feat(backend): implement comprehensive security and validation

Implement enterprise-grade security measures and input validation: Security Features: - Add Helmet.js for security headers (XSS, clickjacking, MIME protection) - Implement rate limiting (5/15min for auth, 100/15min for API) - Add Socket.IO JWT authentication middleware - Fix JWT auth middleware (remove throw in catch, extend token to 7 days) - Implement centralized error handling with AppError class - Add CORS restrictive configuration Input Validation: - Add express-validator to all routes (auth, streets, tasks, posts, events, rewards, reports, users) - Create comprehensive validation schemas in middleware/validators/ - Consistent error response format for validation failures Additional Features: - Add pagination middleware for all list endpoints - Add Multer file upload middleware (5MB limit, image validation) - Update .env.example with all required environment variables Dependencies Added: - helmet@8.1.0 - express-rate-limit@8.2.1 - express-validator@7.3.0 - multer@1.4.5-lts.1 - cloudinary@2.8.0 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-01 10:42:19 -07:00
parent 8002406120
commit b3dc608750
18 changed files with 5620 additions and 65 deletions
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -3,28 +3,34 @@ const bcrypt = require("bcryptjs");
 const jwt = require("jsonwebtoken");
 const User = require("../models/User");
 const auth = require("../middleware/auth");
+const { asyncHandler } = require("../middleware/errorHandler");
+const {
+  registerValidation,
+  loginValidation,
+} = require("../middleware/validators/authValidator");

 const router = express.Router();

 // Get user
-router.get("/", auth, async (req, res) => {
-  try {
+router.get(
+  "/",
+  auth,
+  asyncHandler(async (req, res) => {
    const user = await User.findById(req.user.id).select("-password");
    res.json(user);
-  } catch (err) {
-    console.error(err.message);
-    res.status(500).send("Server error");
-  }
-});
+  }),
+);

 // Register
-router.post("/register", async (req, res) => {
-  const { name, email, password } = req.body;
+router.post(
+  "/register",
+  registerValidation,
+  asyncHandler(async (req, res) => {
+    const { name, email, password } = req.body;

-  try {
    let user = await User.findOne({ email });
    if (user) {
-      return res.status(400).json({ msg: "User already exists" });
+      return res.status(400).json({ success: false, msg: "User already exists" });
    }

    user = new User({
@@ -44,34 +50,37 @@ router.post("/register", async (req, res) => {
      },
    };

-    jwt.sign(
-      payload,
-      process.env.JWT_SECRET,
-      { expiresIn: 3600 },
-      (err, token) => {
-        if (err) throw err;
-        res.json({ token });
-      },
-    );
-  } catch (err) {
-    console.error(err.message);
-    res.status(500).send("Server error");
-  }
-});
+    const token = await new Promise((resolve, reject) => {
+      jwt.sign(
+        payload,
+        process.env.JWT_SECRET,
+        { expiresIn: "7d" },
+        (err, token) => {
+          if (err) reject(err);
+          else resolve(token);
+        },
+      );
+    });
+
+    res.json({ success: true, token });
+  }),
+);

 // Login
-router.post("/login", async (req, res) => {
-  const { email, password } = req.body;
+router.post(
+  "/login",
+  loginValidation,
+  asyncHandler(async (req, res) => {
+    const { email, password } = req.body;

-  try {
    let user = await User.findOne({ email });
    if (!user) {
-      return res.status(400).json({ msg: "Invalid credentials" });
+      return res.status(400).json({ success: false, msg: "Invalid credentials" });
    }

    const isMatch = await bcrypt.compare(password, user.password);
    if (!isMatch) {
-      return res.status(400).json({ msg: "Invalid credentials" });
+      return res.status(400).json({ success: false, msg: "Invalid credentials" });
    }

    const payload = {
@@ -80,19 +89,20 @@ router.post("/login", async (req, res) => {
      },
    };

-    jwt.sign(
-      payload,
-      process.env.JWT_SECRET,
-      { expiresIn: 3600 },
-      (err, token) => {
-        if (err) throw err;
-        res.json({ token });
-      },
-    );
-  } catch (err) {
-    console.error(err.message);
-    res.status(500).send("Server error");
-  }
-});
+    const token = await new Promise((resolve, reject) => {
+      jwt.sign(
+        payload,
+        process.env.JWT_SECRET,
+        { expiresIn: "7d" },
+        (err, token) => {
+          if (err) reject(err);
+          else resolve(token);
+        },
+      );
+    });
+
+    res.json({ success: true, token });
+  }),
+);

 module.exports = router;