k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: address second-pass audit findings

Browse Source 
- CI-C1 false positive: actions/{checkout,setup-node,upload-artifact}
  @v6 do exist (v6.0.0 releases published Oct-Dec 2025). Restore the
  @v6 refs — the earlier batch-1 commit downgraded them unnecessarily.
- Widen idempotency_keys primary key to (key, user_id, method, path)
  via new migration. Batch 1 widened the middleware lookup but left
  the table PK at (key, user_id), so `INSERT OR IGNORE` silently
  skipped the second endpoint that reused a key — the cache was
  never populated for it and a replay re-ran the handler. The
  migration rebuilds the table preserving existing rows (the old
  narrower PK guarantees no conflicts against the new looser key).
- HSTS: keep `includeSubDomains` OFF by default. Enabling it for
  every NODE_ENV=production install would break apex-domain setups
  where siblings still serve HTTP. Operators who want the stricter
  policy opt in with HSTS_INCLUDE_SUBDOMAINS=true.
- Extend the idempotency unit tests to cover the (method, path)
  dimension — same user+key on different path no longer replays.
This commit is contained in:
Maurice
2026-04-20 21:04:09 +02:00
parent 292e443dbe
commit 9f57ab4517
4 changed files with 83 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/test.yml
+6 -6
View File
@@ -17,9 +17,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 22
cache: npm
@@ -33,7 +33,7 @@ jobs:
- name: Upload coverage
if: success()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v6
with:
name: backend-coverage
path: server/coverage/
@@ -44,9 +44,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 22
cache: npm
@@ -60,7 +60,7 @@ jobs:
- name: Upload coverage
if: success()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v6
with:
name: frontend-coverage
path: client/coverage/