STRbook
diff --git a/‎backend/SECURITY_SETUP.md‎
Lines changed: 215 additions & 0 deletions b/‎backend/SECURITY_SETUP.md‎
Lines changed: 215 additions & 0 deletions
diff --git a/‎backend/config/env.js‎
Lines changed: 87 additions & 0 deletions b/‎backend/config/env.js‎
Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,215 @@
+# STRbook Security Setup Guide
+
+## 🔒 Security Improvements Implemented
+
+## Environment Configuration
+
+Create a `.env` file in the backend directory with the following variables:
+
+```env
+# Database Configuration
+DB_USER=postgres
+DB_PASSWORD=your_secure_database_password_here
+DB_HOST=localhost
+DB_PORT=5432
+DB_NAME=str_book
+
+# JWT Configuration - CRITICAL: Use strong, unique secrets!
+# Generate using: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
+JWT_SECRET=your_super_secret_jwt_key_at_least_32_characters_long_replace_this_in_production
+JWT_REFRESH_SECRET=your_different_super_secret_refresh_jwt_key_replace_this_in_production
+
+# JWT Token Expiration Times
+JWT_EXPIRE_TIME=15m
+JWT_REFRESH_EXPIRE_TIME=7d
+
+# Server Configuration
+PORT=5000
+NODE_ENV=development
+
+# CORS Configuration (comma-separated list)
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:3001
+
+# Rate Limiting Configuration
+RATE_LIMIT_WINDOW_MS=900000
+RATE_LIMIT_MAX_REQUESTS=100
+```
+
+## 🛡️ Security Features Added
+
+### 1. Environment Validation
+- Validates required environment variables on startup
+- Prevents startup with weak/default JWT secrets
+
+### 2. JWT Security
+- Access tokens: 15 minutes
+- Refresh tokens: 7 days
+- Separate secrets for access and refresh tokens
+
+### 3. Input Validation & Sanitization
+- Password strength requirements
+- Email validation and normalization
+- XSS protection
+
+### 4. Rate Limiting
+- 100 requests per 15 minutes per IP
+- Configurable limits
+
+### 5. Database Security
+- Connection pooling
+- SQL injection protection
+- Transaction support
+
+### 6. Password Security
+- Bcrypt with 12 salt rounds
+- Constant-time password comparison
+
+## 🚨 Production Security Checklist
+
+Before deploying to production:
+
+### Required Actions
+- [ ] Replace all default passwords and secrets
+- [ ] Generate strong JWT secrets (64+ characters)
+- [ ] Set `NODE_ENV=production`
+- [ ] Limit `ALLOWED_ORIGINS` to your domain only
+- [ ] Adjust rate limits for production traffic
+- [ ] Enable SSL/HTTPS
+- [ ] Use production database with restricted access
+- [ ] Set up proper logging and monitoring
+
+### Generate Secure JWT Secrets
+```bash
+# Generate JWT secret
+node -e "console.log('JWT_SECRET=' + require('crypto').randomBytes(64).toString('hex'))"
+
+# Generate refresh secret
+node -e "console.log('JWT_REFRESH_SECRET=' + require('crypto').randomBytes(64).toString('hex'))"
+```
+
+### Recommended Production Settings
+```env
+NODE_ENV=production
+JWT_EXPIRE_TIME=15m
+JWT_REFRESH_EXPIRE_TIME=7d
+RATE_LIMIT_WINDOW_MS=900000
+RATE_LIMIT_MAX_REQUESTS=500
+```
+
+## 🔄 New API Endpoints
+
+### Authentication Endpoints
+
+#### Register
+```http
+POST /api/auth/register
+Content-Type: application/json
+
+{
+  "email": "student@example.com",
+  "password": "SecurePass123!",
+  "confirmPassword": "SecurePass123!"
+}
+```
+
+#### Login
+```http
+POST /api/auth/login
+Content-Type: application/json
+
+{
+  "email": "student@example.com",
+  "password": "SecurePass123!"
+}
+```
+
+#### Refresh Token
+```http
+POST /api/auth/refresh
+Content-Type: application/json
+
+{
+  "refreshToken": "your_refresh_token_here"
+}
+```
+
+#### Logout
+```http
+POST /api/auth/logout
+Authorization: Bearer your_access_token_here
+```
+
+### Response Format
+All authentication endpoints now return:
+```json
+{
+  "message": "Login successful",
+  "accessToken": "short_lived_access_token",
+  "refreshToken": "long_lived_refresh_token",
+  "user": {
+    "id": 123,
+    "email": "user@example.com",
+    "role": "student",
+    "is_first_login": true
+  }
+}
+```
+
+### Error Response Format
+```json
+{
+  "message": "Validation failed",
+  "code": "VALIDATION_ERROR",
+  "errors": [
+    {
+      "field": "password",
+      "message": "Password must contain at least one uppercase letter",
+      "value": "weakpass"
+    }
+  ]
+}
+```
+
+## 🔧 Development Setup
+
+1. **Install new dependencies**:
+```bash
+cd backend
+npm install express-rate-limit express-validator dotenv
+```
+
+2. **Create environment file**:
+```bash
+cp .env.example .env
+# Edit .env with your configuration
+```
+
+3. **Run with validation**:
+```bash
+npm start
+```
+
+The server will validate your configuration on startup and provide clear error messages if anything is missing or insecure.
+
+## 🔍 Security Monitoring
+
+Monitor these security events:
+- Failed login attempts
+- Token refresh failures
+- Rate limit violations
+- Validation failures
+- Database connection errors
+
+## 📞 Support
+
+If you encounter any security-related issues:
+1. Check the console logs for specific error messages
+2. Verify your environment configuration
+3. Ensure all required dependencies are installed
+4. Test with the provided examples
+
+## 🔗 References
+
+- [OWASP Security Guidelines](https://owasp.org/)
+- [JWT Best Practices](https://tools.ietf.org/html/rfc7519)
+- [Node.js Security Checklist](https://blog.risingstack.com/node-js-security-checklist/) 
@@ -0,0 +1,87 @@
+const path = require('path');
+
+require('dotenv').config({ path: path.join(__dirname, '../.env') });
+
+function validateEnv() {
+  const required = {
+    DB_USER: process.env.DB_USER,
+    DB_PASSWORD: process.env.DB_PASSWORD,
+    DB_HOST: process.env.DB_HOST || 'localhost',
+    DB_PORT: process.env.DB_PORT || '5432',
+    DB_NAME: process.env.DB_NAME,
+    JWT_SECRET: process.env.JWT_SECRET,
+    PORT: process.env.PORT || '5000'
+  };
+
+  const missing = [];
+  const weak = [];
+
+  Object.entries(required).forEach(([key, value]) => {
+    if (!value || value.trim() === '') {
+      missing.push(key);
+    }
+  });
+
+  if (required.JWT_SECRET && required.JWT_SECRET.length < 32) {
+    weak.push('JWT_SECRET must be at least 32 characters long');
+  }
+
+  if (required.JWT_SECRET === 'your-secret-key' || required.JWT_SECRET === 'your-secret-key-here') {
+    weak.push('JWT_SECRET is using default value - change it immediately');
+  }
+
+  if (missing.length > 0) {
+    console.error('❌ Missing required environment variables:');
+    missing.forEach(key => console.error(`   - ${key}`));
+    process.exit(1);
+  }
+
+  if (weak.length > 0) {
+    console.error('⚠️  Weak security configuration:');
+    weak.forEach(msg => console.error(`   - ${msg}`));
+    if (process.env.NODE_ENV === 'production') {
+      console.error('❌ Cannot start in production with weak security settings');
+      process.exit(1);
+    }
+  }
+
+  console.log('✅ Environment configuration validated');
+  return required;
+}
+
+const config = {
+  database: {
+    user: process.env.DB_USER,
+    password: process.env.DB_PASSWORD,
+    host: process.env.DB_HOST || 'localhost',
+    port: parseInt(process.env.DB_PORT || '5432'),
+    database: process.env.DB_NAME
+  },
+
+  jwt: {
+    secret: process.env.JWT_SECRET,
+    refreshSecret: process.env.JWT_REFRESH_SECRET || process.env.JWT_SECRET + '_refresh',
+    expiresIn: process.env.JWT_EXPIRE_TIME || '15m',
+    refreshExpiresIn: process.env.JWT_REFRESH_EXPIRE_TIME || '7d'
+  },
+
+  server: {
+    port: parseInt(process.env.PORT || '5000'),
+    nodeEnv: process.env.NODE_ENV || 'development'
+  },
+
+  cors: {
+    allowedOrigins: process.env.ALLOWED_ORIGINS ? 
+      process.env.ALLOWED_ORIGINS.split(',') : 
+      ['http://localhost:3000', 'http://localhost:3001']
+  },
+
+  rateLimit: {
+    windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || '900000'),
+    maxRequests: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '100')
+  }
+};
+
+validateEnv();
+
+module.exports = config;