Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
191 Commits 2 Branches 0 Tags
35d004cde328332d0abc3a323be6b262518f370e
Commit Graph

5 Commits

Author SHA1 Message Date
Michael Freno
3aead0d7bb Implement Redis rate limiting middleware for spam endpoints (FRE-4507) 
- Add ioredis dependency to API package
- Create Redis connection utility (apps/api/src/config/redis.ts)
- Create Redis-backed spam rate limit middleware with per-minute and daily limits
- Create spam classification routes (SMS, number reputation, call analysis, feedback)
- Register middleware and routes in API server
- Add 7 passing tests for rate limit enforcement
- Update vitest config with required env vars

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-29 20:54:39 -04:00
Michael Freno
0495ee5bd2 Auto-commit 2026-04-29 16:31 2026-04-29 16:31:27 -04:00
Michael Freno
0ff6c74871 FRE-709: Document duplicate recovery wake - FRE-635 already recovered via FRE-708 2026-04-26 20:23:14 -04:00
Michael Freno
754fce269f fix: implement critical security remediation for authentication and authorization 
- Add Clerk token verification to tRPC context (server/trpc/index.ts)
- Remove client-controlled authorId/reviewedById from revisions router
- Require JWT_SECRET environment variable, remove hardcoded fallback
- Add table name validation to prevent SQL injection in backup logic
- Fix TRPCContext type to use better-sqlite3 instead of LibSQL
- Update revisions router tests to use proper tRPC v11+ API
- Add resetInMemoryState function for test isolation

Security fixes address:
- Critical: Authentication bypass via missing token verification
- Critical: User impersonation via client-controlled IDs
- High: Insecure WebSocket defaults with hardcoded secrets
- High: SQL injection vulnerability in backup logic

All tests passing (24/24).
 2026-04-25 08:24:45 -04:00
Michael Freno
7c684a42cc FRE-600: Fix code review blockers 
- Consolidated duplicate UndoManagers to single instance
- Fixed connection promise to only resolve on 'connected' status
- Fixed WebSocketProvider import (WebsocketProvider)
- Added proper doc.destroy() cleanup
- Renamed isPresenceInitialized property to avoid conflict

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-25 00:08:01 -04:00