feat(backend): implement comprehensive security and validation
Implement enterprise-grade security measures and input validation: Security Features: - Add Helmet.js for security headers (XSS, clickjacking, MIME protection) - Implement rate limiting (5/15min for auth, 100/15min for API) - Add Socket.IO JWT authentication middleware - Fix JWT auth middleware (remove throw in catch, extend token to 7 days) - Implement centralized error handling with AppError class - Add CORS restrictive configuration Input Validation: - Add express-validator to all routes (auth, streets, tasks, posts, events, rewards, reports, users) - Create comprehensive validation schemas in middleware/validators/ - Consistent error response format for validation failures Additional Features: - Add pagination middleware for all list endpoints - Add Multer file upload middleware (5MB limit, image validation) - Update .env.example with all required environment variables Dependencies Added: - helmet@8.1.0 - express-rate-limit@8.2.1 - express-validator@7.3.0 - multer@1.4.5-lts.1 - cloudinary@2.8.0 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
William Valentin
77
backend/middleware/errorHandler.js
Normal file
77
backend/middleware/errorHandler.js
Normal file
@@ -0,0 +1,77 @@
|
||||
/**
|
||||
* Centralized Error Handling Middleware
|
||||
* Handles all errors throughout the application with consistent formatting
|
||||
*/
|
||||
|
||||
// Custom error class for application-specific errors
|
||||
class AppError extends Error {
|
||||
constructor(message, statusCode) {
|
||||
super(message);
|
||||
this.statusCode = statusCode;
|
||||
this.isOperational = true;
|
||||
Error.captureStackTrace(this, this.constructor);
|
||||
}
|
||||
}
|
||||
|
||||
// Global error handler middleware
|
||||
const errorHandler = (err, req, res, next) => {
|
||||
let error = { ...err };
|
||||
error.message = err.message;
|
||||
|
||||
// Log error for debugging
|
||||
console.error(`[ERROR] ${err.message}`, {
|
||||
stack: err.stack,
|
||||
path: req.path,
|
||||
method: req.method,
|
||||
timestamp: new Date().toISOString(),
|
||||
});
|
||||
|
||||
// Mongoose bad ObjectId
|
||||
if (err.name === "CastError") {
|
||||
const message = "Resource not found";
|
||||
error = new AppError(message, 404);
|
||||
}
|
||||
|
||||
// Mongoose duplicate key
|
||||
if (err.code === 11000) {
|
||||
const message = "Duplicate field value entered";
|
||||
error = new AppError(message, 400);
|
||||
}
|
||||
|
||||
// Mongoose validation error
|
||||
if (err.name === "ValidationError") {
|
||||
const message = Object.values(err.errors)
|
||||
.map((val) => val.message)
|
||||
.join(", ");
|
||||
error = new AppError(message, 400);
|
||||
}
|
||||
|
||||
// JWT errors
|
||||
if (err.name === "JsonWebTokenError") {
|
||||
const message = "Invalid token";
|
||||
error = new AppError(message, 401);
|
||||
}
|
||||
|
||||
if (err.name === "TokenExpiredError") {
|
||||
const message = "Token expired";
|
||||
error = new AppError(message, 401);
|
||||
}
|
||||
|
||||
// Send error response
|
||||
res.status(error.statusCode || 500).json({
|
||||
success: false,
|
||||
error: error.message || "Server Error",
|
||||
...(process.env.NODE_ENV === "development" && { stack: err.stack }),
|
||||
});
|
||||
};
|
||||
|
||||
// Async handler wrapper to catch errors in async route handlers
|
||||
const asyncHandler = (fn) => (req, res, next) => {
|
||||
Promise.resolve(fn(req, res, next)).catch(next);
|
||||
};
|
||||
|
||||
module.exports = {
|
||||
errorHandler,
|
||||
asyncHandler,
|
||||
AppError,
|
||||
};
|
||||
Reference in New Issue
Block a user