more secure token handling

backend/middleware/security.js

@@ -0,0 +1,142 @@
+// HTTPS enforcement middleware
+const enforceHTTPS = (req, res, next) => {
+  // Skip HTTPS enforcement in development
+  if (
+    process.env.NODE_ENV === "dev" ||
+    process.env.NODE_ENV === "development"
+  ) {
+    return next();
+  }
+
+  // Check if request is already HTTPS
+  const isSecure =
+    req.secure ||
+    req.headers["x-forwarded-proto"] === "https" ||
+    req.protocol === "https";
+
+  if (!isSecure) {
+    // Use configured allowed host to prevent Host Header Injection
+    const allowedHost = process.env.FRONTEND_URL;
+
+    // Log the redirect for monitoring
+    if (req.headers.host !== allowedHost) {
+      console.warn("[SECURITY] Host header mismatch during HTTPS redirect:", {
+        requestHost: req.headers.host,
+        allowedHost,
+        ip: req.ip,
+        url: req.url,
+      });
+    }
+
+    // Redirect to HTTPS with validated host
+    return res.redirect(301, `https://${allowedHost}${req.url}`);
+  }
+
+  // Set Strict-Transport-Security header
+  res.setHeader(
+    "Strict-Transport-Security",
+    "max-age=31536000; includeSubDomains; preload"
+  );
+  next();
+};
+
+// Security headers middleware
+const securityHeaders = (req, res, next) => {
+  // X-Content-Type-Options
+  res.setHeader("X-Content-Type-Options", "nosniff");
+
+  // X-Frame-Options
+  res.setHeader("X-Frame-Options", "DENY");
+
+  // Referrer-Policy
+  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+
+  // Permissions-Policy (formerly Feature-Policy)
+  res.setHeader(
+    "Permissions-Policy",
+    "camera=(), microphone=(), geolocation=(self)"
+  );
+
+  next();
+};
+
+// Request ID middleware for tracking
+const requestId = require("crypto");
+const addRequestId = (req, res, next) => {
+  req.id = requestId.randomBytes(16).toString("hex");
+  res.setHeader("X-Request-ID", req.id);
+  next();
+};
+
+// Log security events
+const logSecurityEvent = (eventType, details, req) => {
+  const logEntry = {
+    timestamp: new Date().toISOString(),
+    eventType,
+    requestId: req.id || "unknown",
+    ip: req.ip || req.connection.remoteAddress,
+    userAgent: req.get("user-agent"),
+    userId: req.user?.id || "anonymous",
+    ...details,
+  };
+
+  // In production, this should write to a secure log file or service
+  if (process.env.NODE_ENV === "production") {
+    console.log("[SECURITY]", JSON.stringify(logEntry));
+  } else {
+    console.log("[SECURITY]", eventType, details);
+  }
+};
+
+// Sanitize error messages to prevent information leakage
+const sanitizeError = (err, req, res, next) => {
+  // Log the full error internally
+  console.error("Error:", {
+    requestId: req.id,
+    error: err.message,
+    stack: err.stack,
+    userId: req.user?.id,
+  });
+
+  // Send sanitized error to client
+  const isDevelopment =
+    process.env.NODE_ENV === "dev" || process.env.NODE_ENV === "development";
+
+  if (err.status === 400) {
+    // Client errors can be more specific
+    return res.status(400).json({
+      error: err.message || "Bad Request",
+      requestId: req.id,
+    });
+  } else if (err.status === 401) {
+    return res.status(401).json({
+      error: "Unauthorized",
+      requestId: req.id,
+    });
+  } else if (err.status === 403) {
+    return res.status(403).json({
+      error: "Forbidden",
+      requestId: req.id,
+    });
+  } else if (err.status === 404) {
+    return res.status(404).json({
+      error: "Not Found",
+      requestId: req.id,
+    });
+  } else {
+    // Server errors should be generic in production
+    return res.status(err.status || 500).json({
+      error: isDevelopment ? err.message : "Internal Server Error",
+      requestId: req.id,
+      ...(isDevelopment && { stack: err.stack }),
+    });
+  }
+};
+
+module.exports = {
+  enforceHTTPS,
+  securityHeaders,
+  addRequestId,
+  logSecurityEvent,
+  sanitizeError,
+};