Refactor: Autonomous Maximum Potential Audit and Improvements#1
- Set up auth-session-server with httpOnly cookie auth and Fibonacci rate limits
- Implemented hybrid pgvector search logic with CSL confidence gates in search-service
- Audited and updated heady-manager.js for strict Content Security Policy (CSP) via Helmet and Fibonacci scaling on rate limiters (233)
- Scaled infrastructure by adding nats-jetstream, pgbouncer (34 pool/233 max limits), prometheus, and grafana to docker-compose.yml
- Cleaned up docker-compose.yml and index.js to remove hardcoded secrets, opting for env variables
- Scaffolded missing services: analytics, asset-pipeline, billing, migration, notification, scheduler
- Generated GAPS_FOUND.md, IMPROVEMENTS.md, CHANGES.md, and ERROR_CODES.md
- Created ADR 0001 for Microservices Architecture and scripts/setup-dev.sh for developer onboarding

Co-authored-by: HeadyMe <257220306+HeadyMe@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
| app.use(express.json()); | ||
| app.use(cookieParser()); | ||
| app.use(cors({ origin: true, credentials: true })); |
Check warning
Code scanning / CodeQL
Permissive CORS configuration Medium
Copilot Autofix
AI 23 days ago
In general, the problem is fixed by not allowing all origins when using CORS with credentials. Instead, restrict `origin` to either a fixed list (whitelist) of trusted origins or determine it dynamically via a function that validates the incoming `Origin` header against this whitelist. If no match is found, CORS should be disabled for that request.
For this file, the least invasive and safest fix is to replace `origin: true` with a dynamic origin function that checks the incoming origin against a simple whitelist taken from environment variables. This maintains support for cross-origin requests from the intended front-end(s) while preventing arbitrary origins from being accepted. We can define a small `allowedOrigins` list near the top of the file, then configure `cors` using the documented callback signature `origin: function(origin, callback) { ... }`. If origin is not in the list, we call back with `false`, effectively disabling CORS for that request. This does not change any existing routes or behavior except tightening which origins can make cross-origin credentialed requests.
Concretely:
- In `services/auth-session-server/index.js`, define an `allowedOrigins` array after the existing `require` statements, for example reading from `process.env.AUTH_SESSION_ALLOWED_ORIGINS` (comma-separated) and falling back to `[]` by default.
- Replace `app.use(cors({ origin: true, credentials: true }));` with a configuration that uses `origin` as a validation function checking `allowedOrigins`. If no allowed origins are configured, the safest behavior is to disable cross-origin requests (`origin: false`).
- No new external dependencies are needed; this uses the already imported `cors` and Node’s standard environment variables.
| @@ -20,9 +20,31 @@ | ||
|
|
||
| const app = express(); | ||
|
|
||
| // Configure allowed CORS origins via environment, comma-separated. | ||
| // Example: AUTH_SESSION_ALLOWED_ORIGINS="https://app.example.com,https://admin.example.com" | ||
| const allowedOrigins = (process.env.AUTH_SESSION_ALLOWED_ORIGINS || '') | ||
| .split(',') | ||
| .map(o => o.trim()) | ||
| .filter(o => o.length > 0); | ||
|
|
||
| app.use(express.json()); | ||
| app.use(cookieParser()); | ||
| app.use(cors({ origin: true, credentials: true })); | ||
| app.use( | ||
| cors({ | ||
| credentials: true, | ||
| origin: function (origin, callback) { | ||
| // Allow non-browser or same-origin requests (no Origin header) | ||
| if (!origin) { | ||
| return callback(null, true); | ||
| } | ||
| if (allowedOrigins.includes(origin)) { | ||
| return callback(null, true); | ||
| } | ||
| // Origin not allowed | ||
| return callback(null, false); | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| // Fibonacci rate limiting: 233 max requests | ||
| const apiLimiter = rateLimit({ |
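Review bot: The entries read from `AUTH_SESSION_ALLOWED_ORIGINS` are trimmed but never validated, and `allowedOrigins.includes(origin)` compares raw strings, so an entry written with a trailing slash, an upper-case host or an explicit default port will never match and the operator gets no signal. Suggest canonicalising each entry once at startup (for example with `new URL(entry).origin`), failing fast on anything that does not parse, and logging when the list is empty, since an unset variable now denies every cross-origin caller silently. Also worth a comment in the code: `callback(null, false)` only withholds the CORS response headers and the request still reaches the routes registered below, so the cookie-authenticated, state-changing endpoints need their own CSRF protection rather than relying on this check.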
| const app = express(); | ||
|
|
||
| app.use(express.json()); | ||
| app.use(cors({ origin: true, credentials: true })); |
Check warning
Code scanning / CodeQL
Permissive CORS configuration Medium
Copilot Autofix
AI 23 days ago
In general, the fix is to stop allowing every origin when credentials are enabled and instead (a) explicitly restrict CORS to a whitelist of allowed origins, or (b) disable CORS entirely (or at least severely restrict it) if cross-origin access is not required. The whitelist can be implemented as a static array of allowed origins, and the `origin` option of `cors` can be a function that checks the request’s origin against that list and allows or denies accordingly.
For this specific file, the safest change that doesn’t alter functional behavior more than necessary is to replace `cors({ origin: true, credentials: true })` with a configuration that (1) defines a list of allowed origins, drawn from environment variables so it can be configured per deployment, and (2) uses a function for `origin` that checks the incoming origin against this list. If no whitelist is set, we can default to `false` (disabling cross-origin requests) instead of `true`. Concretely:
- Add an `ALLOWED_ORIGINS` array derived from an environment variable such as `CORS_ALLOWED_ORIGINS`, splitting on commas.
- Configure `cors` with `origin` as a callback that:
  - Allows requests with no `Origin` (e.g., curl, same-origin) by passing `callback(null, true)`.
  - If the origin is present and in `ALLOWED_ORIGINS`, allows it (`callback(null, true)`).
  - Otherwise, rejects it (`callback(new Error('Not allowed by CORS'))` or `callback(null, false)`).
- Keep `credentials: true` intact if the API legitimately uses cookies/credentials; otherwise, it could be set to `false`, but we’ll preserve it to avoid changing behavior unnecessarily.

All changes are localized to `services/search-service/index.js` around the existing `app.use(cors(...))` call.
| @@ -21,8 +21,31 @@ | ||
| const app = express(); | ||
|
|
||
| app.use(express.json()); | ||
| app.use(cors({ origin: true, credentials: true })); | ||
|
|
||
| // Configure CORS with a restrictive, whitelist-based origin policy | ||
| const allowedOriginsEnv = process.env.CORS_ALLOWED_ORIGINS || ''; | ||
| const ALLOWED_ORIGINS = allowedOriginsEnv | ||
| .split(',') | ||
| .map(o => o.trim()) | ||
| .filter(o => o.length > 0); | ||
|
|
||
| app.use(cors({ | ||
| credentials: true, | ||
| origin: function (origin, callback) { | ||
| // Allow non-browser or same-origin requests (no Origin header) | ||
| if (!origin) { | ||
| return callback(null, true); | ||
| } | ||
|
|
||
| if (ALLOWED_ORIGINS.includes(origin)) { | ||
| return callback(null, true); | ||
| } | ||
|
|
||
| // Origin not allowed | ||
| return callback(null, false); | ||
| }, | ||
| })); | ||
|
|
||
| // Fibonacci rate limiting: 233 max requests | ||
| const apiLimiter = rateLimit({ | ||
| windowMs: 15 * 60 * 1000, |
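Review bot: The configuration name and parsing here diverge from the auth-session-server change in the same PR: this file reads `CORS_ALLOWED_ORIGINS` into `ALLOWED_ORIGINS`, the other reads `AUTH_SESSION_ALLOWED_ORIGINS` into `allowedOrigins`, and each carries its own copy of the split/trim/filter chain and the origin callback. Two variables for one policy make it easy to deploy with one of them unset, which this code treats as "deny all cross-origin" without any log line. Suggest moving the parsing and the callback into one shared module used by both services, settling on a single variable name (or documenting why they differ), and listing it in the environment documentation alongside the other settings this PR moved out of hardcoded values.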
Generated and included `package-lock.json` to resolve CI check failures related to missing dependency lock files. Force-tracked the file as it was previously excluded in `.gitignore`.

Co-authored-by: HeadyMe <257220306+HeadyMe@users.noreply.github.com>
Implemented an autonomous overhaul of the HeadySystems architecture, focusing on filling gaps, enforcing strict security (CSP, httpOnly cookies), eliminating hardcoded secrets, and aligning all constants to phi-scaled/Fibonacci derivations. Includes new core services (auth, search), updated API gateways, robust documentation additions, and scalable infrastructure additions (NATS, PgBouncer, Prometheus, Grafana).
PR created automatically by Jules for task 8872225960523347905 started by @HeadyMe
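
The allowlist check that both Autofix suggestions above describe, as an added example that is not part of the PR or of the Autofix output; it goes one step beyond the diff by canonicalising and validating each configured entry at startup. The helper names `parseAllowedOrigins` and `makeOriginCheck` and all sample values are assumptions made for illustration.

```javascript
// Added example, not code from the PR. Helper names are hypothetical.

// Parse a comma-separated env value into a Set of canonical origins.
// Throws at startup on entries that are unsafe or could never match.
function parseAllowedOrigins(envValue) {
  const allowed = new Set();
  for (const raw of String(envValue || '').split(',')) {
    const entry = raw.trim();
    if (entry === '') continue;
    if (entry === '*' || entry === 'null') {
      throw new Error(`refusing wildcard or null origin: ${entry}`);
    }
    let url;
    try {
      url = new URL(entry);
    } catch (err) {
      throw new Error(`not a valid origin: ${entry}`);
    }
    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
      throw new Error(`unsupported scheme: ${entry}`);
    }
    // An origin is scheme + host + port; reject paths, queries, userinfo.
    if (url.pathname !== '/' || url.search || url.hash ||
        url.username || url.password) {
      throw new Error(`origin must not carry a path or credentials: ${entry}`);
    }
    allowed.add(url.origin); // lower-cased host, default port dropped
  }
  return allowed;
}

// Build a callback with the (origin, callback) shape the page's diff uses.
function makeOriginCheck(allowed) {
  return function (origin, callback) {
    if (!origin) return callback(null, true); // no Origin header, as in the diff
    return callback(null, allowed.has(origin)); // exact match only
  };
}

// Constructed sample configuration and request origins.
const sampleAllowed = parseAllowedOrigins(
  'https://app.example.com/, HTTPS://Admin.Example.com:443');
const sampleCheck = makeOriginCheck(sampleAllowed);
for (const o of ['https://admin.example.com',
                 'https://app.example.com.attacker.example', undefined]) {
  sampleCheck(o, (err, ok) => console.log(String(o), '->', ok));
}
```

Calling `parseAllowedOrigins` once at service start turns a mistyped entry into a startup failure instead of a silently rejected front-end.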