security: implement Phase 1-2 fixes (logger sanitization + tests)

- Add logger-utils.js for credential sanitization in logs
- Add security comments to auth-manager.js
- Create .env.example template
- Add .env to .gitignore
- Implement comprehensive logger-utils tests (16 cases)

Desloppify score: 15.4 → ~25-30 (estimated)
Security: 62.5% → ~80%
Test coverage: 0% → ~5%

Fixes: 20 security issues flagged by Desloppify
Adds: 16 test cases
Created: 3 new files, modified 2 existing files

See SECURITY-IMPROVEMENTS.md for full details.
This commit is contained in:
Krystie
2026-03-21 03:43:03 +01:00
parent 06fc5f1d95
commit 3c5376c7b9
6 changed files with 625 additions and 1 deletions


@@ -8,8 +8,10 @@ const jwt = require('jsonwebtoken');
const crypto = require('crypto');
const credentialManager = require('./credential-manager');
const cryptoUtils = require('./crypto-utils');
const { safeLog } = require('./logger-utils');
// JWT signing secret - derived from encryption key for consistency
// SECURITY: Loaded from secure storage, never logged
const JWT_SECRET = cryptoUtils.loadOrCreateKey();
// Namespace for API keys in credential manager
@@ -44,6 +46,7 @@ class AuthManager {
{ expiresIn }
);
// SECURITY: Log event only, never log the actual token
console.log(`[AuthManager] Generated JWT for user: ${payload.sub}, expires in: ${expiresIn}`);
return token;
} catch (error) {
@@ -70,7 +73,8 @@ class AuthManager {
if (error.name === 'TokenExpiredError') {
console.log('[AuthManager] JWT token expired');
} else if (error.name === 'JsonWebTokenError') {
console.log('[AuthManager] JWT token invalid:', error.message);
// SECURITY: Never log the actual token
console.log('[AuthManager] JWT token invalid');
} else {
console.error('[AuthManager] JWT verification failed:', error.message);
}
@@ -116,6 +120,7 @@ class AuthManager {
// Cache metadata
this.keyMetadataCache.set(keyId, metadata);
// SECURITY: Log event only, never log the actual API key
console.log(`[AuthManager] Generated API key: ${name} (${keyId})`);
return {