fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting #85

Merged

jason.woltje merged 5 commits from fix/gateway-security into main 2026-03-13 18:07:01 +00:00

Conversation 1 Commits 5 Files Changed 26 +928 -74

jason.woltje commented 2026-03-13 13:26:42 +00:00

Owner

Copy Link

Summary

7 security fixes for the mosaic-mono-v1 gateway:

1. ChatController auth guard — Added @UseGuards(AuthGuard) + @CurrentUser() (was unauthenticated)
2. WebSocket CORS — origin: * → process.env["GATEWAY_CORS_ORIGIN"]; chat.gateway-auth.ts helper for session validation on handleConnection
3. Ownership checks — All CRUD by-ID routes on conversations/projects/missions/tasks now throw ForbiddenException on userId mismatch
4. Global ValidationPipe — whitelist: true, forbidNonWhitelisted: true, transform: true; DTOs updated with @IsString, @IsIn, @MaxLength decorators
5. Rate limiting — @nestjs/throttler global 60/min; ChatController 10/min override
6. Helmet — @fastify/helmet registered on Fastify app (CSP disabled for now)
7. Body limit + env validation — bodyLimit: 1_048_576; startup throws if BETTER_AUTH_SECRET not set

Tests

• apps/gateway/src/__tests__/resource-ownership.test.ts
• apps/gateway/src/chat/__tests__/chat-security.test.ts

Gates

• typecheck ✅
• lint ✅
• format ✅

## Summary 7 security fixes for the mosaic-mono-v1 gateway: 1. **ChatController auth guard** — Added `@UseGuards(AuthGuard)` + `@CurrentUser()` (was unauthenticated) 2. **WebSocket CORS** — `origin: *` → `process.env["GATEWAY_CORS_ORIGIN"]`; `chat.gateway-auth.ts` helper for session validation on `handleConnection` 3. **Ownership checks** — All CRUD by-ID routes on conversations/projects/missions/tasks now throw `ForbiddenException` on userId mismatch 4. **Global ValidationPipe** — `whitelist: true, forbidNonWhitelisted: true, transform: true`; DTOs updated with `@IsString`, `@IsIn`, `@MaxLength` decorators 5. **Rate limiting** — `@nestjs/throttler` global 60/min; ChatController 10/min override 6. **Helmet** — `@fastify/helmet` registered on Fastify app (CSP disabled for now) 7. **Body limit + env validation** — `bodyLimit: 1_048_576`; startup throws if `BETTER_AUTH_SECRET` not set ## Tests - `apps/gateway/src/__tests__/resource-ownership.test.ts` - `apps/gateway/src/chat/__tests__/chat-security.test.ts` ## Gates - typecheck ✅ - lint ✅ - format ✅

jason.woltje added 2 commits 2026-03-13 13:26:43 +00:00

fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting b86bfebe1f

chore: format docs files 3c8e7fd6b2

jason.woltje added 1 commit 2026-03-13 13:33:23 +00:00

fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting 58ba99f3eb

jason.woltje force-pushed fix/gateway-security from 58ba99f3eb to 0fe2cb79a7 2026-03-13 17:03:35 +00:00 Compare

jason.woltje commented 2026-03-13 17:04:50 +00:00

Author

Owner

Copy Link

Code Review: APPROVED ✅

All 7 security fixes look solid. assertOwner() helper clean and reused across all 4 controllers. validateSocketSession() properly converts Node headers, disconnects on null. ThrottlerGuard as APP_GUARD (global 60/min) + ChatController override (10/min). Helmet registered before routes. BETTER_AUTH_SECRET guard before listen(). DTOs correctly converted from interface to class with class-validator. Minor: tasks with no projectId/missionId throw ForbiddenException — conservative secure default, acceptable.

Gates: typecheck ✅ lint ✅ format ✅

Ready for Merge Guard.

**Code Review: APPROVED ✅** All 7 security fixes look solid. `assertOwner()` helper clean and reused across all 4 controllers. `validateSocketSession()` properly converts Node headers, disconnects on null. `ThrottlerGuard` as APP_GUARD (global 60/min) + ChatController override (10/min). Helmet registered before routes. BETTER_AUTH_SECRET guard before listen(). DTOs correctly converted from interface to class with class-validator. Minor: tasks with no projectId/missionId throw ForbiddenException — conservative secure default, acceptable. Gates: typecheck ✅ lint ✅ format ✅ Ready for Merge Guard.

jason.woltje referenced this pull request 2026-03-13 17:08:57 +00:00

feat(plugins): plugin-to-gateway WebSocket auth mechanism #94

jason.woltje added 1 commit 2026-03-13 17:38:55 +00:00

fix(turbo): typecheck must depend on ^build so package types are available 19a04e9b0d

jason.woltje force-pushed fix/gateway-security from 19a04e9b0d to 85a25fd995 2026-03-13 18:04:11 +00:00 Compare

jason.woltje merged commit 02772a3910 into main 2026-03-13 18:07:01 +00:00

jason.woltje referenced this issue from a commit 2026-03-13 18:07:03 +00:00

Merge pull request 'fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting' (#85) from fix/gateway-security into main

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaicstack/stack#85