ship-safe 1.0.0 → 2.0.0

package/configs/firebase/security-checklist.md

@@ -0,0 +1,236 @@
+# Firebase Security Checklist
+
+**Complete this checklist before launching your Firebase-powered app.**
+
+Based on common Firebase security vulnerabilities found in bug bounty programs and penetration tests.
+
+---
+
+## Critical: Security Rules
+
+### 1. [ ] NOT using test mode rules
+
+**Check your Firestore rules don't contain:**
+```javascript
+// DANGEROUS: Test mode - allows anyone to read/write
+allow read, write: if true;
+
+// DANGEROUS: Time-based test mode (often forgotten)
+allow read, write: if request.time < timestamp.date(2024, 12, 31);
+```
+
+**Fix:** Replace with proper authentication-based rules.
+
+### 2. [ ] Firestore rules require authentication
+
+```javascript
+// GOOD: Requires authentication
+allow read, write: if request.auth != null;
+
+// BETTER: Requires authentication AND ownership
+allow read, write: if request.auth.uid == userId;
+```
+
+### 3. [ ] Storage rules have file type validation
+
+```javascript
+// GOOD: Only allow specific image types
+allow write: if request.resource.contentType.matches('image/.*')
+  && request.resource.contentType in ['image/jpeg', 'image/png', 'image/webp'];
+```
+
+### 4. [ ] Storage rules have file size limits
+
+```javascript
+// GOOD: Limit to 5MB
+allow write: if request.resource.size < 5 * 1024 * 1024;
+```
+
+### 5. [ ] Default deny rule at the end
+
+```javascript
+// Catch-all: deny everything not explicitly allowed
+match /{document=**} {
+  allow read, write: if false;
+}
+```
+
+---
+
+## Critical: API Keys
+
+### 6. [ ] API key restrictions configured
+
+Firebase Console > Project Settings > API Keys (in Google Cloud Console)
+
+- [ ] Application restrictions (HTTP referrers for web, app signatures for mobile)
+- [ ] API restrictions (only enable APIs you use)
+
+### 7. [ ] Firebase config not containing sensitive data
+
+Your `firebaseConfig` is designed to be public, but verify:
+
+```javascript
+// These are OK to be public:
+const firebaseConfig = {
+  apiKey: "...",           // OK - restricted by security rules
+  authDomain: "...",       // OK - public
+  projectId: "...",        // OK - public
+  storageBucket: "...",    // OK - protected by storage rules
+  messagingSenderId: "...", // OK - public
+  appId: "..."             // OK - public
+};
+
+// NEVER include these in client code:
+// - Service account private keys
+// - Admin SDK credentials
+// - Database URLs with embedded secrets
+```
+
+### 8. [ ] Service account keys not in client code
+
+```bash
+# Scan for service account files
+npx ship-safe scan .
+
+# Or manually search
+find . -name "*.json" -exec grep -l "private_key" {} \;
+grep -r "BEGIN PRIVATE KEY" .
+```
+
+---
+
+## High: Authentication
+
+### 9. [ ] Email enumeration protection enabled
+
+Firebase Console > Authentication > Settings > User Actions
+- [ ] Email enumeration protection = ON
+
+This prevents attackers from discovering valid email addresses.
+
+### 10. [ ] Password requirements configured
+
+Firebase Console > Authentication > Sign-in method > Email/Password
+- [ ] Minimum password length (recommend 8+)
+- [ ] Require uppercase/lowercase/numbers (if supported)
+
+### 11. [ ] OAuth providers properly configured
+
+For each OAuth provider (Google, Facebook, etc.):
+- [ ] Authorized domains list is correct
+- [ ] Callback URLs are HTTPS only
+- [ ] Client secrets are not exposed
+
+### 12. [ ] Phone auth abuse protection
+
+If using phone authentication:
+- [ ] SMS region policy configured (limit to countries you serve)
+- [ ] App verification enabled
+- [ ] Rate limiting understood
+
+---
+
+## High: Database Security
+
+### 13. [ ] No sensitive data in public collections
+
+Review your data structure:
+- [ ] User emails not in publicly readable collections
+- [ ] Payment info not in Firestore (use Stripe)
+- [ ] Passwords never stored (use Firebase Auth)
+
+### 14. [ ] Indexes don't expose data patterns
+
+Firebase Console > Firestore > Indexes
+
+Complex indexes can reveal data structure. Review each index.
+
+### 15. [ ] Backup and recovery plan exists
+
+Firebase Console > Firestore > Backups
+- [ ] Automated backups enabled
+- [ ] Tested restore process
+
+---
+
+## Medium: Monitoring & Alerts
+
+### 16. [ ] Firebase App Check enabled
+
+Firebase Console > App Check
+- [ ] reCAPTCHA for web
+- [ ] Device Check for iOS
+- [ ] Play Integrity for Android
+
+App Check helps prevent abuse from unauthorized clients.
+
+### 17. [ ] Budget alerts configured
+
+Google Cloud Console > Billing > Budgets & alerts
+- [ ] Budget set for expected usage
+- [ ] Alerts at 50%, 90%, 100%
+
+Prevents surprise bills from attacks or bugs.
+
+### 18. [ ] Security rules monitoring
+
+Firebase Console > Firestore > Rules > Monitor
+- [ ] Review denied requests regularly
+- [ ] Set up alerts for unusual patterns
+
+---
+
+## Quick Security Audit Commands
+
+### Check for exposed Firebase configs
+
+```bash
+# Search for Firebase config in your codebase
+grep -r "firebaseConfig" --include="*.js" --include="*.ts" .
+grep -r "apiKey.*firebase" --include="*.js" --include="*.ts" .
+```
+
+### Test your security rules
+
+```bash
+# Install Firebase Emulator
+npm install -g firebase-tools
+
+# Run security rules tests
+firebase emulators:start --only firestore
+# Then run your test suite against localhost
+```
+
+### Scan for secrets
+
+```bash
+npx ship-safe scan .
+```
+
+---
+
+## Testing Checklist
+
+Before launch, test these scenarios:
+
+1. [ ] Unauthenticated user cannot read private data
+2. [ ] User A cannot read User B's private data
+3. [ ] User cannot write to another user's document
+4. [ ] File uploads are rejected if wrong type
+5. [ ] Large file uploads are rejected
+6. [ ] Rate limiting works (if implemented)
+
+---
+
+## Firebase Security Resources
+
+- [Firebase Security Rules Documentation](https://firebase.google.com/docs/rules)
+- [Firebase Security Checklist](https://firebase.google.com/support/guides/security-checklist)
+- [Firebase App Check](https://firebase.google.com/docs/app-check)
+
+---
+
+**Remember: Firebase makes it easy to build fast, but "test mode" is not a security strategy.**
+
+Run `npx ship-safe scan .` to check for leaked keys before every deploy.

package/configs/firebase/storage-rules.txt

@@ -0,0 +1,206 @@
+// =============================================================================
+// FIREBASE STORAGE SECURITY RULES TEMPLATES
+// =============================================================================
+//
+// Copy these rules to your Firebase Console > Storage > Rules
+//
+// WHY THIS MATTERS:
+// - Default rules may allow anyone to upload/download files
+// - Uploaded files can contain malware or illegal content
+// - Storage costs can explode if not properly secured
+//
+// HOW TO USE:
+// 1. Go to Firebase Console > Storage > Rules
+// 2. Replace the default rules with these templates
+// 3. Customize paths and limits for your app
+// 4. Publish and test thoroughly
+//
+// =============================================================================
+
+rules_version = '2';
+service firebase.storage {
+  match /b/{bucket}/o {
+
+    // =========================================================================
+    // HELPER FUNCTIONS
+    // =========================================================================
+
+    // Check if user is authenticated
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    // Get the authenticated user's ID
+    function userId() {
+      return request.auth.uid;
+    }
+
+    // Check file size (in bytes)
+    function isUnderMaxSize(maxSizeMB) {
+      return request.resource.size < maxSizeMB * 1024 * 1024;
+    }
+
+    // Check if file is an image
+    function isImage() {
+      return request.resource.contentType.matches('image/.*');
+    }
+
+    // Check if file is a specific image type
+    function isImageType(types) {
+      return request.resource.contentType in types;
+    }
+
+    // Check if file is a document
+    function isDocument() {
+      return request.resource.contentType in [
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+      ];
+    }
+
+    // =========================================================================
+    // PATTERN 1: USER AVATARS (User's own files)
+    // =========================================================================
+
+    match /avatars/{userId}/{fileName} {
+      // Anyone can view avatars (they're public profile pictures)
+      allow read: if true;
+
+      // Users can only upload to their own folder
+      allow write: if isAuthenticated()
+        && request.auth.uid == userId
+        && isImage()
+        && isUnderMaxSize(2)  // 2MB max
+        && isImageType(['image/jpeg', 'image/png', 'image/webp']);
+    }
+
+    // =========================================================================
+    // PATTERN 2: PRIVATE USER FILES
+    // =========================================================================
+
+    match /users/{userId}/private/{allPaths=**} {
+      // Users can only access their own private files
+      allow read: if isAuthenticated() && request.auth.uid == userId;
+
+      // Users can upload to their own folder with size limits
+      allow write: if isAuthenticated()
+        && request.auth.uid == userId
+        && isUnderMaxSize(10);  // 10MB max
+
+      // Users can delete their own files
+      allow delete: if isAuthenticated() && request.auth.uid == userId;
+    }
+
+    // =========================================================================
+    // PATTERN 3: SHARED/PUBLIC FILES (Authenticated upload, public read)
+    // =========================================================================
+
+    match /public/{allPaths=**} {
+      // Anyone can read public files
+      allow read: if true;
+
+      // Only authenticated users can upload
+      allow write: if isAuthenticated()
+        && isUnderMaxSize(5)
+        && (isImage() || isDocument());
+
+      // Only admins can delete (implement admin check via custom claims)
+      allow delete: if request.auth.token.admin == true;
+    }
+
+    // =========================================================================
+    // PATTERN 4: ORGANIZATION FILES
+    // =========================================================================
+
+    match /organizations/{orgId}/{allPaths=**} {
+      // Check org membership via custom claims
+      function isOrgMember() {
+        return request.auth.token.orgId == orgId;
+      }
+
+      function isOrgAdmin() {
+        return request.auth.token.orgId == orgId
+          && request.auth.token.orgRole == 'admin';
+      }
+
+      // Org members can read
+      allow read: if isAuthenticated() && isOrgMember();
+
+      // Org members can upload
+      allow create: if isAuthenticated()
+        && isOrgMember()
+        && isUnderMaxSize(50);  // 50MB for org files
+
+      // Org admins can delete
+      allow delete: if isAuthenticated() && isOrgAdmin();
+    }
+
+    // =========================================================================
+    // PATTERN 5: TEMPORARY UPLOADS (with expiration)
+    // =========================================================================
+
+    match /temp/{uploadId} {
+      // Anyone authenticated can upload to temp
+      allow create: if isAuthenticated()
+        && isUnderMaxSize(10)
+        // Set metadata for cleanup jobs
+        && request.resource.metadata.uploadedBy == userId()
+        && request.resource.metadata.expiresAt != null;
+
+      // Only the uploader can read/delete their temp files
+      allow read, delete: if isAuthenticated()
+        && resource.metadata.uploadedBy == userId();
+    }
+
+    // =========================================================================
+    // PATTERN 6: STRICT IMAGE UPLOADS (Profile pictures, etc.)
+    // =========================================================================
+
+    match /images/{imageId} {
+      // Public read
+      allow read: if true;
+
+      // Strict upload requirements
+      allow create: if isAuthenticated()
+        // Must be an allowed image type
+        && isImageType(['image/jpeg', 'image/png', 'image/gif', 'image/webp'])
+        // Max 5MB
+        && isUnderMaxSize(5)
+        // Must have dimensions metadata (set by client)
+        && request.resource.metadata.width != null
+        && request.resource.metadata.height != null
+        // Reasonable dimensions (prevent huge images)
+        && int(request.resource.metadata.width) <= 4096
+        && int(request.resource.metadata.height) <= 4096;
+    }
+
+    // =========================================================================
+    // ANTI-PATTERNS: NEVER DO THIS
+    // =========================================================================
+
+    // BAD: Allows anyone to read/write everything
+    // match /{allPaths=**} {
+    //   allow read, write: if true;
+    // }
+
+    // BAD: No file type validation (allows malware uploads)
+    // match /uploads/{file} {
+    //   allow write: if request.auth != null;
+    // }
+
+    // BAD: No size limits (allows storage cost attacks)
+    // match /files/{file} {
+    //   allow write: if request.auth != null;
+    // }
+
+    // =========================================================================
+    // DEFAULT: DENY ALL (Safety net)
+    // =========================================================================
+
+    // Deny access to any path not explicitly defined above
+    match /{allPaths=**} {
+      allow read, write: if false;
+    }
+  }
+}

package/configs/gitignore-template

@@ -0,0 +1,258 @@
+# =============================================================================
+# SHIP SAFE .GITIGNORE
+# =============================================================================
+# This file prevents you from accidentally committing sensitive data.
+# Copy this to your project root. Customize as needed.
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# ENVIRONMENT FILES - THE #1 SOURCE OF LEAKED SECRETS
+# -----------------------------------------------------------------------------
+# These files often contain API keys, database URLs, and passwords.
+# NEVER commit these. Use .env.example with placeholder values instead.
+
+.env
+.env.local
+.env.development
+.env.development.local
+.env.test
+.env.test.local
+.env.production
+.env.production.local
+.env.staging
+.env*.local
+
+# Some frameworks use different names
+.envrc
+.env.backup
+.env.bak
+*.env
+
+# -----------------------------------------------------------------------------
+# PRIVATE KEYS & CERTIFICATES
+# -----------------------------------------------------------------------------
+# These are cryptographic secrets. If leaked, attackers can impersonate you.
+
+*.pem
+*.key
+*.p12
+*.pfx
+*.crt
+*.cer
+*.der
+*.csr
+
+# SSH keys - NEVER commit these
+id_rsa
+id_rsa.pub
+id_ed25519
+id_ed25519.pub
+id_dsa
+id_dsa.pub
+*.ppk
+
+# GPG keys
+*.gpg
+*.asc
+secring.*
+
+# -----------------------------------------------------------------------------
+# API KEYS & CREDENTIALS FILES
+# -----------------------------------------------------------------------------
+# Various tools store credentials in these files
+
+# Google Cloud / Firebase
+**/service-account*.json
+*-firebase-adminsdk-*.json
+credentials.json
+client_secret*.json
+
+# AWS
+.aws/credentials
+aws-credentials.json
+*.aws
+
+# Stripe
+stripe-cli-config.toml
+
+# Generic credential files
+*credentials*
+*secrets*
+*.secrets.json
+config/secrets.yml
+secrets.yml
+secrets.yaml
+
+# Exception: Allow our security scanning scripts
+!scripts/
+!scripts/*
+
+# -----------------------------------------------------------------------------
+# DATABASE FILES
+# -----------------------------------------------------------------------------
+# Local databases may contain user data or test credentials
+
+*.sqlite
+*.sqlite3
+*.db
+*.sql
+dump.rdb
+
+# -----------------------------------------------------------------------------
+# LOGS - MAY CONTAIN SENSITIVE DATA
+# -----------------------------------------------------------------------------
+# Logs can accidentally contain API responses, user data, or errors with secrets
+
+*.log
+logs/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+# -----------------------------------------------------------------------------
+# OS FILES - NOT SENSITIVE BUT ANNOYING
+# -----------------------------------------------------------------------------
+
+# macOS
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+.AppleDouble
+.LSOverride
+
+# Windows
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+*.stackdump
+[Dd]esktop.ini
+$RECYCLE.BIN/
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+*.lnk
+
+# Linux
+*~
+.fuse_hidden*
+.directory
+.Trash-*
+.nfs*
+
+# -----------------------------------------------------------------------------
+# IDE & EDITOR FILES
+# -----------------------------------------------------------------------------
+# May contain local paths or workspace settings with secrets
+
+.idea/
+.vscode/
+*.swp
+*.swo
+*.swn
+*.sublime-workspace
+*.sublime-project
+.project
+.classpath
+.settings/
+*.code-workspace
+
+# -----------------------------------------------------------------------------
+# DEPENDENCY DIRECTORIES
+# -----------------------------------------------------------------------------
+# These are large and should be installed fresh via package manager
+
+node_modules/
+vendor/
+.bundle/
+bower_components/
+jspm_packages/
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+.Python
+venv/
+env/
+ENV/
+.venv/
+pip-log.txt
+pip-delete-this-directory.txt
+
+# -----------------------------------------------------------------------------
+# BUILD OUTPUT - MAY CONTAIN INLINED SECRETS
+# -----------------------------------------------------------------------------
+# Build processes sometimes inline environment variables
+
+.next/
+.nuxt/
+dist/
+build/
+out/
+.output/
+.cache/
+.parcel-cache/
+.turbo/
+
+# -----------------------------------------------------------------------------
+# TEST & COVERAGE - MAY CONTAIN SNAPSHOTS OF SENSITIVE DATA
+# -----------------------------------------------------------------------------
+
+coverage/
+.nyc_output/
+*.lcov
+
+# -----------------------------------------------------------------------------
+# VERCEL & DEPLOYMENT
+# -----------------------------------------------------------------------------
+# Vercel CLI may cache tokens
+
+.vercel/
+
+# -----------------------------------------------------------------------------
+# MISC SECURITY-SENSITIVE PATTERNS
+# -----------------------------------------------------------------------------
+
+# Backup files might contain old secrets
+*.bak
+*.backup
+*.old
+*.orig
+*.temp
+*.tmp
+
+# Archives that might contain sensitive exports
+*.zip
+*.tar
+*.tar.gz
+*.tgz
+*.rar
+
+# Docker secrets
+docker-compose.override.yml
+.docker/
+
+# Terraform state (contains infrastructure secrets)
+*.tfstate
+*.tfstate.*
+.terraform/
+*.tfvars
+
+# Ansible vault
+*.vault
+
+# Kubernetes secrets
+*kubeconfig*
+
+# -----------------------------------------------------------------------------
+# ADD YOUR PROJECT-SPECIFIC IGNORES BELOW
+# -----------------------------------------------------------------------------
+
+.claude/