more secure token handling

backend/middleware/auth.js

@@ -2,11 +2,14 @@ const jwt = require("jsonwebtoken");
 const { User } = require("../models"); // Import from models/index.js to get models with associations
 
 const authenticateToken = async (req, res, next) => {
-  const authHeader = req.headers["authorization"];
-  const token = authHeader && authHeader.split(" ")[1];
+  // First try to get token from cookie
+  let token = req.cookies?.accessToken;
 
   if (!token) {
-    return res.status(401).json({ error: "Access token required" });
+    return res.status(401).json({
+      error: "Access token required",
+      code: "NO_TOKEN",
+    });
   }
 
   try {
@@ -14,20 +17,37 @@ const authenticateToken = async (req, res, next) => {
     const userId = decoded.id;
 
     if (!userId) {
-      return res.status(401).json({ error: "Invalid token format" });
+      return res.status(401).json({
+        error: "Invalid token format",
+        code: "INVALID_TOKEN_FORMAT",
+      });
     }
 
     const user = await User.findByPk(userId);
 
     if (!user) {
-      return res.status(401).json({ error: "User not found" });
+      return res.status(401).json({
+        error: "User not found",
+        code: "USER_NOT_FOUND",
+      });
     }
 
     req.user = user;
     next();
   } catch (error) {
+    // Check if token is expired
+    if (error.name === "TokenExpiredError") {
+      return res.status(401).json({
+        error: "Token expired",
+        code: "TOKEN_EXPIRED",
+      });
+    }
+
     console.error("Auth middleware error:", error);
-    return res.status(403).json({ error: "Invalid or expired token" });
+    return res.status(403).json({
+      error: "Invalid token",
+      code: "INVALID_TOKEN",
+    });
   }
 };
 

backend/middleware/rateLimiter.js

@@ -104,12 +104,70 @@ const burstProtection = createUserBasedRateLimiter(
   "Too many requests in a short period. Please slow down."
 );
 
+// Authentication rate limiters
+const authRateLimiters = {
+  // Login rate limiter - stricter to prevent brute force
+  login: rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 5, // 5 login attempts per 15 minutes
+    message: {
+      error: "Too many login attempts. Please try again in 15 minutes.",
+      retryAfter: 900, // seconds
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+    skipSuccessfulRequests: true, // Don't count successful logins
+  }),
+
+  // Registration rate limiter
+  register: rateLimit({
+    windowMs: 60 * 60 * 1000, // 1 hour
+    max: 3, // 3 registration attempts per hour
+    message: {
+      error: "Too many registration attempts. Please try again later.",
+      retryAfter: 3600,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+  }),
+
+  // Password reset rate limiter
+  passwordReset: rateLimit({
+    windowMs: 60 * 60 * 1000, // 1 hour
+    max: 3, // 3 password reset requests per hour
+    message: {
+      error: "Too many password reset requests. Please try again later.",
+      retryAfter: 3600,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+  }),
+
+  // General API rate limiter
+  general: rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 100, // 100 requests per minute
+    message: {
+      error: "Too many requests. Please slow down.",
+      retryAfter: 60,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+  }),
+};
+
 module.exports = {
   // Individual rate limiters
   placesAutocomplete: rateLimiters.placesAutocomplete,
   placeDetails: rateLimiters.placeDetails,
   geocoding: rateLimiters.geocoding,
 
+  // Auth rate limiters
+  loginLimiter: authRateLimiters.login,
+  registerLimiter: authRateLimiters.register,
+  passwordResetLimiter: authRateLimiters.passwordReset,
+  generalLimiter: authRateLimiters.general,
+
   // Burst protection
   burstProtection,
 

backend/middleware/security.js

@@ -0,0 +1,142 @@
+// HTTPS enforcement middleware
+const enforceHTTPS = (req, res, next) => {
+  // Skip HTTPS enforcement in development
+  if (
+    process.env.NODE_ENV === "dev" ||
+    process.env.NODE_ENV === "development"
+  ) {
+    return next();
+  }
+
+  // Check if request is already HTTPS
+  const isSecure =
+    req.secure ||
+    req.headers["x-forwarded-proto"] === "https" ||
+    req.protocol === "https";
+
+  if (!isSecure) {
+    // Use configured allowed host to prevent Host Header Injection
+    const allowedHost = process.env.FRONTEND_URL;
+
+    // Log the redirect for monitoring
+    if (req.headers.host !== allowedHost) {
+      console.warn("[SECURITY] Host header mismatch during HTTPS redirect:", {
+        requestHost: req.headers.host,
+        allowedHost,
+        ip: req.ip,
+        url: req.url,
+      });
+    }
+
+    // Redirect to HTTPS with validated host
+    return res.redirect(301, `https://${allowedHost}${req.url}`);
+  }
+
+  // Set Strict-Transport-Security header
+  res.setHeader(
+    "Strict-Transport-Security",
+    "max-age=31536000; includeSubDomains; preload"
+  );
+  next();
+};
+
+// Security headers middleware
+const securityHeaders = (req, res, next) => {
+  // X-Content-Type-Options
+  res.setHeader("X-Content-Type-Options", "nosniff");
+
+  // X-Frame-Options
+  res.setHeader("X-Frame-Options", "DENY");
+
+  // Referrer-Policy
+  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+
+  // Permissions-Policy (formerly Feature-Policy)
+  res.setHeader(
+    "Permissions-Policy",
+    "camera=(), microphone=(), geolocation=(self)"
+  );
+
+  next();
+};
+
+// Request ID middleware for tracking
+const requestId = require("crypto");
+const addRequestId = (req, res, next) => {
+  req.id = requestId.randomBytes(16).toString("hex");
+  res.setHeader("X-Request-ID", req.id);
+  next();
+};
+
+// Log security events
+const logSecurityEvent = (eventType, details, req) => {
+  const logEntry = {
+    timestamp: new Date().toISOString(),
+    eventType,
+    requestId: req.id || "unknown",
+    ip: req.ip || req.connection.remoteAddress,
+    userAgent: req.get("user-agent"),
+    userId: req.user?.id || "anonymous",
+    ...details,
+  };
+
+  // In production, this should write to a secure log file or service
+  if (process.env.NODE_ENV === "production") {
+    console.log("[SECURITY]", JSON.stringify(logEntry));
+  } else {
+    console.log("[SECURITY]", eventType, details);
+  }
+};
+
+// Sanitize error messages to prevent information leakage
+const sanitizeError = (err, req, res, next) => {
+  // Log the full error internally
+  console.error("Error:", {
+    requestId: req.id,
+    error: err.message,
+    stack: err.stack,
+    userId: req.user?.id,
+  });
+
+  // Send sanitized error to client
+  const isDevelopment =
+    process.env.NODE_ENV === "dev" || process.env.NODE_ENV === "development";
+
+  if (err.status === 400) {
+    // Client errors can be more specific
+    return res.status(400).json({
+      error: err.message || "Bad Request",
+      requestId: req.id,
+    });
+  } else if (err.status === 401) {
+    return res.status(401).json({
+      error: "Unauthorized",
+      requestId: req.id,
+    });
+  } else if (err.status === 403) {
+    return res.status(403).json({
+      error: "Forbidden",
+      requestId: req.id,
+    });
+  } else if (err.status === 404) {
+    return res.status(404).json({
+      error: "Not Found",
+      requestId: req.id,
+    });
+  } else {
+    // Server errors should be generic in production
+    return res.status(err.status || 500).json({
+      error: isDevelopment ? err.message : "Internal Server Error",
+      requestId: req.id,
+      ...(isDevelopment && { stack: err.stack }),
+    });
+  }
+};
+
+module.exports = {
+  enforceHTTPS,
+  securityHeaders,
+  addRequestId,
+  logSecurityEvent,
+  sanitizeError,
+};