
fix: resolve security issues #800 #803 #804 #806 (#946)

Open
JudeDaniel6 wants to merge 1 commit into rinafcode:main from JudeDaniel6:fix/security-issues-800-803-804-806

Conversation

@JudeDaniel6


Summary

Resolves all four open security issues assigned to @JudeDaniel6.


#800 — EncryptionService uses SHA-256 instead of a proper KDF

Problem: Key derivation via crypto.createHash('sha256') has no work factor, making brute-force trivial.

Fix:

  • Replace with crypto.scryptSync(secret, salt, 32, { N: 16384, r: 8, p: 1 })
  • Add ENCRYPTION_SALT env var (startup fails fast if absent)
  • Document migration path in commit message
  • Unit tests verify scrypt is used (and SHA-256 is not)

#803 — AuthService logout does not blacklist the current access token

Problem: logout() only nulls the refresh token; the access token stays valid until natural expiry.

Fix:

  • Add jti claim to access token in generateTokens()
  • Update logout(userId, accessToken?) to decode the token, extract jti, and call tokenBlacklistService.addToBlacklist(jti, remainingTtlMs)
  • Update AuthController.logout to extract the Bearer token and pass it to the service
  • Tests verify immediate invalidation on logout

#804 — GDPR erasure does not cascade-delete financial records and active sessions

Problem: eraseUserData() only nulls profile fields, leaving orphaned payments/enrollments/audit logs and usable sessions.

Fix:

  • Revoke all active sessions immediately (before transaction)
  • Wrap all erasure in a TypeORM DataSource.transaction()
  • Anonymize payments, enrollment, audit_logs, and notifications tables inside the transaction
  • GdprModule updated to import TypeOrmModule (provides DataSource)
  • Tests: cascade anonymization, NotFoundException, idempotency (second call succeeds)

#806 — FraudDetectionService has hardcoded thresholds and no behavioral signals

Problem: Three hardcoded threshold checks are trivially bypassed; no velocity or geo signals.

Fix:

  • Introduce FraudSignalProvider interface for pluggable signal sources
  • IpRateSignalProvider, NewDeviceSignalProvider, LargeTransactionSignalProvider — existing logic, now configurable via ConfigService
  • VelocitySignalProvider — flags users exceeding FRAUD_MAX_PURCHASES_PER_HOUR (configurable)
  • GeoAnomalySignalProvider — flags when purchase country differs from registration country
  • All thresholds read from env vars (FRAUD_IP_RATE_THRESHOLD, FRAUD_NEW_DEVICE_AMOUNT_THRESHOLD, FRAUD_LARGE_TX_THRESHOLD, FRAUD_MAX_PURCHASES_PER_HOUR)
  • Unit tests for each provider independently + the aggregate service

Testing

All 4 target test suites pass (37 new/updated tests):

  • encryption.service.spec.ts — 6 tests ✅
  • auth.service.spec.ts — 10 tests ✅
  • gdpr.service.spec.ts — 5 tests ✅
  • fraud-detection.service.spec.ts — 16 tests ✅

Closes #800
Closes #803
Closes #804
Closes #806
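Added example for the #800 change, not code from this PR or the rinafcode repository: the SHA-256 "before" beside the scrypt "after" with the PR's parameters, the fail-fast ENCRYPTION_SALT check, and the derived key driving AES-256-GCM. The env object, secret and salt are constructed for the example; assumes Node.js with the built-in crypto module.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes, scryptSync } from 'node:crypto';

// The salt comes from ENCRYPTION_SALT; the service refuses to start without it.
// A plain object stands in for process.env so the check can be exercised in a test.
export function loadSalt(env: Record<string, string | undefined>): Buffer {
  const hex = env.ENCRYPTION_SALT;
  if (!hex || !/^[0-9a-f]{32,}$/i.test(hex)) throw new Error('ENCRYPTION_SALT must be set: at least 16 bytes, hex-encoded');
  return Buffer.from(hex, 'hex');
}

// Before (#800): a single SHA-256 per guess, no salt and no work factor.
export function weakKey(secret: string): Buffer {
  return createHash('sha256').update(secret).digest();
}

// After: scrypt with the PR's parameters (N=16384, r=8, p=1), about 16 MiB per derivation,
// which is what makes offline guessing of the secret expensive.
export function deriveKey(secret: string, salt: Buffer): Buffer {
  return scryptSync(secret, salt, 32, { N: 16384, r: 8, p: 1 });
}

// AES-256-GCM with a fresh 12-byte IV per message; the blob is iv || tag || ciphertext as hex.
export function encrypt(key: Buffer, plaintext: string): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('hex');
}

// Decryption with the wrong key (or a modified blob) fails the GCM tag check and throws.
export function decrypt(key: Buffer, blob: string): string {
  const buf = Buffer.from(blob, 'hex');
  const decipher = createDecipheriv('aes-256-gcm', key, buf.subarray(0, 12));
  decipher.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]).toString('utf8');
}
```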

…rinafcode#806

rinafcode#800 - EncryptionService: replace SHA-256 with scrypt KDF
- Use crypto.scryptSync(secret, salt, 32) for AES-256 key derivation
- Require ENCRYPTION_SALT env var at startup (fails fast if missing)
- Add ENCRYPTION_SALT to .env.example with generation instructions
- Add unit tests verifying scrypt is used (not SHA-256)

rinafcode#803 - AuthService logout: blacklist the current access token
- Add jti claim to access token payload in generateTokens()
- Update logout(userId, accessToken?) to decode and blacklist the JTI
  with TTL equal to remaining token lifetime
- Update AuthController.logout to extract Bearer token and pass it
- Add tests covering JTI blacklisting and graceful fallback

rinafcode#804 - GDPR erasure: cascade-delete financial records and active sessions
- Wrap erasure in a TypeORM DataSource transaction
- Anonymize payments, enrollments, audit_logs, notifications inside tx
- Revoke active sessions before transaction (fast path)
- Update GdprModule to import TypeOrmModule (provides DataSource)
- Add tests: cascade anonymization, NotFoundException, idempotency

rinafcode#806 - FraudDetectionService: configurable thresholds + behavioral signals
- Introduce FraudSignalProvider interface for pluggable signal sources
- IpRateSignalProvider, NewDeviceSignalProvider, LargeTransactionSignalProvider
- VelocitySignalProvider: flag users exceeding N purchases/hour
- GeoAnomalySignalProvider: flag purchase country != registration country
- All thresholds configurable via ConfigService env vars (FRAUD_*)
- Unit tests for each provider independently + aggregate service

Closes rinafcode#800, Closes rinafcode#803, Closes rinafcode#804, Closes rinafcode#806
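Added example for the #803 change, not code from this PR or the rinafcode repository: an access token carrying a jti claim, an in-memory TokenBlacklistService whose entries live only for the token's remaining lifetime, and a logout(userId, accessToken?) that blacklists the jti with the graceful no-token fallback. The HS256 signing secret and the hand-rolled JWT helpers are constructed for the example so it runs without the jsonwebtoken package; the real service presumably uses its JWT library.

```typescript
import { createHmac, randomUUID, timingSafeEqual } from 'node:crypto';
// Hypothetical HS256 signing secret, constructed for this example.
const SIGNING_SECRET = 'example-signing-secret-change-me';
const b64url = (s: string) => Buffer.from(s).toString('base64url');
const sign = (data: string) => createHmac('sha256', SIGNING_SECRET).update(data).digest('base64url');
type Claims = { sub: string; jti: string; iat: number; exp: number };

// Minimal HS256 JWT issuer so the example runs without the jsonwebtoken package.
// The jti claim is what makes one specific token revocable.
export function signAccessToken(userId: string, ttlSec: number, now = Date.now()): string {
  const iat = Math.floor(now / 1000);
  const claims: Claims = { sub: userId, jti: randomUUID(), iat, exp: iat + ttlSec };
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${sign(`${head}.${body}`)}`;
}

export function decodeToken(token: string): Claims {
  const [head, body, sig] = token.split('.');
  if (!head || !body || !sig) throw new Error('malformed token');
  const expected = sign(`${head}.${body}`);
  if (sig.length !== expected.length || !timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) throw new Error('bad signature');
  return JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
}

// In-memory blacklist keyed by jti; an entry lives only as long as the token it revokes.
export class TokenBlacklistService {
  private until = new Map<string, number>();
  addToBlacklist(jti: string, remainingTtlMs: number, now = Date.now()): void { this.until.set(jti, now + remainingTtlMs); }
  isBlacklisted(jti: string, now = Date.now()): boolean {
    const expiry = this.until.get(jti);
    if (expiry !== undefined && expiry > now) return true;
    this.until.delete(jti); // absent or already expired: nothing left to block
    return false;
  }
}

export class AuthService {
  readonly blacklist = new TokenBlacklistService();
  // Graceful fallback: logout without a token still succeeds, it just revokes nothing.
  logout(userId: string, accessToken?: string, now = Date.now()): void {
    if (!accessToken) return;
    const { sub, jti, exp } = decodeToken(accessToken);
    if (sub !== userId) throw new Error('token does not belong to this user');
    const remainingTtlMs = exp * 1000 - now;
    if (remainingTtlMs > 0) this.blacklist.addToBlacklist(jti, remainingTtlMs, now);
  }
  // What a request guard runs: signature, expiry, then the blacklist.
  isTokenValid(accessToken: string, now = Date.now()): boolean {
    const { jti, exp } = decodeToken(accessToken);
    return exp * 1000 > now && !this.blacklist.isBlacklisted(jti, now);
  }
}
```

Because revocation is per jti, logging out one session leaves the user's other access tokens valid, which is the behaviour the PR's tests describe as immediate invalidation of the current token.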
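Added example for the #806 change, not code from this PR or the rinafcode repository: a FraudSignalProvider interface, the velocity and geo-anomaly providers alongside the large-transaction one, thresholds read from FRAUD_* variables, and an aggregate service that unions the providers' signals. The Purchase shape, the config map standing in for ConfigService, and the default thresholds are assumptions made for the example.

```typescript
// Purchase and user shapes assumed for the example; the real entities will differ.
export interface Purchase { userId: string; amountUsd: number; country: string; at: number }
export interface UserProfile { registrationCountry: string }
export interface FraudSignal { source: string; reason: string }
export interface FraudSignalProvider {
  evaluate(p: Purchase, history: Purchase[], user: UserProfile): FraudSignal | null;
}

// Thresholds come from env vars (a plain object stands in for ConfigService); the defaults are assumed.
export function readThresholds(env: Record<string, string | undefined>) {
  const num = (key: string, dflt: number) => {
    const raw = env[key];
    const v = raw === undefined ? NaN : Number(raw);
    return Number.isFinite(v) && v > 0 ? v : dflt;
  };
  return { largeTx: num('FRAUD_LARGE_TX_THRESHOLD', 1000), maxPerHour: num('FRAUD_MAX_PURCHASES_PER_HOUR', 5) };
}

export class LargeTransactionSignalProvider implements FraudSignalProvider {
  constructor(private threshold: number) {}
  evaluate(p: Purchase): FraudSignal | null {
    return p.amountUsd > this.threshold ? { source: 'large_tx', reason: `amount ${p.amountUsd} > ${this.threshold}` } : null;
  }
}

// Velocity: count this user's purchases in the hour ending at the current purchase, including it.
export class VelocitySignalProvider implements FraudSignalProvider {
  constructor(private maxPerHour: number) {}
  evaluate(p: Purchase, history: Purchase[]): FraudSignal | null {
    const windowStart = p.at - 3_600_000;
    const inWindow = history.filter(h => h.userId === p.userId && h.at > windowStart && h.at <= p.at).length + 1;
    return inWindow > this.maxPerHour ? { source: 'velocity', reason: `${inWindow} purchases in the last hour` } : null;
  }
}

export class GeoAnomalySignalProvider implements FraudSignalProvider {
  evaluate(p: Purchase, _history: Purchase[], user: UserProfile): FraudSignal | null {
    return p.country !== user.registrationCountry
      ? { source: 'geo', reason: `purchase in ${p.country}, registered in ${user.registrationCountry}` } : null;
  }
}

// Aggregate: every provider runs independently; the result is the union of their signals,
// so adding a signal source means adding a provider, not editing the service.
export class FraudDetectionService {
  constructor(private providers: FraudSignalProvider[]) {}
  assess(p: Purchase, history: Purchase[], user: UserProfile): FraudSignal[] {
    return this.providers.map(pr => pr.evaluate(p, history, user)).filter((s): s is FraudSignal => s !== null);
  }
}
```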
@RUKAYAT-CODER

Contributor

kindly resolve conflict
