Patrick/medassist-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add correlation ids and tighten frontend security headers (#299)

Browse Source 
* feat: add correlation ids and tighten frontend security headers

* docs: remove obsolete project setup guide

* fix: restore health config flags for compatibility

* test(frontend): align auth fetch assertions with correlation headers
This commit is contained in:
Daniel Volz
2026-02-24 21:21:30 +01:00
committed by GitHub
parent 63cd9ef19b
commit 26475fd3d0
9 changed files with 130 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/index.ts
+26
View File
@@ -1,4 +1,6 @@
import { randomUUID } from "node:crypto";
import { existsSync } from "node:fs";
import type { IncomingHttpHeaders } from "node:http";
import { resolve } from "node:path";
import cookie from "@fastify/cookie";
import cors from "@fastify/cors";
@@ -45,6 +47,16 @@ import {
parseCorsOrigins,
} from "./utils/server-config.js";
function sanitizeCorrelationId(headers: IncomingHttpHeaders): string | null {
const rawHeader = headers["x-correlation-id"];
if (typeof rawHeader !== "string") return null;
const trimmed = rawHeader.trim();
if (!trimmed) return null;
if (trimmed.length > 128) return null;
if (!/^[A-Za-z0-9._:-]+$/.test(trimmed)) return null;
return trimmed;
}
/** Create and configure Fastify app (without starting) */
export async function createApp(options?: {
logLevel?: string;
@@ -73,6 +85,13 @@ export async function createApp(options?: {
const app = Fastify({
logger: { level: opts.logLevel },
genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
});
app.addHook("onRequest", (request, reply, done) => {
request.correlationId = request.id;
reply.header("x-correlation-id", request.id);
done();
});
// Build config
@@ -141,6 +160,13 @@ const app = Fastify({
logger: {
level: env.LOG_LEVEL,
},
genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
});
app.addHook("onRequest", (request, reply, done) => {
request.correlationId = request.id;
reply.header("x-correlation-id", request.id);
done();
});
const origins = parseCorsOrigins(env.CORS_ORIGINS);
backend/src/routes/oidc.ts
+12 -9
View File
@@ -63,7 +63,7 @@ export async function oidcRoutes(app: FastifyInstance) {
// ---------------------------------------------------------------------------
// GET /auth/oidc/login - Initiates OIDC flow
// ---------------------------------------------------------------------------
app.get("/auth/oidc/login", async (_request, reply) => {
app.get("/auth/oidc/login", async (request, reply) => {
try {
const config = await getOIDCConfig();
@@ -105,7 +105,7 @@ export async function oidcRoutes(app: FastifyInstance) {
return reply.redirect(authUrl.href);
} catch (err: unknown) {
console.error("[OIDC] Login error:", err);
request.log.error({ err }, "[OIDC] Login initialization failed");
return reply.redirect(`${getFrontendUrl()}/?error=oidc_init_failed`);
}
});
@@ -120,7 +120,7 @@ export async function oidcRoutes(app: FastifyInstance) {
// Handle OIDC provider errors
if (error) {
console.error(`[OIDC] Provider error: ${error} - ${error_description}`);
app.log.warn({ error, errorDescription: error_description }, "[OIDC] Provider returned error");
return reply.redirect(`${getFrontendUrl()}/?error=oidc_${error}`);
}
@@ -131,14 +131,14 @@ export async function oidcRoutes(app: FastifyInstance) {
// Verify state
const storedState = request.unsignCookie(request.cookies.oidc_state || "");
if (!storedState.valid || storedState.value !== state) {
console.error("[OIDC] State mismatch");
request.log.warn("[OIDC] State mismatch during callback validation");
return reply.redirect(`${getFrontendUrl()}/?error=oidc_state_mismatch`);
}
// Get code verifier
const storedVerifier = request.unsignCookie(request.cookies.oidc_code_verifier || "");
if (!storedVerifier.valid || !storedVerifier.value) {
console.error("[OIDC] Missing code verifier");
request.log.warn("[OIDC] Missing/invalid code verifier cookie");
return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_verifier`);
}
@@ -159,7 +159,7 @@ export async function oidcRoutes(app: FastifyInstance) {
// Get user info
const sub = tokens.claims()?.sub;
if (!sub) {
console.error("[OIDC] Missing sub claim in token");
request.log.error("[OIDC] Missing sub claim in token response");
return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_sub`);
}
const userInfo = await client.fetchUserInfo(config, tokens.access_token, sub);
@@ -174,7 +174,10 @@ export async function oidcRoutes(app: FastifyInstance) {
const oidcSubject = userInfo.sub;
if (!username || !oidcSubject) {
console.error("[OIDC] Missing required user info:", { username, oidcSubject });
request.log.error(
{ hasUsername: Boolean(username), hasOidcSubject: Boolean(oidcSubject) },
"[OIDC] Missing required user info"
);
return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_user_info`);
}
@@ -214,7 +217,7 @@ export async function oidcRoutes(app: FastifyInstance) {
const frontendUrl = env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
return reply.redirect(`${frontendUrl}/dashboard`);
} catch (err: unknown) {
console.error("[OIDC] Callback error:", err);
request.log.error({ err }, "[OIDC] Callback processing failed");
return reply.redirect(`${getFrontendUrl()}/?error=oidc_callback_failed`);
}
}
@@ -255,7 +258,7 @@ async function findOrCreateOIDCUser(
// Check if auto-create is enabled
if (!env.OIDC_AUTO_CREATE_USERS) {
console.error(`[OIDC] User creation disabled and user not found: ${username}`);
// No logger is available in this helper, route-level logs already capture callback failures.
return null;
}
backend/src/types/fastify.d.ts
Vendored
+1
View File
@@ -22,6 +22,7 @@ declare module "fastify" {
interface FastifyRequest {
user?: AuthUser | null;
correlationId?: string;
}
}