@ratim818/allyve-wellness-backend 1.0.0

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@ratim818/allyve-wellness-backend",
+  "version": "1.0.0",
+  "description": "HIPAA-compliant backend for Allyve Wellness AI — Maternal Health Monitoring Platform",
+  "type": "module",
+  "scripts": {
+    "dev": "tsx watch src/server.ts",
+    "build": "tsc",
+    "start": "node dist/server.js",
+    "migrate": "tsx src/migrations/run.ts",
+    "migrate:down": "tsx src/migrations/rollback.ts",
+    "seed": "tsx src/migrations/seed.ts",
+    "test": "vitest",
+    "lint": "eslint src/"
+  },
+  "dependencies": {
+    "express": "^4.21.0",
+    "cors": "^2.8.5",
+    "helmet": "^7.1.0",
+    "compression": "^1.7.4",
+    "express-rate-limit": "^7.4.0",
+    "pg": "^8.13.0",
+    "knex": "^3.1.0",
+    "bcryptjs": "^2.4.3",
+    "jsonwebtoken": "^9.0.2",
+    "uuid": "^10.0.0",
+    "zod": "^3.23.8",
+    "dotenv": "^16.4.5",
+    "winston": "^3.14.2",
+    "crypto-js": "^4.2.0",
+    "express-validator": "^7.2.0",
+    "cookie-parser": "^1.4.6",
+    "hpp": "^0.2.3",
+    "express-session": "^1.18.0",
+    "connect-pg-simple": "^9.0.1",
+    "cron": "^3.1.7"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.4",
+    "tsx": "^4.19.0",
+    "@types/express": "^4.17.21",
+    "@types/cors": "^2.8.17",
+    "@types/bcryptjs": "^2.4.6",
+    "@types/jsonwebtoken": "^9.0.6",
+    "@types/uuid": "^10.0.0",
+    "@types/compression": "^1.7.5",
+    "@types/cookie-parser": "^1.4.7",
+    "@types/hpp": "^0.2.6",
+    "@types/pg": "^8.11.6",
+    "@types/express-session": "^1.18.0",
+    "@types/connect-pg-simple": "^7.0.3",
+    "@types/crypto-js": "^4.2.2",
+    "vitest": "^2.0.5",
+    "eslint": "^9.9.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ratim818/allyve-backend.git"
+  }
+}

package/src/config/database.ts

@@ -0,0 +1,45 @@
+import knex, { Knex } from "knex";
+import { config } from "../config/index.js";
+import { logger } from "../utils/logger.js";
+
+const knexConfig: Knex.Config = {
+  client: "pg",
+  connection: {
+    connectionString: config.db.url,
+    ssl: config.db.ssl ? { rejectUnauthorized: true } : false,
+  },
+  pool: {
+    min: config.db.poolMin,
+    max: config.db.poolMax,
+    // Destroy connections after 30 min idle (security best practice)
+    idleTimeoutMillis: 30000,
+  },
+  migrations: {
+    directory: "./src/migrations",
+    extension: "ts",
+  },
+  // Log slow queries (>1s) for performance monitoring
+  log: {
+    warn(msg: string) { logger.warn(`[DB] ${msg}`); },
+    error(msg: string) { logger.error(`[DB] ${msg}`); },
+    debug(msg: string) { if (config.env === "development") logger.debug(`[DB] ${msg}`); },
+    deprecate(msg: string) { logger.warn(`[DB DEPRECATE] ${msg}`); },
+  },
+};
+
+export const db: Knex = knex(knexConfig);
+
+export async function testConnection(): Promise<void> {
+  try {
+    await db.raw("SELECT 1");
+    logger.info("✅ Database connection established");
+  } catch (err) {
+    logger.error("❌ Database connection failed:", err);
+    throw err;
+  }
+}
+
+export async function closeConnection(): Promise<void> {
+  await db.destroy();
+  logger.info("Database connection closed");
+}

package/src/config/index.ts

@@ -0,0 +1,52 @@
+import dotenv from "dotenv";
+dotenv.config();
+
+function requireEnv(key: string): string {
+  const val = process.env[key];
+  if (!val) throw new Error(`Missing required env var: ${key}`);
+  return val;
+}
+
+function optionalEnv(key: string, fallback: string): string {
+  return process.env[key] || fallback;
+}
+
+export const config = {
+  env: optionalEnv("NODE_ENV", "development"),
+  port: parseInt(optionalEnv("PORT", "3001")),
+  apiVersion: optionalEnv("API_VERSION", "v1"),
+  corsOrigin: optionalEnv("CORS_ORIGIN", "http://localhost:5173"),
+
+  db: {
+    url: requireEnv("DATABASE_URL"),
+    ssl: optionalEnv("DATABASE_SSL", "false") === "true",
+    poolMin: parseInt(optionalEnv("DATABASE_POOL_MIN", "2")),
+    poolMax: parseInt(optionalEnv("DATABASE_POOL_MAX", "10")),
+  },
+
+  encryption: {
+    key: requireEnv("ENCRYPTION_KEY"),
+    ivLength: parseInt(optionalEnv("ENCRYPTION_IV_LENGTH", "16")),
+  },
+
+  jwt: {
+    secret: requireEnv("JWT_SECRET"),
+    expiresIn: optionalEnv("JWT_EXPIRES_IN", "15m"),
+    refreshExpiresIn: optionalEnv("JWT_REFRESH_EXPIRES_IN", "7d"),
+  },
+
+  session: {
+    secret: requireEnv("SESSION_SECRET"),
+    maxAge: parseInt(optionalEnv("SESSION_MAX_AGE", "900000")), // 15 min
+  },
+
+  audit: {
+    retentionDays: parseInt(optionalEnv("AUDIT_LOG_RETENTION_DAYS", "2190")), // 6 years HIPAA
+    logLevel: optionalEnv("AUDIT_LOG_LEVEL", "info"),
+  },
+
+  rateLimit: {
+    windowMs: parseInt(optionalEnv("RATE_LIMIT_WINDOW_MS", "900000")), // 15 min
+    maxRequests: parseInt(optionalEnv("RATE_LIMIT_MAX_REQUESTS", "100")),
+  },
+} as const;

package/src/middleware/auth.ts

@@ -0,0 +1,167 @@
+import { Request, Response, NextFunction } from "express";
+import jwt from "jsonwebtoken";
+import { config } from "../config/index.js";
+import { db } from "../config/database.js";
+import { writeAuditLog } from "../services/audit.js";
+import type { TokenPayload } from "../services/auth.js";
+
+// Extend Express Request to include authenticated user
+declare global {
+  namespace Express {
+    interface Request {
+      user?: TokenPayload;
+    }
+  }
+}
+
+/**
+ * Verify JWT and attach user to request.
+ * HIPAA §164.312(d) — Person or entity authentication
+ */
+export function authenticate(req: Request, res: Response, next: NextFunction) {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    res.status(401).json({ error: "Authentication required" });
+    return;
+  }
+
+  const token = authHeader.split(" ")[1];
+
+  try {
+    const decoded = jwt.verify(token, config.jwt.secret, {
+      issuer: "allyve-wellness",
+      audience: "allyve-frontend",
+    }) as TokenPayload;
+
+    req.user = decoded;
+    next();
+  } catch (err) {
+    if (err instanceof jwt.TokenExpiredError) {
+      res.status(401).json({ error: "Token expired", code: "TOKEN_EXPIRED" });
+      return;
+    }
+    res.status(401).json({ error: "Invalid token" });
+  }
+}
+
+/**
+ * Verify the session is still valid (not revoked or expired).
+ * HIPAA §164.312(a)(2)(iii) — Automatic logoff
+ */
+export async function validateSession(req: Request, res: Response, next: NextFunction) {
+  if (!req.user) {
+    res.status(401).json({ error: "Authentication required" });
+    return;
+  }
+
+  try {
+    const session = await db("sessions")
+      .where("id", req.user.sessionId)
+      .where("revoked", false)
+      .where("expires_at", ">", new Date())
+      .first();
+
+    if (!session) {
+      await writeAuditLog({
+        user_id: req.user.userId,
+        action: "SESSION_TIMEOUT",
+        resource_type: "session",
+        resource_id: req.user.sessionId,
+        ip_address: req.ip,
+        outcome: "denied",
+      });
+
+      res.status(401).json({ error: "Session expired or revoked", code: "SESSION_INVALID" });
+      return;
+    }
+
+    // Extend session on activity (sliding window)
+    await db("sessions")
+      .where("id", req.user.sessionId)
+      .update({ expires_at: new Date(Date.now() + config.session.maxAge) });
+
+    next();
+  } catch (err) {
+    res.status(500).json({ error: "Session validation failed" });
+  }
+}
+
+/**
+ * Role-based access control.
+ * HIPAA §164.312(a)(1) — Access control
+ */
+export function requireRole(...roles: string[]) {
+  return (req: Request, res: Response, next: NextFunction) => {
+    if (!req.user) {
+      res.status(401).json({ error: "Authentication required" });
+      return;
+    }
+
+    if (!roles.includes(req.user.role)) {
+      writeAuditLog({
+        user_id: req.user.userId,
+        action: "VIEW",
+        resource_type: "user",
+        ip_address: req.ip,
+        outcome: "denied",
+        details: { requiredRoles: roles, userRole: req.user.role },
+      });
+
+      res.status(403).json({ error: "Insufficient permissions" });
+      return;
+    }
+
+    next();
+  };
+}
+
+/**
+ * Ensure users can only access their own data.
+ * HIPAA §164.312(a)(1) — Access control (minimum necessary)
+ */
+export function requireOwnership(paramName: string = "userId") {
+  return (req: Request, res: Response, next: NextFunction) => {
+    if (!req.user) {
+      res.status(401).json({ error: "Authentication required" });
+      return;
+    }
+
+    const targetUserId = req.params[paramName];
+
+    // Admins and providers can access other users' data (with audit)
+    if (req.user.role === "admin" || req.user.role === "provider") {
+      if (targetUserId && targetUserId !== req.user.userId) {
+        writeAuditLog({
+          user_id: req.user.userId,
+          action: "VIEW",
+          resource_type: "user",
+          resource_id: targetUserId,
+          details: { accessType: "cross_user", role: req.user.role },
+          ip_address: req.ip,
+          outcome: "success",
+        });
+      }
+      next();
+      return;
+    }
+
+    // Patients can only access their own data
+    if (targetUserId && targetUserId !== req.user.userId) {
+      writeAuditLog({
+        user_id: req.user.userId,
+        action: "VIEW",
+        resource_type: "user",
+        resource_id: targetUserId,
+        ip_address: req.ip,
+        outcome: "denied",
+        details: { reason: "ownership_violation" },
+      });
+
+      res.status(403).json({ error: "Access denied" });
+      return;
+    }
+
+    next();
+  };
+}

package/src/middleware/security.ts

@@ -0,0 +1,101 @@
+import express, { Express, Request, Response, NextFunction } from "express";
+import helmet from "helmet";
+import cors from "cors";
+import compression from "compression";
+import rateLimit from "express-rate-limit";
+import hpp from "hpp";
+import cookieParser from "cookie-parser";
+import { config } from "../config/index.js";
+import { logger } from "../utils/logger.js";
+
+/**
+ * Apply all HIPAA-required security middleware.
+ * References: HIPAA §164.312(a-e) Technical Safeguards
+ */
+export function applySecurityMiddleware(app: Express): void {
+
+  // ── Helmet: HTTP security headers ─────────────────────
+  // §164.312(e)(1) — Transmission security
+  app.use(helmet({
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'"],
+        imgSrc: ["'self'", "data:", "blob:"],
+        connectSrc: ["'self'", config.corsOrigin],
+        frameSrc: ["'none'"],
+        objectSrc: ["'none'"],
+      },
+    },
+    hsts: {
+      maxAge: 31536000,          // 1 year
+      includeSubDomains: true,
+      preload: true,
+    },
+    referrerPolicy: { policy: "strict-origin-when-cross-origin" },
+    noSniff: true,
+    xssFilter: true,
+    frameguard: { action: "deny" },
+  }));
+
+  // ── CORS: restrict to known frontend origin ───────────
+  app.use(cors({
+    origin: config.corsOrigin,
+    credentials: true,
+    methods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
+    allowedHeaders: ["Content-Type", "Authorization"],
+    maxAge: 600, // Preflight cache: 10 min
+  }));
+
+  // ── Rate Limiting: prevent brute force ────────────────
+  // §164.312(a)(1) — Access control
+  const limiter = rateLimit({
+    windowMs: config.rateLimit.windowMs,
+    max: config.rateLimit.maxRequests,
+    message: { error: "Too many requests. Please try again later." },
+    standardHeaders: true,
+    legacyHeaders: false,
+    handler: (req, res) => {
+      logger.warn(`Rate limit exceeded: ${req.ip}`);
+      res.status(429).json({ error: "Too many requests. Please try again later." });
+    },
+  });
+  app.use(limiter);
+
+  // Stricter rate limit for auth endpoints
+  const authLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 10,                   // 10 login attempts per 15 min
+    message: { error: "Too many login attempts. Please try again later." },
+  });
+  app.use("/api/v1/auth/login", authLimiter);
+  app.use("/api/v1/auth/register", authLimiter);
+
+  // ── HTTP Parameter Pollution protection ────────────────
+  app.use(hpp());
+
+  // ── Cookie Parser ──────────────────────────────────────
+  app.use(cookieParser(config.session.secret));
+
+  // ── Compression ────────────────────────────────────────
+  app.use(compression());
+
+  // ── Body parsers with size limits ──────────────────────
+ app.use(express.json({ limit: "1mb" }));
+  app.use(express.urlencoded({ extended: false, limit: "1mb" }));
+
+  // ── Request logging (no PHI) ───────────────────────────
+  app.use((req: Request, _res: Response, next: NextFunction) => {
+    logger.info(`${req.method} ${req.path}`, {
+      ip: req.ip,
+      userAgent: req.get("user-agent")?.substring(0, 100),
+    });
+    next();
+  });
+
+  // ── Disable X-Powered-By ──────────────────────────────
+  app.disable("x-powered-by");
+
+  logger.info("✅ Security middleware applied");
+}

package/src/migrations/rollback.ts

@@ -0,0 +1,17 @@
+import { testConnection, closeConnection } from "../config/database.js";
+import { rollbackMigrations } from "./schema.js";
+import { logger } from "../utils/logger.js";
+
+async function main() {
+  try {
+    await testConnection();
+    await rollbackMigrations();
+  } catch (err) {
+    logger.error("Rollback failed:", err);
+    process.exit(1);
+  } finally {
+    await closeConnection();
+  }
+}
+
+main();

package/src/migrations/run.ts

@@ -0,0 +1,17 @@
+import { testConnection, closeConnection } from "../config/database.js";
+import { runMigrations } from "./schema.js";
+import { logger } from "../utils/logger.js";
+
+async function main() {
+  try {
+    await testConnection();
+    await runMigrations();
+  } catch (err) {
+    logger.error("Migration failed:", err);
+    process.exit(1);
+  } finally {
+    await closeConnection();
+  }
+}
+
+main();