mporwoll/cms.c2sgmbh
1
0
Fork 0
mirror of https://github.com/complexcaresolutions/cms.c2sgmbh.git synced 2026-03-17 18:34:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
27 commits 17 branches 0 tags 17 MiB
Commit graph

7 commits

Author SHA1 Message Date
Martin Porwoll
0cdc25c4f0 feat: comprehensive security test suite 
Add 143 security tests covering all security modules:

Unit Tests (125 tests):
- rate-limiter.unit.spec.ts: limiter creation, request tracking,
  blocking, window reset, IP extraction, header generation
- csrf.unit.spec.ts: token generation/validation, origin checking,
  double submit cookie pattern, referer validation
- ip-allowlist.unit.spec.ts: CIDR matching, wildcards, endpoint-
  specific allowlist/blocklist rules, IP extraction
- data-masking.unit.spec.ts: field detection, pattern matching,
  recursive masking, JWT/connection string/private key handling

API Integration Tests (18 tests):
- security-api.int.spec.ts: rate limiting responses, IP blocking,
  CSRF protection on state-changing endpoints

Test Infrastructure:
- tests/helpers/security-test-utils.ts: CSRF token generators,
  mock request builders, environment setup utilities
- vitest.config.mts: updated to include unit tests
- package.json: added test:unit and test:security scripts
- .github/workflows/security.yml: added security-tests CI job

Also updated detect-secrets.sh to ignore .spec.ts and .test.ts
files which may contain example secrets for testing purposes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-08 00:20:47 +00:00
Martin Porwoll
fc94531931 feat: implement security hardening module 
Security Features:
- Central rate-limiter service with Redis support and memory fallback
  - Predefined limiters: publicApi, auth, email, search, form, strict
  - Automatic cleanup of stale entries
- IP allowlist/blocklist for sensitive endpoints
  - CIDR and wildcard support
  - Configurable via SEND_EMAIL_ALLOWED_IPS, BLOCKED_IPS env vars
- CSRF protection with Double Submit Cookie pattern
  - Token endpoint: GET /api/csrf-token
  - Origin header validation
- Data masking service for sensitive data
  - Automatic redaction of passwords, tokens, API keys
  - Safe logger factory for consistent logging
  - Recursive object masking for audit logs

Secret Scanning:
- Pre-commit hook for local secret detection
- GitHub Actions workflow with Gitleaks and CodeQL
- Gitleaks configuration file
- Dependency vulnerability scanning

Updated:
- /api/send-email now uses central rate-limiter and IP allowlist
- Redis lib exports getRedisClient and isRedisAvailable

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-07 23:04:14 +00:00
Martin Porwoll
6bbbea52fc feat: implement monitoring & alerting system 
- Add AuditLogs collection for tracking critical system actions
  - User changes (create, update, delete)
  - Tenant changes with sensitive data masking
  - Login events tracking

- Add Alert Service with multi-channel support
  - Email, Slack, Discord, Console channels
  - Configurable alert levels (info, warning, error, critical)
  - Environment-based configuration

- Add Email failure alerting
  - Automatic alerts on repeated failed emails
  - Per-tenant failure counting with hourly reset

- Add Email-Logs API endpoints
  - GET /api/email-logs/export (CSV/JSON export)
  - GET /api/email-logs/stats (statistics with filters)

- Add audit hooks for Users and Tenants collections
- Update TODO.md with completed monitoring tasks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-07 20:58:20 +00:00
Martin Porwoll
966af755b4 docs: update CLAUDE.md and TODO.md with recent features 
- Add E-Mail system documentation (tenant-specific SMTP, API endpoint)
- Add Redis caching section
- Add complete Collections and Globals overview
- Update project structure with new directories
- Mark Portfolio collections and Email system as completed
- Update environment variables documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-07 20:22:05 +00:00
Martin Porwoll
f1f3273fa7 docs: update TODO list with recent achievements 
- Add Git & GitHub repository setup as completed
- Mark GitHub CLI installation and configuration as done
- Add isSuperAdmin field to Users Collection
- Update Backup System status (manual backups working)
- Add Techstack documentation to completed docs
- Update last modification date to 05.12.2025

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-05 21:22:03 +00:00
Martin Porwoll
dbe36ad381 feat: add super admin role and update documentation 
- Add isSuperAdmin field to Users collection with migration
- Update API documentation with analytics examples
- Add analytics implementation guide
- Update TODO with completed tasks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-05 14:26:08 +00:00
Martin Porwoll
a88e4f60d0 test: add E2E and integration tests with documentation 
Tests:
- Update frontend.e2e.spec.ts with locale testing
- Add search.e2e.spec.ts for search functionality
- Add i18n.int.spec.ts for localization tests
- Add search.int.spec.ts for search integration
- Update playwright.config.ts

Documentation:
- Add CLAUDE.md with project instructions
- Add docs/ directory with detailed documentation
- Add scripts/ for utility scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-01 08:19:52 +00:00