feat(backend): implement comprehensive security and validation

Implement enterprise-grade security measures and input validation:

Security Features:
- Add Helmet.js for security headers (XSS, clickjacking, MIME protection)
- Implement rate limiting (5/15min for auth, 100/15min for API)
- Add Socket.IO JWT authentication middleware
- Fix JWT auth middleware (remove throw in catch, extend token to 7 days)
- Implement centralized error handling with AppError class
- Add CORS restrictive configuration

Input Validation:
- Add express-validator to all routes (auth, streets, tasks, posts, events, rewards, reports, users)
- Create comprehensive validation schemas in middleware/validators/
- Consistent error response format for validation failures

Additional Features:
- Add pagination middleware for all list endpoints
- Add Multer file upload middleware (5MB limit, image validation)
- Update .env.example with all required environment variables

Dependencies Added:
- helmet@8.1.0
- express-rate-limit@8.2.1
- express-validator@7.3.0
- multer@1.4.5-lts.1
- cloudinary@2.8.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

backend/middleware/validators/authValidator.js

@@ -0,0 +1,68 @@
+const { body, validationResult } = require("express-validator");
+
+/**
+ * Validation middleware to check validation results
+ */
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * Register validation rules
+ */
+const registerValidation = [
+  body("name")
+    .trim()
+    .notEmpty()
+    .withMessage("Name is required")
+    .isLength({ min: 2, max: 50 })
+    .withMessage("Name must be between 2 and 50 characters"),
+  body("email")
+    .trim()
+    .notEmpty()
+    .withMessage("Email is required")
+    .isEmail()
+    .withMessage("Please provide a valid email address")
+    .normalizeEmail(),
+  body("password")
+    .notEmpty()
+    .withMessage("Password is required")
+    .isLength({ min: 6 })
+    .withMessage("Password must be at least 6 characters long")
+    .matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/)
+    .withMessage(
+      "Password must contain at least one uppercase letter, one lowercase letter, and one number",
+    ),
+  validate,
+];
+
+/**
+ * Login validation rules
+ */
+const loginValidation = [
+  body("email")
+    .trim()
+    .notEmpty()
+    .withMessage("Email is required")
+    .isEmail()
+    .withMessage("Please provide a valid email address")
+    .normalizeEmail(),
+  body("password").notEmpty().withMessage("Password is required"),
+  validate,
+];
+
+module.exports = {
+  registerValidation,
+  loginValidation,
+  validate,
+};

backend/middleware/validators/eventValidator.js

@@ -0,0 +1,65 @@
+const { body, param, validationResult } = require("express-validator");
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * Create event validation
+ */
+const createEventValidation = [
+  body("title")
+    .trim()
+    .notEmpty()
+    .withMessage("Event title is required")
+    .isLength({ min: 3, max: 200 })
+    .withMessage("Title must be between 3 and 200 characters"),
+  body("description")
+    .trim()
+    .notEmpty()
+    .withMessage("Event description is required")
+    .isLength({ min: 10, max: 1000 })
+    .withMessage("Description must be between 10 and 1000 characters"),
+  body("date")
+    .notEmpty()
+    .withMessage("Event date is required")
+    .isISO8601()
+    .withMessage("Date must be a valid ISO 8601 date")
+    .custom((value) => {
+      if (new Date(value) < new Date()) {
+        throw new Error("Event date must be in the future");
+      }
+      return true;
+    }),
+  body("location")
+    .trim()
+    .notEmpty()
+    .withMessage("Event location is required")
+    .isLength({ min: 3, max: 200 })
+    .withMessage("Location must be between 3 and 200 characters"),
+  validate,
+];
+
+/**
+ * Event ID validation
+ */
+const eventIdValidation = [
+  param("id").isMongoId().withMessage("Invalid event ID"),
+  validate,
+];
+
+module.exports = {
+  createEventValidation,
+  eventIdValidation,
+  validate,
+};

backend/middleware/validators/postValidator.js

@@ -0,0 +1,47 @@
+const { body, param, validationResult } = require("express-validator");
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * Create post validation
+ */
+const createPostValidation = [
+  body("content")
+    .trim()
+    .notEmpty()
+    .withMessage("Post content is required")
+    .isLength({ min: 1, max: 1000 })
+    .withMessage("Content must be between 1 and 1000 characters"),
+  body("imageUrl")
+    .optional()
+    .trim()
+    .isURL()
+    .withMessage("Image URL must be a valid URL"),
+  validate,
+];
+
+/**
+ * Post ID validation
+ */
+const postIdValidation = [
+  param("id").isMongoId().withMessage("Invalid post ID"),
+  validate,
+];
+
+module.exports = {
+  createPostValidation,
+  postIdValidation,
+  validate,
+};

backend/middleware/validators/reportValidator.js

@@ -0,0 +1,43 @@
+const { body, param, validationResult } = require("express-validator");
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * Create report validation
+ */
+const createReportValidation = [
+  body("street").isMongoId().withMessage("Valid street ID is required"),
+  body("issue")
+    .trim()
+    .notEmpty()
+    .withMessage("Issue description is required")
+    .isLength({ min: 10, max: 1000 })
+    .withMessage("Issue description must be between 10 and 1000 characters"),
+  validate,
+];
+
+/**
+ * Report ID validation
+ */
+const reportIdValidation = [
+  param("id").isMongoId().withMessage("Invalid report ID"),
+  validate,
+];
+
+module.exports = {
+  createReportValidation,
+  reportIdValidation,
+  validate,
+};

backend/middleware/validators/rewardValidator.js

@@ -0,0 +1,57 @@
+const { body, param, validationResult } = require("express-validator");
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * Create reward validation
+ */
+const createRewardValidation = [
+  body("name")
+    .trim()
+    .notEmpty()
+    .withMessage("Reward name is required")
+    .isLength({ min: 2, max: 100 })
+    .withMessage("Name must be between 2 and 100 characters"),
+  body("description")
+    .trim()
+    .notEmpty()
+    .withMessage("Reward description is required")
+    .isLength({ min: 10, max: 500 })
+    .withMessage("Description must be between 10 and 500 characters"),
+  body("cost")
+    .notEmpty()
+    .withMessage("Cost is required")
+    .isInt({ min: 1, max: 100000 })
+    .withMessage("Cost must be a positive integer between 1 and 100000"),
+  body("isPremium")
+    .optional()
+    .isBoolean()
+    .withMessage("isPremium must be a boolean"),
+  validate,
+];
+
+/**
+ * Reward ID validation
+ */
+const rewardIdValidation = [
+  param("id").isMongoId().withMessage("Invalid reward ID"),
+  validate,
+];
+
+module.exports = {
+  createRewardValidation,
+  rewardIdValidation,
+  validate,
+};

backend/middleware/validators/streetValidator.js

@@ -0,0 +1,56 @@
+const { body, param, validationResult } = require("express-validator");
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * Create street validation
+ */
+const createStreetValidation = [
+  body("name")
+    .trim()
+    .notEmpty()
+    .withMessage("Street name is required")
+    .isLength({ min: 2, max: 200 })
+    .withMessage("Street name must be between 2 and 200 characters"),
+  body("location")
+    .notEmpty()
+    .withMessage("Location is required")
+    .isObject()
+    .withMessage("Location must be an object"),
+  body("location.type")
+    .equals("Point")
+    .withMessage("Location type must be 'Point'"),
+  body("location.coordinates")
+    .isArray({ min: 2, max: 2 })
+    .withMessage("Coordinates must be an array with longitude and latitude"),
+  body("location.coordinates.*")
+    .isFloat()
+    .withMessage("Coordinates must be valid numbers"),
+  validate,
+];
+
+/**
+ * Street ID validation
+ */
+const streetIdValidation = [
+  param("id").isMongoId().withMessage("Invalid street ID"),
+  validate,
+];
+
+module.exports = {
+  createStreetValidation,
+  streetIdValidation,
+  validate,
+};

backend/middleware/validators/taskValidator.js

@@ -0,0 +1,43 @@
+const { body, param, validationResult } = require("express-validator");
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * Create task validation
+ */
+const createTaskValidation = [
+  body("street").isMongoId().withMessage("Valid street ID is required"),
+  body("description")
+    .trim()
+    .notEmpty()
+    .withMessage("Task description is required")
+    .isLength({ min: 5, max: 500 })
+    .withMessage("Description must be between 5 and 500 characters"),
+  validate,
+];
+
+/**
+ * Task ID validation
+ */
+const taskIdValidation = [
+  param("id").isMongoId().withMessage("Invalid task ID"),
+  validate,
+];
+
+module.exports = {
+  createTaskValidation,
+  taskIdValidation,
+  validate,
+};

backend/middleware/validators/userValidator.js

@@ -0,0 +1,28 @@
+const { param, validationResult } = require("express-validator");
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(400).json({
+      success: false,
+      errors: errors.array().map((err) => ({
+        field: err.path,
+        message: err.msg,
+      })),
+    });
+  }
+  next();
+};
+
+/**
+ * User ID validation
+ */
+const userIdValidation = [
+  param("id").isMongoId().withMessage("Invalid user ID"),
+  validate,
+];
+
+module.exports = {
+  userIdValidation,
+  validate,
+};