-
Notifications
You must be signed in to change notification settings - Fork 0
Harden step completion integrity, tenant isolation, and API error handling #36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| const INSECURE_DEFAULT_JWT_SECRET = 'change-me'; | ||
|
|
||
| export function validateJwtSecret() { | ||
| const secret = process.env.JWT_SECRET; | ||
| if (process.env.NODE_ENV === 'production' && (!secret || secret === INSECURE_DEFAULT_JWT_SECRET)) { | ||
| throw new Error('JWT_SECRET must be set to a non-default value in production'); | ||
| } | ||
| } | ||
|
|
||
| export function getJwtSecret() { | ||
| return new TextEncoder().encode(process.env.JWT_SECRET || INSECURE_DEFAULT_JWT_SECRET); | ||
|
Comment on lines
+10
to
+11
|
||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -70,15 +70,26 @@ export async function getEquipmentByWorkCenter(tenantId: string, workCenterCode: | |
| orderBy: { code: 'asc' }, | ||
| }); | ||
|
|
||
| // Enrich with active downtime if any | ||
| const summaries: EquipmentSummary[] = []; | ||
| for (const eq of equipment) { | ||
| const activeDowntime = await prisma.downtimeEvent.findFirst({ | ||
| where: { equipmentId: eq.id, endedAt: null }, | ||
| orderBy: { startedAt: 'desc' }, | ||
| }); | ||
| const activeDowntimeEvents = equipment.length > 0 | ||
| ? await prisma.downtimeEvent.findMany({ | ||
| where: { | ||
| equipmentId: { in: equipment.map(eq => eq.id) }, | ||
| endedAt: null, | ||
| }, | ||
| orderBy: { startedAt: 'desc' }, | ||
| }) | ||
| : []; | ||
|
|
||
| const downtimeByEquipment = new Map<string, typeof activeDowntimeEvents[0]>(); | ||
| for (const event of activeDowntimeEvents) { | ||
| if (!downtimeByEquipment.has(event.equipmentId)) { | ||
| downtimeByEquipment.set(event.equipmentId, event); | ||
| } | ||
|
Comment on lines
+83
to
+87
|
||
| } | ||
|
|
||
| summaries.push({ | ||
| const summaries: EquipmentSummary[] = equipment.map((eq) => { | ||
| const activeDowntime = downtimeByEquipment.get(eq.id) || null; | ||
| return { | ||
| id: eq.id, | ||
| code: eq.code, | ||
| name: eq.name, | ||
|
|
@@ -95,8 +106,8 @@ export async function getEquipmentByWorkCenter(tenantId: string, workCenterCode: | |
| startedAt: activeDowntime.startedAt.toISOString(), | ||
| durationMin: (Date.now() - activeDowntime.startedAt.getTime()) / 60000, | ||
| } : null, | ||
| }); | ||
| } | ||
| }; | ||
| }); | ||
|
|
||
| return { status: 200, body: { equipment: summaries } }; | ||
| } | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,35 @@ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| import { getJwtSecret, validateJwtSecret } from '../src/config/jwt'; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| describe('JWT configuration', () => { | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| const originalEnv = process.env; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| beforeEach(() => { | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| process.env = { ...originalEnv }; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| }); | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| afterAll(() => { | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| process.env = originalEnv; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+4
to
+11
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| const originalEnv = process.env; | |
| beforeEach(() => { | |
| process.env = { ...originalEnv }; | |
| }); | |
| afterAll(() => { | |
| process.env = originalEnv; | |
| const originalJwtSecret = process.env.JWT_SECRET; | |
| const originalNodeEnv = process.env.NODE_ENV; | |
| beforeEach(() => { | |
| if (originalJwtSecret === undefined) { | |
| delete process.env.JWT_SECRET; | |
| } else { | |
| process.env.JWT_SECRET = originalJwtSecret; | |
| } | |
| if (originalNodeEnv === undefined) { | |
| delete process.env.NODE_ENV; | |
| } else { | |
| process.env.NODE_ENV = originalNodeEnv; | |
| } | |
| }); | |
| afterAll(() => { | |
| if (originalJwtSecret === undefined) { | |
| delete process.env.JWT_SECRET; | |
| } else { | |
| process.env.JWT_SECRET = originalJwtSecret; | |
| } | |
| if (originalNodeEnv === undefined) { | |
| delete process.env.NODE_ENV; | |
| } else { | |
| process.env.NODE_ENV = originalNodeEnv; | |
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
getJwtSecret()can still return the insecure default in production if some code path imports it without having calledvalidateJwtSecret()(validation currently only happens inapp.ts). Consider running validation insidegetJwtSecret()(or at module initialization inconfig/jwt.ts) so the production guardrail can’t be bypassed by alternative entrypoints.