true} if password
  required but not provided/incorrect
- share_password now stored as bcrypt hash, not plaintext
- All plaintext password logging removed from handle_share_verify
- handle_share_verify uses bcrypt.checkpw instead of string equality
- Migration invalidates existing plaintext share passwords (< 50 chars)
- Removed dead hash_password function (used hashlib.sha256)
- Added bcrypt to trips Dockerfile

Closes #3
 2026-03-29 08:50:45 -05:00
Yusuf Suleman
6bd23e7e8b fix: security hardening across platform 
- Disable open /api/auth/register endpoint (gateway)
- Require gateway session auth on Immich and Karakeep hooks proxies
- Replace SHA-256 with bcrypt in fitness service (auth + seed)
- Remove hardcoded Telegram user IDs from fitness seed
- Add Secure flag to session cookie
- Add domain allowlist and content-type validation to image proxy
- Strengthen .gitignore (env variants, runtime data, test artifacts)
 2026-03-29 08:25:50 -05:00
Yusuf Suleman
d3e250e361 Initial commit: Second Brain Platform 
Complete platform with unified design system and real API integration.

Apps: Dashboard, Fitness, Budget, Inventory, Trips, Reader, Media, Settings
Infrastructure: SvelteKit + Python gateway + Docker Compose
 2026-03-28 23:20:40 -05:00