Hamza/musadaq-saas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security Hardening: Phase 1-3 complete

Browse Source 
- C1: Hash refresh tokens before DB storage (sha256)
- C2: Remove JWT_SECRET fallback, fail hard if missing
- H1: Enforce HTTP methods per route (405 on mismatch)
- H2: CORS with origin whitelist from CORS_ORIGIN env var
- H3: Redact sensitive fields (tokens, passwords) from logs
- M1: Build HmacMiddleware with replay attack prevention
- M2: Fix rate limiter race condition with flock LOCK_EX
- M3: Guard dd() — suppressed in production
- M4: Remove .env from git tracking, strengthen .gitignore
- I1: Add HSTS header (max-age=31536000)
This commit is contained in:
Hamza-Ayed
2026-05-03 21:06:17 +03:00
parent b33513ebcf
commit 214d96ee8d
11 changed files with 236 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
public/index.php
View File

@@ -5,37 +5,42 @@
require_once __DIR__ . '/../app/bootstrap/init.php';
// Global Request Logging (for debugging on server)
// Global Request Logging (non-sensitive)
error_log("Incoming Request: " . ($_SERVER['REQUEST_METHOD'] ?? 'GET') . " " . ($_SERVER['REQUEST_URI'] ?? '/'));
$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$route = $_GET['route'] ?? str_replace('/api/', '', $uri);
$route = trim($route, '/');
// Log for debugging
error_log("Router: Resolved route for URI '{$uri}' is '{$route}'");
error_log("Router: Resolved route '{$route}'");
// Mapping routes to modules
// Route map: route => [allowed_method, module_file]
$routes = [
'v1/auth/login' => 'auth/login.php',
'v1/auth/refresh' => 'auth/refresh.php',
'v1/auth/logout' => 'auth/logout.php',
'v1/users' => 'users/index.php',
'v1/auth/login' => ['POST', 'auth/login.php'],
'v1/auth/refresh' => ['POST', 'auth/refresh.php'],
'v1/auth/logout' => ['POST', 'auth/logout.php'],
'v1/users' => ['GET', 'users/index.php'],
];
if (isset($routes[$route])) {
$file = APP_PATH . '/modules_app/' . $routes[$route];
[$allowedMethod, $moduleFile] = $routes[$route];
// H1 Fix: Enforce HTTP Method
if ($_SERVER['REQUEST_METHOD'] !== $allowedMethod) {
header("Allow: {$allowedMethod}");
json_error("Method Not Allowed. Use {$allowedMethod}.", 405);
}
$file = APP_PATH . '/modules_app/' . $moduleFile;
if (file_exists($file)) {
require_once $file;
} else {
json_error("Endpoint file missing: {$route}", 500);
}
} else {
// If no route matches, maybe it's a SPA request or 404
if (str_starts_with($route, 'v1/')) {
json_error("Not Found: {$route}", 404);
} else {
// Not an API request — serve the SPA shell
include __DIR__ . '/shell.php';
exit;
}