fix(security): harden data layer and persistence (sec-data-01..08)#45

Open
Abdulkhalek-1 wants to merge 2 commits intomainfrom
fix/security-data-2026-04-07
Conversation

@Abdulkhalek-1
Collaborator

Summary

Implements 8 security hardening plans covering encryption, cache correctness, logging, and schema integrity.

| # | Plan | Fix |
|---|------|-----|
| 01 | encrypt-access-token-audit | AES-256-GCM encryption for `DashboardSession.accessToken` + backfill script |
| 02 | actions-cache-atomic-swap | Atomic rule-cache swap eliminates empty-cache window during reload |
| 03 | session-lookup-constant-time | `timingSafeEqual` id comparison + equalized not-found path |
| 04 | dashboard-role-restrict-delete | FK `onDelete: Restrict` + transactional `deleteDashboardRoleWithAudit` helper |
| 05 | logger-redaction | `redactSensitive` strips Bearer tokens, webhooks, bot tokens from logs |
| 06 | audit-details-json-column | `DashboardAuditLog.details` → jsonb (true Json column) |
| 07 | safejsonparse-warn | Context-aware warning on corrupted rule rows |
| 08 | action-rate-limit-per-event-type | Rate limit keyed per `(guildId, eventType)` |

Migrations

Three Prisma migrations are included:

  • `20260407120000_encrypt_dashboard_session_tokens` — annotation-only no-op (encryption is app-layer)
  • `20260407130000_restrict_dashboard_role_delete` — FK `ON DELETE RESTRICT`
  • `20260407140000_dashboard_audit_details_jsonb` — `ALTER TABLE ... TYPE jsonb USING ...`

Required before deploy:

  1. Run `pnpm db:migrate` in the target env
  2. Run `tsx scripts/migrate-encrypt-session-tokens.ts` to backfill legacy plaintext tokens (idempotent)

Changes

  • Modified: 10 source files across dashboard, bot, systems, utils
  • New: `crypto.ts` helpers, `dashboardRoleDelete.ts`, backfill script
  • Tests: 9 new test files (7 unit + 2 integration)

Test plan

  • `pnpm --filter @fluxcore/dashboard typecheck` — clean
  • `pnpm --filter @fluxcore/bot typecheck` — clean
  • `pnpm --filter @fluxcore/dashboard test` — 287 pass / 15 pre-existing baseline failures (no new regressions)
  • `pnpm --filter @fluxcore/systems test` — 228/228 unit tests green
  • `pnpm test:integration` — integration tests for sec-data-04 and sec-data-06 need real test DB
  • Manual smoke: login + verify session row is encrypted in DB
  • Manual smoke: delete a DashboardRole with active assignments
  • Manual smoke: run backfill script against dev DB
  • Verify log output does not contain plaintext tokens after sec-data-05

🤖 Generated with Claude Code

Implements 8 security hardening plans covering encryption, cache
correctness, logging, and schema integrity:

- sec-data-01: encrypt DashboardSession.accessToken with AES-256-GCM
  (session-scoped key via sha256(dashboardSessionSecret)); adds
  isEncrypted/encryptAccessToken/decryptAccessToken helpers and a
  backfill script for legacy plaintext rows
- sec-data-02: atomic swap of actions rule cache - build the new
  per-event Map locally then swap it in to eliminate the empty-cache
  window during reloadGuild
- sec-data-03: constant-time session id comparison via timingSafeEqual
  with equalized not-found-path work (dummy decrypt)
- sec-data-04: DashboardRoleAssignment FK onDelete -> Restrict plus
  new deleteDashboardRoleWithAudit helper that enumerates, audit-logs
  and unassigns inside a single transaction before deleting the role
- sec-data-05: redactSensitive() in @fluxcore/utils logger strips
  Bearer/Basic auth, Discord webhooks, bot tokens, and sensitive query
  params from all log output
- sec-data-06: migrate DashboardAuditLog.details String -> Json (jsonb
  with ALTER TABLE USING migration); routes no longer stringify
- sec-data-07: safeJsonParse warn-on-failure with rule context so
  corrupted rows surface instead of silently degrading
- sec-data-08: action rate limiter keyed per (guildId, eventType)
  so noisy events can't starve quieter ones

Prisma migrations: 3 new (encryption annotation, FK restrict, jsonb).
Typecheck clean; dashboard 287 pass / 15 baseline failures (no new
regressions); systems 228/228 unit tests green (integration tests for
sec-data-04/06 require real test DB).
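As an added illustration of the sec-data-01 and sec-data-03 patterns described above (example code, not the PR's or the project's own): AES-256-GCM token helpers with the key derived as sha256 of the session secret, an idempotent backfill over constructed rows, and a length-independent constant-time id comparison. The `enc:v1:` marker, the iv|tag|ciphertext layout and the hash-then-`timingSafeEqual` comparison are assumptions, not details taken from the PR.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes, timingSafeEqual } from "node:crypto";

const PREFIX = "enc:v1:"; // assumed marker so isEncrypted() can tell ciphertext from legacy plaintext

function deriveKey(secret: string): Buffer {
  return createHash("sha256").update(secret, "utf8").digest(); // 32 bytes -> AES-256 key
}

function isEncrypted(value: string): boolean {
  return value.startsWith(PREFIX);
}

function encryptAccessToken(token: string, secret: string): string {
  const iv = randomBytes(12); // 96-bit nonce, fresh per encryption; never reuse under one key
  const cipher = createCipheriv("aes-256-gcm", deriveKey(secret), iv);
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte GCM tag; stored so tampering is detected on decrypt
  return PREFIX + Buffer.concat([iv, tag, ct]).toString("base64");
}

function decryptAccessToken(stored: string, secret: string): string {
  if (!isEncrypted(stored)) return stored; // legacy plaintext row not yet backfilled
  const blob = Buffer.from(stored.slice(PREFIX.length), "base64");
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const ct = blob.subarray(28);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(secret), iv);
  decipher.setAuthTag(tag); // wrong key or modified ciphertext makes final() throw
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Idempotent backfill: only rows still holding plaintext are rewritten; returns the count changed.
function backfillRows(rows: { id: string; accessToken: string }[], secret: string): number {
  let changed = 0;
  for (const row of rows) {
    if (isEncrypted(row.accessToken)) continue;
    row.accessToken = encryptAccessToken(row.accessToken, secret);
    changed++;
  }
  return changed;
}

// Constant-time id comparison: hashing both sides gives equal lengths, which timingSafeEqual requires.
function sessionIdsMatch(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a, "utf8").digest();
  const hb = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(ha, hb);
}
```

Running the backfill twice against the same rows changes nothing the second time, which is the property a re-runnable migration script needs.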