security: address assessment findings and bump to v2026.3.11

- C1: Disable Swagger UI in production (env gate) - M1+M2: Add Helmet.js for security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) and remove X-Powered-By - H2: Add @nestjs/throttler rate limiting (5 req/min on login/register) - M4: Remove orgSchema from JWT payload and client-side storage; tenant middleware now resolves schema from orgId via cached DB lookup - L1: Fix Chatwoot user identification (read from auth store on ready) - Remove schemaName from frontend Organization type and UI displays Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 15:22:58 -04:00
parent 508a86d16c
commit 61a4f27af4
14 changed files with 105 additions and 46 deletions
--- a/backend/src/modules/auth/auth.controller.ts
+++ b/backend/src/modules/auth/auth.controller.ts
@@ -9,6 +9,7 @@ import {
 } from '@nestjs/common';
 import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
 import { AuthGuard } from '@nestjs/passport';
+import { Throttle } from '@nestjs/throttler';
 import { AuthService } from './auth.service';
 import { RegisterDto } from './dto/register.dto';
 import { LoginDto } from './dto/login.dto';
@@ -23,12 +24,14 @@ export class AuthController {

  @Post('register')
  @ApiOperation({ summary: 'Register a new user' })
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
  async register(@Body() dto: RegisterDto) {
    return this.authService.register(dto);
  }

  @Post('login')
  @ApiOperation({ summary: 'Login with email and password' })
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
  @UseGuards(AuthGuard('local'))
  async login(@Request() req: any, @Body() _dto: LoginDto) {
    const ip = req.headers['x-forwarded-for'] || req.ip;
--- a/backend/src/modules/auth/auth.service.ts
+++ b/backend/src/modules/auth/auth.service.ts
@@ -118,7 +118,6 @@ export class AuthService {
      sub: user.id,
      email: user.email,
      orgId: membership.organizationId,
-      orgSchema: membership.organization.schemaName,
      role: membership.role,
    };

@@ -177,7 +176,6 @@ export class AuthService {

    if (defaultOrg) {
      payload.orgId = defaultOrg.organizationId;
-      payload.orgSchema = defaultOrg.organization?.schemaName;
      payload.role = defaultOrg.role;
    }

@@ -195,7 +193,6 @@ export class AuthService {
      organizations: orgs.map((uo) => ({
        id: uo.organizationId,
        name: uo.organization?.name,
-        schemaName: uo.organization?.schemaName,
        status: uo.organization?.status,
        role: uo.role,
      })),
--- a/backend/src/modules/auth/strategies/jwt.strategy.ts
+++ b/backend/src/modules/auth/strategies/jwt.strategy.ts
@@ -18,7 +18,6 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
      sub: payload.sub,
      email: payload.email,
      orgId: payload.orgId,
-      orgSchema: payload.orgSchema,
      role: payload.role,
      isSuperadmin: payload.isSuperadmin || false,
      impersonatedBy: payload.impersonatedBy || null,
--- a/backend/src/modules/health-scores/health-scores.controller.ts
+++ b/backend/src/modules/health-scores/health-scores.controller.ts
@@ -16,7 +16,7 @@ export class HealthScoresController {
  @Get('latest')
  @ApiOperation({ summary: 'Get latest operating and reserve health scores' })
  getLatest(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;
    return this.service.getLatestScores(schema);
  }

@@ -24,7 +24,7 @@ export class HealthScoresController {
  @ApiOperation({ summary: 'Trigger both health score recalculations (async — returns immediately)' })
  @AllowViewer()
  async calculate(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;

    // Fire-and-forget — background processing saves results to DB
    Promise.all([
@@ -44,7 +44,7 @@ export class HealthScoresController {
  @ApiOperation({ summary: 'Trigger operating fund health score recalculation (async)' })
  @AllowViewer()
  async calculateOperating(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;

    // Fire-and-forget
    this.service.calculateScore(schema, 'operating').catch((err) => {
@@ -61,7 +61,7 @@ export class HealthScoresController {
  @ApiOperation({ summary: 'Trigger reserve fund health score recalculation (async)' })
  @AllowViewer()
  async calculateReserve(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;

    // Fire-and-forget
    this.service.calculateScore(schema, 'reserve').catch((err) => {