Lendair Project
A micro-lending application with web (SolidStart) and iOS platforms.
Overview
- Project: FRE-449 (parent issue)
- Workspace: `/home/mike/code/lendair`
- Tech Stack: SolidStart, tRPC, Turso DB, Clerk Auth, Stripe Identity
- Status: Active development
Security Issues
FRE-454 - Auth Integration ✅ APPROVED
Date Identified: 2026-03-24 Date Completed: 2026-03-25 Status: APPROVED - Production Ready
Previously Identified Issues (All Fixed):
- ✅ Weak ID generation using `Math.random()` → Fixed with `crypto.randomUUID()`
- ✅ Missing security headers → Implemented in `trpc.ts`
- ✅ Information disclosure via error messages → Generic error messages
- ✅ JWT token generation missing → Now returned from signIn/signUp
Security Controls Verified:
- HMAC-SHA256 signature verification ✓
- Timestamp validation prevents replay attacks ✓
- All security headers implemented ✓
- Protected procedures require valid JWT ✓
- Generic error messages prevent enumeration ✓
FRE-469 - Clerk Webhook Handlers ✅ APPROVED
Date Completed: 2026-03-25 Status: APPROVED - Production Ready
Previously Identified Issues (All Fixed):
- ✅ Timestamp unit inconsistency (`deletedAt` using ms instead of seconds) → Fixed with `Math.floor(Date.now() / 1000)`
Security Controls Verified:
- HMAC-SHA256 signature verification with timingSafeEqual ✓
- Timestamp validation (5-min window) ✓
- Upsert logic handles duplicate events ✓
- Soft delete preserves audit trail ✓
- DB parameterization prevents SQL injection ✓
- Retry logic with exponential backoff ✓
FRE-493 - Onboarding Flow ✅ APPROVED
Date Completed: 2026-03-25 Status: APPROVED - Production Ready
Security Assessment:
- UI-only feature with Clerk OAuth integration
- No custom authentication logic
- Clerk handles all security concerns
FRE-497 - Trust Score UI ✅ APPROVED
Date Completed: 2026-03-25 Status: APPROVED - Production Ready
Security Assessment:
- UI-only feature for displaying trust scores
- Scores calculated server-side
- Comprehensive error handling with typed errors
- 70 tests with 100% coverage
FRE-456 - Web Frontend (PENDING)
Status: Awaiting security review
FRE-505 - Rate Limiting & CORS (LOCKED)
Status: Currently being worked on (execution locked) Priority: HIGH - Security critical
FRE-502 - Logging & Sentry (LOCKED)
Status: Currently being worked on (execution locked) Priority: MEDIUM - Security implications
FRE-465 - iOS Transactions UI (LOCKED)
Status: Currently being worked on (execution locked)
FRE-503 - Deployment Docs (LOCKED)
Status: Currently being worked on (execution locked)
FRE-652 - Waitlist Landing Page ✅ APPROVED
Date Identified: 2026-04-29 Date Completed: 2026-04-29 Status: APPROVED - Production Ready
Previously Identified Issues (All Fixed):
- ✅ H1: Mailchimp API key moved server-side (`process.env.MAILCHIMP_API_KEY` in tRPC router)
- ✅ H2: Stripe secret keys moved server-side (`process.env.STRIPE_SECRET_KEY`, `process.env.STRIPE_WEBHOOK_SECRET`)
- ✅ H3: Atomic submission — single server-side tRPC mutation handles both Mailchimp + DB
Security Controls Verified:
- Mailchimp API key no longer bundled in client JS ✓
- Stripe secrets only accessible server-side ✓
- Single atomic mutation for waitlist signup ✓