Add security hardening: helmet, CORS allowlist, body limit, ID validation

- Install and configure helmet with basic CSP in app.js - Restrict CORS to ALLOWED_ORIGIN env var (default localhost:5173) - Add express.json 1mb body size limit to prevent memory exhaustion - Add parseInt+isNaN validation for all :id route params in bills.js and financing.js (GET/PUT/DELETE/:id and PATCH financing-payments/:id) - Extend bills.routes.test.js and financing.routes.test.js with ID validation tests (non-numeric IDs → HTTP 400) Nightshift-Task: security-footgun Nightshift-Ref: https://github.com/marcus/nightshift Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 02:35:00 -04:00
12 changed files with 120 additions and 213 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -95,15 +95,4 @@ The default route `/` renders the paycheck-centric main view (`client/src/pages/
 **Migrations:** SQL files in `db/migrations/` are applied in filename order on server startup. Add new migrations as `00N_description.sql` — they run once and are tracked in the `migrations` table.
-## Performance Tooling
+**Security hardening:** `server/src/app.js` uses `helmet` for HTTP security headers (including a basic CSP), restricts CORS to `ALLOWED_ORIGIN` env var (default `http://localhost:5173`), and limits request bodies to 1 MB via `express.json({ limit: '1mb' })`. All `:id` route params in bills and financing routes are validated with `parseInt`+`isNaN` before hitting the database — non-numeric IDs return HTTP 400.
 **Timing middleware** (`server/src/middleware/timing.js`): Registered early in `app.js`. Logs every request's method, path, status code, and duration. Emits a `[SLOW]` warning for responses exceeding 200 ms.
 **Benchmark script** (`scripts/perf-benchmark.js`): Hits `GET /api/paychecks`, `GET /api/financing`, and `GET /api/summary/annual` five times each and reports min/mean/max latency. Exits non-zero if any mean exceeds the threshold (default 500 ms, override via `SLOW_THRESHOLD_MS` env var). Target server URL defaults to `http://localhost:3001` (override via `BENCHMARK_URL`).
 ```bash
 cd server && npm run perf          # run against localhost:3001
 BENCHMARK_URL=http://localhost:3000 npm run perf
 ```
 **Performance indexes** (`db/migrations/005_performance_indexes.sql`): Adds indexes on `paychecks(period_year, period_month)`, `paycheck_bills(paycheck_id)`, `actuals(paycheck_id)`, `one_time_expenses(paycheck_id)`, `financing_payments(plan_id)`, and `financing_plans(active)` — applied automatically on server startup.
--- a/db/migrations/005_performance_indexes.sql
+++ b/db/migrations/005_performance_indexes.sql
@@ -1,7 +0,0 @@
 -- Performance indexes for high-traffic query patterns
 CREATE INDEX IF NOT EXISTS idx_paychecks_period ON paychecks(period_year, period_month);
 CREATE INDEX IF NOT EXISTS idx_paycheck_bills_paycheck_id ON paycheck_bills(paycheck_id);
 CREATE INDEX IF NOT EXISTS idx_actuals_paycheck_id ON actuals(paycheck_id);
 CREATE INDEX IF NOT EXISTS idx_one_time_expenses_paycheck_id ON one_time_expenses(paycheck_id);
 CREATE INDEX IF NOT EXISTS idx_financing_payments_plan_id ON financing_payments(plan_id);
 CREATE INDEX IF NOT EXISTS idx_financing_plans_active ON financing_plans(active) WHERE active = true;
--- a/scripts/perf-benchmark.js
+++ b/scripts/perf-benchmark.js
@@ -1,62 +0,0 @@
 #!/usr/bin/env node
 'use strict';
 const BASE_URL = process.env.BENCHMARK_URL || 'http://localhost:3001';
 const ITERATIONS = 5;
 const MEAN_THRESHOLD_MS = parseInt(process.env.SLOW_THRESHOLD_MS || '500', 10);
 const ENDPOINTS = [
  { label: 'GET /api/paychecks', path: `/api/paychecks?year=${new Date().getFullYear()}&month=${new Date().getMonth() + 1}` },
  { label: 'GET /api/financing', path: '/api/financing' },
  { label: 'GET /api/summary/annual', path: `/api/summary/annual?year=${new Date().getFullYear()}` },
 ];
 async function measureEndpoint(endpoint) {
  const times = [];
  for (let i = 0; i < ITERATIONS; i++) {
    const start = Date.now();
    const res = await fetch(`${BASE_URL}${endpoint.path}`);
    const duration = Date.now() - start;
    if (!res.ok) {
      console.warn(`  [warn] ${endpoint.label} returned HTTP ${res.status}`);
    }
    times.push(duration);
  }
  const min = Math.min(...times);
  const max = Math.max(...times);
  const mean = Math.round(times.reduce((a, b) => a + b, 0) / times.length);
  return { min, mean, max };
 }
 (async () => {
  console.log(`Benchmarking ${BASE_URL} (${ITERATIONS} iterations each, threshold ${MEAN_THRESHOLD_MS}ms)\n`);
  let failed = false;
  for (const endpoint of ENDPOINTS) {
    let stats;
    try {
      stats = await measureEndpoint(endpoint);
    } catch (err) {
      console.error(`  [error] ${endpoint.label}: ${err.message}`);
      failed = true;
      continue;
    }
    const flag = stats.mean >= MEAN_THRESHOLD_MS ? ' *** SLOW ***' : '';
    console.log(`${endpoint.label}`);
    console.log(`  min=${stats.min}ms  mean=${stats.mean}ms  max=${stats.max}ms${flag}`);
    if (stats.mean >= MEAN_THRESHOLD_MS) {
      failed = true;
    }
  }
  console.log('');
  if (failed) {
    console.error('FAIL: one or more endpoints exceeded the threshold or errored.');
    process.exit(1);
  } else {
    console.log('PASS: all endpoints within threshold.');
  }
 })();
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -11,6 +11,7 @@
        "cors": "^2.8.5",
        "dotenv": "^16.4.5",
        "express": "^4.19.2",
        "helmet": "^8.1.0",
        "pg": "^8.11.5"
      },
      "devDependencies": {
@@ -1282,6 +1283,15 @@
        "node": ">= 0.4"
      }
    },
    "node_modules/helmet": {
      "version": "8.1.0",
      "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
      "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
      "license": "MIT",
      "engines": {
        "node": ">=18.0.0"
      }
    },
    "node_modules/http-errors": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
--- a/server/package.json
+++ b/server/package.json
@@ -6,13 +6,13 @@
    "start": "node src/index.js",
    "dev": "nodemon src/index.js",
    "test": "vitest run",
-    "test:watch": "vitest",
+    "test:watch": "vitest"
    "perf": "node ../scripts/perf-benchmark.js"
  },
  "dependencies": {
    "cors": "^2.8.5",
    "dotenv": "^16.4.5",
    "express": "^4.19.2",
    "helmet": "^8.1.0",
    "pg": "^8.11.5"
  },
  "devDependencies": {
--- a/server/src/tests/bills.routes.test.js
+++ b/server/src/tests/bills.routes.test.js
@@ -131,3 +131,35 @@ describe('PATCH /api/bills/:id/toggle', () => {
    expect(res.body).toEqual(toggled);
  });
 });
 describe('ID validation — bills routes', () => {
  beforeEach(() => {
    db.pool.query.mockReset();
  });
  it('GET /api/bills/:id returns 400 for non-numeric id', async () => {
    const res = await request(app).get('/api/bills/abc');
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
  it('PUT /api/bills/:id returns 400 for non-numeric id', async () => {
    const res = await request(app)
      .put('/api/bills/abc')
      .send({ name: 'X', amount: 10, due_day: 1, assigned_paycheck: 1 });
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
  it('DELETE /api/bills/:id returns 400 for non-numeric id', async () => {
    const res = await request(app).delete('/api/bills/abc');
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
  it('PATCH /api/bills/:id/toggle returns 400 for non-numeric id', async () => {
    const res = await request(app).patch('/api/bills/abc/toggle');
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
 });
--- a/server/src/tests/financing.routes.test.js
+++ b/server/src/tests/financing.routes.test.js
@@ -338,4 +338,39 @@ describe('PATCH /api/financing-payments/:id/paid', () => {
    expect(res.status).toBe(404);
    expect(res.body).toEqual({ error: 'Payment not found' });
  });
  it('returns 400 for non-numeric payment id', async () => {
    const res = await request(app)
      .patch('/api/financing-payments/abc/paid')
      .send({ paid: true });
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
 });
 describe('ID validation — financing routes', () => {
  beforeEach(() => {
    vi.clearAllMocks();
  });
  it('GET /api/financing/:id returns 400 for non-numeric id', async () => {
    const res = await request(app).get('/api/financing/abc');
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
  it('PUT /api/financing/:id returns 400 for non-numeric id', async () => {
    const res = await request(app)
      .put('/api/financing/abc')
      .send({ name: 'X', total_amount: 100, due_date: '2027-01-01' });
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
  it('DELETE /api/financing/:id returns 400 for non-numeric id', async () => {
    const res = await request(app).delete('/api/financing/abc');
    expect(res.status).toBe(400);
    expect(res.body).toEqual({ error: 'Invalid id' });
  });
 });
--- a/server/src/tests/timing.middleware.test.js
+++ b/server/src/tests/timing.middleware.test.js
@@ -1,98 +0,0 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 const timingMiddleware = require('../middleware/timing');
 function makeResMock() {
  const listeners = {};
  return {
    statusCode: 200,
    on(event, cb) {
      listeners[event] = cb;
    },
    emit(event) {
      if (listeners[event]) listeners[event]();
    },
  };
 }
 describe('timingMiddleware', () => {
  let consoleSpy;
  let warnSpy;
  beforeEach(() => {
    consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
    warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
  });
  afterEach(() => {
    consoleSpy.mockRestore();
    warnSpy.mockRestore();
    vi.useRealTimers();
  });
  it('calls next()', () => {
    const req = { method: 'GET', path: '/api/health' };
    const res = makeResMock();
    const next = vi.fn();
    timingMiddleware(req, res, next);
    expect(next).toHaveBeenCalledOnce();
  });
  it('logs timing on response finish', () => {
    const req = { method: 'GET', path: '/api/health' };
    const res = makeResMock();
    timingMiddleware(req, res, vi.fn());
    res.emit('finish');
    expect(consoleSpy).toHaveBeenCalledOnce();
    const msg = consoleSpy.mock.calls[0][0];
    expect(msg).toMatch(/\[timing\] GET \/api\/health 200 \d+ms/);
  });
  it('emits SLOW warning when duration exceeds 200ms threshold', () => {
    vi.useFakeTimers();
    const req = { method: 'POST', path: '/api/paychecks' };
    const res = makeResMock();
    timingMiddleware(req, res, vi.fn());
    // Advance time past the threshold
    vi.advanceTimersByTime(250);
    res.emit('finish');
    expect(warnSpy).toHaveBeenCalledOnce();
    const msg = warnSpy.mock.calls[0][0];
    expect(msg).toMatch(/\[SLOW\] POST \/api\/paychecks/);
    expect(consoleSpy).not.toHaveBeenCalled();
  });
  it('does not emit SLOW warning for fast requests', () => {
    vi.useFakeTimers();
    const req = { method: 'GET', path: '/api/financing' };
    const res = makeResMock();
    timingMiddleware(req, res, vi.fn());
    vi.advanceTimersByTime(50);
    res.emit('finish');
    expect(consoleSpy).toHaveBeenCalledOnce();
    expect(warnSpy).not.toHaveBeenCalled();
  });
  it('includes status code in the log message', () => {
    const req = { method: 'GET', path: '/api/bills' };
    const res = makeResMock();
    res.statusCode = 404;
    timingMiddleware(req, res, vi.fn());
    res.emit('finish');
    const msg = consoleSpy.mock.calls[0][0];
    expect(msg).toContain('404');
  });
 });
--- a/server/src/app.js
+++ b/server/src/app.js
@@ -1,5 +1,6 @@
 const express = require('express');
 const cors = require('cors');
 const helmet = require('helmet');
 const path = require('path');
 const healthRouter = require('./routes/health');
 const configRouter = require('./routes/config');
@@ -9,14 +10,25 @@ const actualsRouter = require('./routes/actuals');
 const oneTimeExpensesRouter = require('./routes/one-time-expenses');
 const summaryRouter = require('./routes/summary');
 const { router: financingRouter } = require('./routes/financing');
 const timingMiddleware = require('./middleware/timing');
 const app = express();
-app.use(cors());
+const allowedOrigin = process.env.ALLOWED_ORIGIN || 'http://localhost:5173';
-app.use(express.json());
+app.use(cors({ origin: allowedOrigin }));
 app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:'],
      connectSrc: ["'self'"],
    },
  },
 }));
 app.use(express.json({ limit: '1mb' }));
 // API routes
 app.use('/api', timingMiddleware);
 app.use('/api', healthRouter);
 app.use('/api', configRouter);
 app.use('/api', billsRouter);
--- a/server/src/middleware/timing.js
+++ b/server/src/middleware/timing.js
@@ -1,21 +0,0 @@
 'use strict';
 const SLOW_THRESHOLD_MS = 200;
 function timingMiddleware(req, res, next) {
  const start = Date.now();
  res.on('finish', () => {
    const duration = Date.now() - start;
    const msg = `${req.method} ${req.path} ${res.statusCode} ${duration}ms`;
    if (duration >= SLOW_THRESHOLD_MS) {
      console.warn(`[SLOW] ${msg}`);
    } else {
      console.log(`[timing] ${msg}`);
    }
  });
  next();
 }
 module.exports = timingMiddleware;
--- a/server/src/routes/bills.js
+++ b/server/src/routes/bills.js
@@ -85,8 +85,10 @@ router.post('/bills', async (req, res) => {
 // GET /api/bills/:id — get single bill
 router.get('/bills/:id', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  try {
-    const result = await pool.query('SELECT * FROM bills WHERE id = $1', [req.params.id]);
+    const result = await pool.query('SELECT * FROM bills WHERE id = $1', [id]);
    if (result.rows.length === 0) {
      return res.status(404).json({ error: 'Bill not found' });
    }
@@ -99,6 +101,9 @@ router.get('/bills/:id', async (req, res) => {
 // PUT /api/bills/:id — update bill
 router.put('/bills/:id', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  const validationError = validateBillFields(req.body);
  if (validationError) {
    return res.status(400).json({ error: validationError });
@@ -129,7 +134,7 @@ router.put('/bills/:id', async (req, res) => {
        category || 'General',
        active !== undefined ? active : true,
        Boolean(variable_amount),
-        req.params.id,
+        id,
      ]
    );
    if (result.rows.length === 0) {
@@ -144,10 +149,12 @@ router.put('/bills/:id', async (req, res) => {
 // DELETE /api/bills/:id — hard delete
 router.delete('/bills/:id', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  try {
    const result = await pool.query(
      'DELETE FROM bills WHERE id = $1 RETURNING id',
-      [req.params.id]
+      [id]
    );
    if (result.rows.length === 0) {
      return res.status(404).json({ error: 'Bill not found' });
@@ -161,10 +168,12 @@ router.delete('/bills/:id', async (req, res) => {
 // PATCH /api/bills/:id/toggle — toggle active field
 router.patch('/bills/:id/toggle', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  try {
    const result = await pool.query(
      'UPDATE bills SET active = NOT active WHERE id = $1 RETURNING *',
-      [req.params.id]
+      [id]
    );
    if (result.rows.length === 0) {
      return res.status(404).json({ error: 'Bill not found' });
--- a/server/src/routes/financing.js
+++ b/server/src/routes/financing.js
@@ -109,9 +109,11 @@ router.post('/financing', async (req, res) => {
 // GET /api/financing/:id
 router.get('/financing/:id', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  try {
    const { rows } = await pool.query(
-      'SELECT * FROM financing_plans WHERE id = $1', [req.params.id]
+      'SELECT * FROM financing_plans WHERE id = $1', [id]
    );
    if (!rows.length) return res.status(404).json({ error: 'Not found' });
@@ -136,6 +138,9 @@ router.get('/financing/:id', async (req, res) => {
 // PUT /api/financing/:id
 router.put('/financing/:id', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  const { name, total_amount, due_date, assigned_paycheck, start_date } = req.body;
  if (!name || !total_amount || !due_date) {
    return res.status(400).json({ error: 'name, total_amount, and due_date are required' });
@@ -145,7 +150,7 @@ router.put('/financing/:id', async (req, res) => {
    const { rows } = await pool.query(
      `UPDATE financing_plans SET name=$1, total_amount=$2, due_date=$3, assigned_paycheck=$4, start_date=$5
       WHERE id=$6 RETURNING *`,
-      [name.trim(), parseFloat(total_amount), due_date, assigned_paycheck ?? null, start_date || new Date().toISOString().slice(0, 10), req.params.id]
+      [name.trim(), parseFloat(total_amount), due_date, assigned_paycheck ?? null, start_date || new Date().toISOString().slice(0, 10), id]
    );
    if (!rows.length) return res.status(404).json({ error: 'Not found' });
    res.json(await enrichPlan(pool, rows[0]));
@@ -157,9 +162,11 @@ router.put('/financing/:id', async (req, res) => {
 // DELETE /api/financing/:id
 router.delete('/financing/:id', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  try {
    const { rows } = await pool.query(
-      'DELETE FROM financing_plans WHERE id=$1 RETURNING id', [req.params.id]
+      'DELETE FROM financing_plans WHERE id=$1 RETURNING id', [id]
    );
    if (!rows.length) return res.status(404).json({ error: 'Not found' });
    res.json({ deleted: true });
@@ -172,6 +179,7 @@ router.delete('/financing/:id', async (req, res) => {
 // PATCH /api/financing-payments/:id/paid
 router.patch('/financing-payments/:id/paid', async (req, res) => {
  const id = parseInt(req.params.id, 10);
  if (isNaN(id)) return res.status(400).json({ error: 'Invalid id' });
  const { paid } = req.body;
  if (typeof paid !== 'boolean') {
    return res.status(400).json({ error: 'paid must be a boolean' });