@checkstack/backend 0.4.13 → 0.4.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +23 -0
- package/package.json +5 -5
- package/src/index.ts +9 -0
- package/src/plugin-manager/core-services.ts +12 -6
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,28 @@
|
|
|
1
1
|
# @checkstack/backend
|
|
2
2
|
|
|
3
|
+
## 0.4.14
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 0ebbe56: Security Vulnerability Remediation completed:
|
|
8
|
+
- Refactored core authorization to Fail-Closed architecture with secure defaults.
|
|
9
|
+
- Implemented `assertTeamManagementAccess` to resolve BOLA in Teams Management.
|
|
10
|
+
- Protected internal S2S capabilities via explicit wildcard `serviceScope` definitions.
|
|
11
|
+
- Disarmed OS Command Injection in DiskCollector via strict regex validation and bash escaping.
|
|
12
|
+
- Re-architected inline script processing executing scripts in sandboxed Web Worker contexts.
|
|
13
|
+
- Isolated subprocess environment scopes in PingStrategy limiting variable leakage.
|
|
14
|
+
- Enforced strict token/API Key parsing with URLSearchParams checking.
|
|
15
|
+
- Explicitly fail-fast on missing DATABASE_URL configuration across independent backend clusters.
|
|
16
|
+
- Activated strict HTTP Security Headers (HSTS, CSP, X-Frame-Options) across the API automatically.
|
|
17
|
+
- Updated dependencies [0ebbe56]
|
|
18
|
+
- @checkstack/auth-common@0.5.6
|
|
19
|
+
- @checkstack/backend-api@0.8.1
|
|
20
|
+
- @checkstack/common@0.6.3
|
|
21
|
+
- @checkstack/queue-api@0.2.6
|
|
22
|
+
- @checkstack/signal-backend@0.1.12
|
|
23
|
+
- @checkstack/api-docs-common@0.1.7
|
|
24
|
+
- @checkstack/signal-common@0.1.7
|
|
25
|
+
|
|
3
26
|
## 0.4.13
|
|
4
27
|
|
|
5
28
|
### Patch Changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@checkstack/backend",
|
|
3
|
-
"version": "0.4.
|
|
3
|
+
"version": "0.4.14",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"scripts": {
|
|
6
6
|
"dev": "bun --env-file=../../.env --watch src/index.ts",
|
|
@@ -12,11 +12,11 @@
|
|
|
12
12
|
"dependencies": {
|
|
13
13
|
"@checkstack/api-docs-common": "0.1.6",
|
|
14
14
|
"@checkstack/auth-common": "0.5.5",
|
|
15
|
-
"@checkstack/backend-api": "0.
|
|
15
|
+
"@checkstack/backend-api": "0.8.0",
|
|
16
16
|
"@checkstack/common": "0.6.2",
|
|
17
17
|
"@checkstack/drizzle-helper": "0.0.3",
|
|
18
|
-
"@checkstack/queue-api": "0.2.
|
|
19
|
-
"@checkstack/signal-backend": "0.1.
|
|
18
|
+
"@checkstack/queue-api": "0.2.5",
|
|
19
|
+
"@checkstack/signal-backend": "0.1.11",
|
|
20
20
|
"@checkstack/signal-common": "0.1.6",
|
|
21
21
|
"@hono/zod-validator": "^0.7.6",
|
|
22
22
|
"@orpc/client": "^1.13.2",
|
|
@@ -37,6 +37,6 @@
|
|
|
37
37
|
"@types/bun": "latest",
|
|
38
38
|
"@checkstack/tsconfig": "0.0.3",
|
|
39
39
|
"@checkstack/scripts": "0.1.1",
|
|
40
|
-
"@checkstack/test-utils-backend": "0.1.
|
|
40
|
+
"@checkstack/test-utils-backend": "0.1.11"
|
|
41
41
|
}
|
|
42
42
|
}
|
package/src/index.ts
CHANGED
|
@@ -60,6 +60,15 @@ app.use(
|
|
|
60
60
|
);
|
|
61
61
|
app.use("*", logger());
|
|
62
62
|
|
|
63
|
+
// SECURITY: Add missing standard security headers across all API responses
|
|
64
|
+
app.use("/api/*", async (c, next) => {
|
|
65
|
+
await next();
|
|
66
|
+
c.res.headers.set("X-Content-Type-Options", "nosniff");
|
|
67
|
+
c.res.headers.set("X-Frame-Options", "DENY");
|
|
68
|
+
c.res.headers.set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'");
|
|
69
|
+
c.res.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
|
|
70
|
+
});
|
|
71
|
+
|
|
63
72
|
// Runtime config endpoint - returns BASE_URL for frontend
|
|
64
73
|
app.get("/api/config", (c) => {
|
|
65
74
|
const baseUrl = process.env.BASE_URL || "http://localhost:3000";
|
|
@@ -176,9 +176,12 @@ export function registerCoreServices({
|
|
|
176
176
|
});
|
|
177
177
|
const authClient = rpcClient.forPlugin(AuthApi);
|
|
178
178
|
return await authClient.checkResourceTeamAccess(params);
|
|
179
|
-
} catch {
|
|
180
|
-
//
|
|
181
|
-
|
|
179
|
+
} catch (error) {
|
|
180
|
+
// SECURITY: Fail-Closed — deny access when auth service is unavailable
|
|
181
|
+
rootLogger.error(
|
|
182
|
+
`[auth] checkResourceTeamAccess: S2S call failed for resource ${params.resourceType}:${params.resourceId}. Denying access (Fail-Closed). Error: ${error}`,
|
|
183
|
+
);
|
|
184
|
+
return { hasAccess: false };
|
|
182
185
|
}
|
|
183
186
|
},
|
|
184
187
|
|
|
@@ -189,9 +192,12 @@ export function registerCoreServices({
|
|
|
189
192
|
});
|
|
190
193
|
const authClient = rpcClient.forPlugin(AuthApi);
|
|
191
194
|
return await authClient.getAccessibleResourceIds(params);
|
|
192
|
-
} catch {
|
|
193
|
-
//
|
|
194
|
-
|
|
195
|
+
} catch (error) {
|
|
196
|
+
// SECURITY: Fail-Closed — return empty set when auth service is unavailable
|
|
197
|
+
rootLogger.error(
|
|
198
|
+
`[auth] getAccessibleResourceIds: S2S call failed for resource type ${params.resourceType}. Denying access (Fail-Closed). Error: ${error}`,
|
|
199
|
+
);
|
|
200
|
+
return [];
|
|
195
201
|
}
|
|
196
202
|
},
|
|
197
203
|
};
|