Merge pull request #268 from iyanumajekodunmi756/security-fixes-232-235-237-241

Security fixes: Implement comprehensive security enhancements (#232 #…

Author: elizabetheonoja-art

index.js

@@ -140,6 +140,10 @@ const createReconciliationRoutes = require('./routes/admin/reconciliation');
 const { setupApolloServer } = require('./src/graphql');
 
 
+// Initialize payload size limit middleware
+const { PayloadSizeLimitMiddleware } = require('./src/middleware/payloadSizeLimit');
+const { GraphQLPayloadLimitMiddleware } = require('./src/middleware/graphqlPayloadLimit');
+
 // Tier middleware — attaches req.user.tier to every request
 const { attachTier } = require('./middleware/tierAuth');
 const { MerchantCorsMiddleware } = require('./src/middleware/merchantCorsMiddleware');
@@ -180,8 +184,37 @@ async function createApp(dependencies = {}) {
   // ── Global middleware ──────────────────────────────────────────────────────
   const merchantCors = new MerchantCorsMiddleware(database);
   app.use(cors(merchantCors.corsOptionsDelegate()));
-  app.use(express.json({ limit: '10mb' }));
-  app.use(express.urlencoded({ extended: true }));
+  
+  // Initialize payload size limit middleware with security-focused configuration
+  const payloadSizeLimit = new PayloadSizeLimitMiddleware({
+    jsonLimit: process.env.PAYLOAD_JSON_LIMIT || 1024 * 1024, // 1MB for JSON
+    urlencodedLimit: process.env.PAYLOAD_URLENCODED_LIMIT || 1024 * 1024, // 1MB for URL-encoded
+    textLimit: process.env.PAYLOAD_TEXT_LIMIT || 1024 * 1024, // 1MB for text
+    rawLimit: process.env.PAYLOAD_RAW_LIMIT || 10 * 1024 * 1024, // 10MB for raw/binary
+    graphqlLimit: process.env.PAYLOAD_GRAPHQL_LIMIT || 2 * 1024 * 1024, // 2MB for GraphQL
+    fileLimit: process.env.PAYLOAD_FILE_LIMIT || 50 * 1024 * 1024, // 50MB for file uploads
+    strictMode: process.env.NODE_ENV === 'production', // Enable strict mode in production
+    enableLogging: process.env.PAYLOAD_LOGGING !== 'false' // Enable logging by default
+  });
+  
+  // Initialize GraphQL payload limit middleware
+  const graphqlPayloadLimit = new GraphQLPayloadLimitMiddleware({
+    maxQueryLength: parseInt(process.env.GRAPHQL_MAX_QUERY_LENGTH) || 10000,
+    maxVariablesSize: parseInt(process.env.GRAPHQL_MAX_VARIABLES_SIZE) || 1024 * 1024,
+    maxQueryDepth: parseInt(process.env.GRAPHQL_MAX_QUERY_DEPTH) || 10,
+    maxComplexity: parseInt(process.env.GRAPHQL_MAX_COMPLEXITY) || 1000,
+    enableLogging: process.env.GRAPHQL_LOGGING !== 'false'
+  });
+  
+  // Apply payload size limits before body parsing
+  app.use(payloadSizeLimit.middleware());
+  
+  // Apply GraphQL-specific limits for GraphQL endpoints
+  app.use('/graphql', graphqlPayloadLimit.middleware());
+  
+  // Remove the default express.json() and express.urlencoded() as they are now handled by the payload limit middleware
+  // app.use(express.json({ limit: '10mb' }));
+  // app.use(express.urlencoded({ extended: true }));
 
   // Request tracing middleware must be registered early for trace propagation
   app.use(requestTracingMiddleware);

middleware/auth.js

@@ -1,8 +1,12 @@
 const jwt = require('jsonwebtoken');
 const { ethers } = require('ethers');
+const { AuthService } = require('../src/services/auth.service');
 
 const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
 
+// Initialize enhanced authentication service
+const authService = new AuthService();
+
 // Generate nonce for SIWE
 const generateNonce = () => {
   return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
@@ -21,20 +25,25 @@ const verifySignature = (message, signature, address) => {
   }
 };
 
-// Generate JWT token
+// Generate JWT token (using enhanced service)
 const generateToken = (address, tier = 'bronze') => {
-  return jwt.sign(
-    { 
-      address: address.toLowerCase(),
-      tier,
-      iat: Math.floor(Date.now() / 1000)
-    },
-    JWT_SECRET,
-    { expiresIn: '24h' }
-  );
+  const member = {
+    id: address.toLowerCase(),
+    email: `${address.toLowerCase()}@example.com`,
+    organizationId: 'default',
+    role: 'user',
+    permissions: ['read']
+  };
+  
+  return authService.generateAccessToken(member);
 };
 
-// Verify JWT middleware
+// Generate refresh token
+const generateRefreshToken = (address) => {
+  return authService.generateRefreshToken(address.toLowerCase(), null);
+};
+
+// Enhanced JWT verification middleware with rotation support
 const authenticateToken = (req, res, next) => {
   const authHeader = req.headers['authorization'];
   const token = authHeader && authHeader.split(' ')[1];
@@ -46,16 +55,32 @@ const authenticateToken = (req, res, next) => {
     });
   }
 
-  jwt.verify(token, JWT_SECRET, (err, user) => {
-    if (err) {
-      return res.status(403).json({ 
-        success: false, 
-        error: 'Invalid or expired token' 
-      });
+  try {
+    const payload = authService.verifyAccessToken(token);
+    
+    // Check if token needs rotation
+    if (authService.shouldRotateToken(token)) {
+      // Add rotation hint to response headers
+      res.set('X-Token-Rotation-Required', 'true');
     }
-    req.user = user;
+    
+    req.user = {
+      id: payload.sub,
+      email: payload.email,
+      organizationId: payload.organizationId,
+      role: payload.role,
+      permissions: payload.permissions,
+      sessionId: payload.sessionId,
+      jti: payload.jti
+    };
+    
     next();
-  });
+  } catch (error) {
+    return res.status(403).json({ 
+      success: false, 
+      error: error.message || 'Invalid or expired token' 
+    });
+  }
 };
 
 // Tier-based access middleware
@@ -76,11 +101,70 @@ const requireTier = (requiredTier) => {
   };
 };
 
+// Token rotation endpoint handler
+const rotateTokens = async (req, res) => {
+  const { refreshToken } = req.body;
+  
+  if (!refreshToken) {
+    return res.status(400).json({
+      success: false,
+      error: 'Refresh token required'
+    });
+  }
+  
+  try {
+    const tokens = await authService.rotateTokens(refreshToken);
+    
+    res.json({
+      success: true,
+      data: tokens,
+      message: 'Tokens rotated successfully'
+    });
+  } catch (error) {
+    res.status(403).json({
+      success: false,
+      error: error.message || 'Token rotation failed'
+    });
+  }
+};
+
+// Token revocation endpoint
+const revokeToken = (req, res) => {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+  
+  if (!token) {
+    return res.status(400).json({
+      success: false,
+      error: 'Token required'
+    });
+  }
+  
+  try {
+    const payload = authService.verifyAccessToken(token);
+    authService.blacklistToken(payload.jti);
+    
+    res.json({
+      success: true,
+      message: 'Token revoked successfully'
+    });
+  } catch (error) {
+    res.status(403).json({
+      success: false,
+      error: error.message || 'Token revocation failed'
+    });
+  }
+};
+
 module.exports = {
   generateNonce,
   nonces,
   verifySignature,
   generateToken,
+  generateRefreshToken,
   authenticateToken,
-  requireTier
+  rotateTokens,
+  revokeToken,
+  requireTier,
+  authService // Export service for direct access
 };