fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting
23
docs/reports/code-review/gateway-security-20260313.md
Normal file
@@ -0,0 +1,23 @@
|
||||
# Code Review Report — Gateway Security Hardening
|
||||
|
||||
## Scope Reviewed
|
||||
|
||||
- `apps/gateway/src/chat/chat.gateway-auth.ts`
|
||||
- `apps/gateway/src/chat/chat.gateway.ts`
|
||||
- `apps/gateway/src/conversations/conversations.dto.ts`
|
||||
- `apps/gateway/src/chat/__tests__/chat-security.test.ts`
|
||||
|
||||
## Findings
|
||||
|
||||
- No blocker findings in the final changed surface.
|
||||
|
||||
## Review Summary
|
||||
|
||||
- Correctness: socket auth helper now returns Better Auth session data unchanged, and gateway disconnects clients whose handshake does not narrow to a valid session payload
|
||||
- Security: conversation role validation now rejects `system`; conversation content ceiling is 32k; chat request ceiling remains 10k
|
||||
- Testing: targeted auth, ownership, and DTO regression tests pass
|
||||
- Quality: `pnpm typecheck`, `pnpm lint`, and `pnpm format:check` all pass after the final edits
|
||||
|
||||
## Residual Risk
|
||||
|
||||
- `chat.gateway.ts` uses local narrowing around an `unknown` session result because the requested helper contract intentionally returns `unknown`.
|
||||
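Review bot: The Review Summary does not cover rate limiting, which the commit title lists alongside auth guards, ownership checks and validation, and none of the four files under Scope Reviewed is identified as a rate-limiting change. Either add a bullet stating what was reviewed for rate limiting and which test exercises it, or state that it is out of scope for this report. In the Security bullet, "conversation content ceiling is 32k" and "chat request ceiling remains 10k" carry no unit; say whether these are characters or bytes, since the two differ for multi-byte input. Under Residual Risk, name the fields the local narrowing in `chat.gateway.ts` checks before a session is accepted, so that a later change to the helper's `unknown` return cannot silently weaken the disconnect path.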