Fix remaining critical, medium, and low security issues

IDOR (critical): GET /api/checks/:id and GET /api/deposits/:id now
verify the requesting user has access to the record's account before
returning data. Previously any authenticated user could fetch any
record by ID across accounts.

Printed check guard (critical): PUT and DELETE on checks now return
409 if the check has already been printed, enforcing the business rule
that printed checks are immutable. Previously the printed flag was
only enforced in the frontend.

PDF DoS (medium): checkIds array capped at 300 (100 pages × 3 per page).

QBO import DoS (medium): records array capped at 1000 per confirm call.

PDF error detail (medium): internal err.message no longer returned to
the client on PDF generation failure.

SESSION_SECRET (low): removed NODE_ENV=production condition — the
server now exits immediately on startup if SESSION_SECRET is unset
regardless of environment. Dev script updated to load .env via
node --env-file=.env so developers set it once in a local .env file.

Password hints (low): updated all three UI labels from "min 8 chars"
to "min 10 chars, include a digit or symbol" to match the actual
server-side validation.
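The checks the commit message lists, as an added example rather than the project's own code: plain Node functions that return `{ status, body }` so they can run without Express and be called from a route handler. The in-memory store, the `accountIds` shape on the user, the helper names, and the specific status codes for the rejected cases (404 for an inaccessible record, 413 for an oversized array) are assumptions; the 300 and 1000 caps and the 409 for printed checks come from the message.

```javascript
// Added example; not the project's code. Store shape and helper names are assumed.
const MAX_CHECK_IDS = 300;        // 100 pages x 3 per page, per the commit message
const MAX_IMPORT_RECORDS = 1000;  // per confirm call, per the commit message

// Constructed sample data: two accounts, one user in each.
const users = {
  alice: { id: 'alice', accountIds: new Set(['acct-1']) },
  bob:   { id: 'bob',   accountIds: new Set(['acct-2']) },
};
const checks = {
  'chk-1': { id: 'chk-1', accountId: 'acct-1', printed: false, amount: 10 },
  'chk-2': { id: 'chk-2', accountId: 'acct-2', printed: true,  amount: 20 },
};

// The IDOR: any authenticated caller can read any record by id.
function getCheckUnsafe(_user, id) {
  const check = checks[id];
  return check ? { status: 200, body: check } : { status: 404, body: { error: 'not found' } };
}

// Fixed: look the record up, then require the caller to belong to its account.
// Answering 404 for both "missing" and "not yours" avoids confirming that an id
// exists in another account (status choice is an assumption, not the project's).
function getCheck(user, id) {
  const check = checks[id];
  if (!check || !user.accountIds.has(check.accountId)) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: check };
}

// Printed-check guard: the access check runs first, then a printed check
// refuses mutation with 409 so the rule no longer depends on the frontend.
function updateCheck(user, id, patch) {
  const found = getCheck(user, id);
  if (found.status !== 200) return found;
  if (found.body.printed) {
    return { status: 409, body: { error: 'printed checks are immutable' } };
  }
  Object.assign(found.body, patch);
  return { status: 200, body: found.body };
}

// Array cap for both the PDF checkIds and the QBO import records: reject
// oversized input before any rendering or database work starts.
function validateArrayLength(items, max) {
  if (!Array.isArray(items) || items.length === 0) {
    return { status: 400, body: { error: 'expected a non-empty array' } };
  }
  if (items.length > max) {
    return { status: 413, body: { error: `at most ${max} items per request` } };
  }
  return { status: 200, body: items };
}

// PDF failure: the real err.message goes to the server log only; the client
// gets a fixed string so file paths and library internals are not disclosed.
function pdfFailureResponse(err, log = () => {}) {
  log(`pdf generation failed: ${err.message}`);
  return { status: 500, body: { error: 'PDF generation failed' } };
}

// Startup guard: fail fast when SESSION_SECRET is unset, in every environment.
function requireSessionSecret(env) {
  if (!env.SESSION_SECRET) {
    throw new Error('SESSION_SECRET must be set before the server starts');
  }
  return env.SESSION_SECRET;
}
```

In a real handler the functions map directly onto `res.status(result.status).json(result.body)`; keeping them free of the request object is what makes the account check and the 409 rule unit-testable on their own.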
2026-03-20 13:28:18 -06:00
parent bd3e66cd44
commit 444e24a191
7 changed files with 23 additions and 9 deletions
@@ -5,7 +5,7 @@
"main": "src/app.js",
"scripts": {
"start": "node src/app.js",
"dev": "nodemon src/app.js",
"dev": "nodemon --exec \"node --env-file=.env\" src/app.js",
"migrate": "node migrations/import-mdb.js"
},
"dependencies": {
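Review bot: the `dev` script now hard-depends on a `.env` file being present, because `node --env-file=.env` aborts when the file is missing, and this hunk carries no accompanying `.env.example`, README note or `engines` entry; add a committed `.env.example` listing `SESSION_SECRET`, confirm `.env` is gitignored, and document the minimum Node version that supports `--env-file` (it is a recent addition, not available on older releases), so the SESSION_SECRET fail-fast described in the message does not surface as an unexplained startup failure on a fresh checkout.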