🚀 Dev → Main: feat: implement comprehensive security features including input sanitization, rate limiting, and environment variable encryption

package.json

@@ -26,14 +26,19 @@
     "@prisma/client": "^6.11.1",
     "chromadb": "^1.8.1",
     "cors": "^2.8.5",
+    "crypto-js": "^4.2.0",
     "dotenv": "^17.1.0",
     "express": "^5.1.0",
+    "express-rate-limit": "^7.5.1",
+    "express-validator": "^7.2.1",
+    "helmet": "^8.1.0",
     "openai": "^4.68.4",
     "prisma": "^6.11.1",
     "zod": "^3.25.76"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",
+    "@types/crypto-js": "^4.2.2",
     "@types/express": "^5.0.3",
     "@types/node": "^24.0.12",
     "nodemon": "^3.1.10",

src/config/matching.config.ts

@@ -1,5 +1,6 @@
 import { ChromaClient } from 'chromadb';
 import OpenAI from 'openai';
+import { EnvironmentEncryption } from '../utils/encryption.utils';
 
 export interface MatchingConfig {
   chromaHost: string;
@@ -10,7 +11,9 @@ export interface MatchingConfig {
 export const getMatchingConfig = (): MatchingConfig => {
   const chromaHost = process.env.CHROMA_HOST || 'localhost';
   const chromaPort = parseInt(process.env.CHROMA_PORT || '8000');
-  const openaiApiKey = process.env.OPENAI_API_KEY;
+
+  // Use secure environment variable handling
+  const openaiApiKey = EnvironmentEncryption.getSecureEnvVar('OPENAI_API_KEY', false);
 
   if (!openaiApiKey) {
     throw new Error('OPENAI_API_KEY environment variable is required');

src/index.ts

@@ -7,14 +7,37 @@ import jobRoutes from './routes/job.routes';
 import applicationRoutes from './routes/application.routes';
 import matchingRoutes from './routes/matching.routes';
 
+// Security imports
+import { SecurityMiddleware } from './middlewares/security.middleware';
+import { RateLimitConfig } from './utils/rate-limit.utils';
+
 dotenv.config();
 
 const app = express();
 const PORT = process.env.PORT || 3000;
 
-app.use(cors());
-app.use(express.json());
-app.use(express.urlencoded({ extended: true }));
+// Security middleware
+app.use(SecurityMiddleware.helmet());
+app.use(SecurityMiddleware.securityHeaders());
+app.use(SecurityMiddleware.securityLogger());
+app.use(SecurityMiddleware.requestSizeLimiter());
+
+// Rate limiting
+app.use(RateLimitConfig.general());
+
+// CORS configuration
+app.use(cors({
+  origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000'],
+  credentials: true,
+  optionsSuccessStatus: 200
+}));
+
+// Body parsing with security
+app.use(express.json({ limit: '10mb' }));
+app.use(express.urlencoded({ extended: true, limit: '10mb' }));
+
+// Request sanitization
+app.use(SecurityMiddleware.sanitizeRequest());
 
 app.get('/', (req, res) => {
   res.json({
@@ -32,11 +55,11 @@ app.get('/health', (req, res) => {
   });
 });
 
-app.use('/api/candidates', candidateRoutes);
-app.use('/api/jobs', jobRoutes);
-app.use('/api/applications', applicationRoutes);
-app.use('/api/matching', matchingRoutes);
-app.use('/api/matching', matchingRoutes);
+// API routes with specific rate limits
+app.use('/api/candidates', RateLimitConfig.dataModification(), candidateRoutes);
+app.use('/api/jobs', RateLimitConfig.dataModification(), jobRoutes);
+app.use('/api/applications', RateLimitConfig.dataModification(), applicationRoutes);
+app.use('/api/matching', RateLimitConfig.aiMatching(), matchingRoutes);
 
 app.listen(PORT, () => {
   console.log(`Server is running on port ${PORT}`);

src/middlewares/enhanced-validation.middleware.ts

@@ -0,0 +1,140 @@
+import { Request, Response, NextFunction } from 'express';
+import { body, param } from 'express-validator';
+import { SecurityMiddleware } from './security.middleware';
+import { InputSanitizer } from '../utils/sanitization.utils';
+
+/**
+ * Enhanced validation middleware for specific endpoints
+ * Provides additional security validation for sensitive operations
+ */
+
+export class EnhancedValidationMiddleware {
+  /**
+   * Enhanced candidate creation validation
+   */
+  static validateCandidateCreation() {
+    return [
+      InputSanitizer.sanitizeString('firstName', 2, 50),
+      InputSanitizer.sanitizeString('lastName', 2, 50),
+      InputSanitizer.sanitizeEmail('email'),
+      InputSanitizer.sanitizeString('phone', 10, 20),
+      InputSanitizer.sanitizeArray('skills', 20),
+      InputSanitizer.sanitizeInteger('experience', 0, 50),
+      InputSanitizer.sanitizeString('location', 2, 100),
+      InputSanitizer.sanitizeString('availability', 2, 50),
+      body('skills.*').isString().trim().isLength({ min: 1, max: 50 }),
+      SecurityMiddleware.handleValidationErrors()
+    ];
+  }
+
+  /**
+   * Enhanced job creation validation
+   */
+  static validateJobCreation() {
+    return [
+      InputSanitizer.sanitizeString('title', 3, 100),
+      InputSanitizer.sanitizeString('company', 2, 100),
+      InputSanitizer.sanitizeString('description', 10, 2000),
+      InputSanitizer.sanitizeArray('required_skills', 20),
+      InputSanitizer.sanitizeArray('preferred_skills', 20),
+      InputSanitizer.sanitizeString('location', 2, 100),
+      InputSanitizer.sanitizeBoolean('remote_ok'),
+      body('required_skills.*').isString().trim().isLength({ min: 1, max: 50 }),
+      body('preferred_skills.*').optional().isString().trim().isLength({ min: 1, max: 50 }),
+      body('experience_level').isIn(['entry', 'mid', 'senior', 'lead']),
+      body('employment_type').isIn(['full-time', 'part-time', 'contract', 'internship']),
+      SecurityMiddleware.handleValidationErrors()
+    ];
+  }
+
+  /**
+   * Enhanced application creation validation
+   */
+  static validateApplicationCreation() {
+    return [
+      InputSanitizer.sanitizeUUID('candidate_id'),
+      InputSanitizer.sanitizeUUID('job_position_id'),
+      InputSanitizer.sanitizeString('cover_letter', 10, 1000),
+      SecurityMiddleware.handleValidationErrors()
+    ];
+  }
+
+  /**
+   * Enhanced matching request validation
+   */
+  static validateMatchingRequest() {
+    return [
+      param('id').isUUID().withMessage('Invalid ID format'),
+      InputSanitizer.sanitizeQueryParam('limit'),
+      InputSanitizer.sanitizeQueryParam('location'),
+      InputSanitizer.sanitizeQueryParam('experience_level'),
+      SecurityMiddleware.handleValidationErrors()
+    ];
+  }
+
+  /**
+   * File upload validation (for future use)
+   */
+  static validateFileUpload() {
+    return (req: Request & { file?: any }, res: Response, next: NextFunction) => {
+      if (req.file) {
+        const allowedTypes = ['application/pdf', 'image/jpeg', 'image/png'];
+        const maxSize = 5 * 1024 * 1024;
+
+        if (!allowedTypes.includes(req.file.mimetype)) {
+          return res.status(400).json({
+            success: false,
+            message: 'Invalid file type. Only PDF, JPEG, and PNG files are allowed.'
+          });
+        }
+
+        if (req.file.size > maxSize) {
+          return res.status(400).json({
+            success: false,
+            message: 'File size exceeds 5MB limit.'
+          });
+        }
+      }
+
+      next();
+    };
+  }
+
+  /**
+   * SQL injection prevention (additional layer)
+   */
+  static preventSQLInjection() {
+    return (req: Request, res: Response, next: NextFunction) => {
+      const sqlInjectionPatterns = [
+        /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE)\b)/i,
+        /('|(\\)|;|--|\/\*|\*\/)/,
+        /(EXEC|EXECUTE|SP_|XP_)/i
+      ];
+
+      const checkForSQLInjection = (obj: any): boolean => {
+        if (typeof obj === 'string') {
+          return sqlInjectionPatterns.some(pattern => pattern.test(obj));
+        }
+
+        if (typeof obj === 'object' && obj !== null) {
+          for (const value of Object.values(obj)) {
+            if (checkForSQLInjection(value)) {
+              return true;
+            }
+          }
+        }
+
+        return false;
+      };
+
+      if (checkForSQLInjection(req.body) || checkForSQLInjection(req.query) || checkForSQLInjection(req.params)) {
+        return res.status(400).json({
+          success: false,
+          message: 'Invalid input detected'
+        });
+      }
+
+      next();
+    };
+  }
+}