Merge pull request #39 from atomantic/better/security

atomantic · web-flow · commit 760ffda6bd44 · 2026-03-05T18:27:55.000-08:00
security: harden server bindings, auth gates, and error handling
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sparsetree",
-  "version": "0.8.4",
+  "version": "0.8.5",
   "private": true,
   "description": "",
   "main": "index.js",
diff --git a/server/src/db/sqlite.service.ts b/server/src/db/sqlite.service.ts
@@ -23,9 +23,13 @@ function initDb(): Database.Database {
   }
 
   // Create database connection
+  const isNew = !fs.existsSync(DB_PATH);
   db = new Database(DB_PATH, {
     verbose: process.env.SQLITE_VERBOSE ? console.log : undefined,
   });
+  if (isNew) {
+    fs.chmodSync(DB_PATH, 0o600);
+  }
 
   // Performance optimizations
   db.pragma('journal_mode = WAL');          // Write-Ahead Logging for better concurrency
diff --git a/server/src/index.ts b/server/src/index.ts
@@ -35,7 +35,11 @@ import { logger } from './lib/logger.js';
 
 const CORS_ORIGIN = process.env.CORS_ORIGIN || 'http://localhost:6373';
 const corsOrigin = CORS_ORIGIN.includes(',')
-  ? CORS_ORIGIN.split(',').map(o => o.trim())
+  ? CORS_ORIGIN.split(',').map(o => {
+      const trimmed = o.trim();
+      new URL(trimmed); // throws on invalid origin
+      return trimmed;
+    })
   : CORS_ORIGIN;
 
 const app = express();
@@ -114,8 +118,18 @@ if (existsSync(clientDist)) {
 // Error handling
 app.use(errorHandler);
 
-httpServer.listen(PORT, '0.0.0.0', () => {
-  logger.start('server', `Running on http://localhost:${PORT}`);
+const HOST = process.env.HOST || 'localhost';
+
+const shutdown = () => {
+  logger.warn('server', 'Shutting down gracefully...');
+  httpServer.close(() => process.exit(0));
+  setTimeout(() => process.exit(1), 5000);
+};
+process.on('SIGTERM', shutdown);
+process.on('SIGINT', shutdown);
+
+httpServer.listen(PORT, HOST, () => {
+  logger.start('server', `Running on http://${HOST}:${PORT}`);
 
   // Auto-connect to browser if enabled and browser is running
   browserService.autoConnectIfEnabled();
diff --git a/server/src/middleware/errorHandler.ts b/server/src/middleware/errorHandler.ts
@@ -7,7 +7,7 @@ export const errorHandler = (
   res: Response,
   _next: NextFunction
 ) => {
-  logger.error('server', `Unhandled: ${err.stack || err.message}`);
+  logger.error('server', `Unhandled: ${process.env.NODE_ENV !== 'production' ? (err.stack || err.message) : err.message}`);
   res.status(500).json({
     success: false,
     error: err.message || 'Internal server error'
diff --git a/server/src/routes/ancestry-update.routes.ts b/server/src/routes/ancestry-update.routes.ts
@@ -54,7 +54,7 @@ router.get('/:dbId/events', async (req: Request, res: Response) => {
     }
   }
 
-  const isTestMode = testMode === 'true';
+  const isTestMode = testMode === 'true' && process.env.NODE_ENV !== 'production';
 
   initSSE(res);
 
diff --git a/server/src/routes/browser.routes.ts b/server/src/routes/browser.routes.ts
@@ -210,6 +210,8 @@ router.get('/photos/:personId/exists', async (req: Request, res: Response) => {
 });
 
 // Get FamilySearch authentication token from browser session
+// Security note: This endpoint returns an auth token in the JSON response.
+// Acceptable because SparseTree is a local-only tool and FS tokens are short-lived.
 router.get('/token', async (_req: Request, res: Response) => {
   if (!browserService.isConnected()) {
     res.status(400).json({ success: false, error: 'Browser not connected' });
diff --git a/server/src/routes/genealogy-provider.routes.ts b/server/src/routes/genealogy-provider.routes.ts
@@ -1,4 +1,5 @@
 import { Router, Request, Response } from 'express';
+import crypto from 'crypto';
 import type { GenealogyProviderConfig, PlatformType } from '@fsf/shared';
 import { genealogyProviderService } from '../services/genealogy-provider.service.js';
 import { pickFields } from '../utils/validation.js';
@@ -60,7 +61,7 @@ router.post('/', (req: Request, res: Response) => {
 
   // Generate ID if not provided
   if (!config.id) {
-    config.id = config.platform + '-' + Date.now();
+    config.id = config.platform + '-' + crypto.randomUUID();
   }
 
   // Set defaults if not provided
diff --git a/server/src/routes/test-runner.routes.ts b/server/src/routes/test-runner.routes.ts
@@ -4,6 +4,15 @@ import { logger } from '../lib/logger.js';
 
 export const testRunnerRouter = Router();
 
+// Gate all test-runner endpoints behind non-production environment
+testRunnerRouter.use((_req, res, next) => {
+  if (process.env.NODE_ENV === 'production') {
+    res.status(403).json({ success: false, error: 'Test runner is disabled in production' });
+    return;
+  }
+  next();
+});
+
 // GET /api/test-runner/status - Get current test run status
 testRunnerRouter.get('/status', (_req, res) => {
   res.json({ success: true, data: testRunnerService.getStatus() });

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "sparsetree",`
`3`		`- "version": "0.8.4",`
	`3`	`+ "version": "0.8.5",`
`4`	`4`	`"private": true,`
`5`	`5`	`"description": "",`
`6`	`6`	`"main": "index.js",`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ router.get('/:dbId/events', async (req: Request, res: Response) => {`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`
`57`		`- const isTestMode = testMode === 'true';`
	`57`	`+ const isTestMode = testMode === 'true' && process.env.NODE_ENV !== 'production';`
`58`	`58`
`59`	`59`	`initSSE(res);`
`60`	`60`