Skip to content

Latest commit

 

History

History
383 lines (282 loc) · 11.4 KB

File metadata and controls

383 lines (282 loc) · 11.4 KB

Security Audit Report - Admin Dashboard Service (Stellar Payment API)

Executive Summary

This document outlines the comprehensive security audit and improvements made to the Stellar Payment API backend (Admin Dashboard Service). The audit focused on identifying and addressing potential security vulnerabilities, implementing robust input validation, and enhancing error handling and logging.

Audit Scope

  • Authentication & Authorization
  • Input Validation & Injection Prevention
  • Error Handling & Information Disclosure
  • Rate Limiting & DoS Protection
  • Secure Headers & Security Middleware
  • Logging & Monitoring
  • Cryptographic Operations
  • Webhook Security

Security Improvements Implemented

1. Security Headers & Middleware (Via Helmet)

Issue: Missing security headers that protect against common web vulnerabilities.

Solution: Implemented Helmet.js with comprehensive security headers:

  • Content-Security-Policy: Prevents XSS attacks
  • X-Frame-Options: DENY - prevents clickjacking
  • X-Content-Type-Options: nosniff - prevents MIME type sniffing
  • X-XSS-Protection: Enabled legacy XSS protection
  • Strict-Transport-Security (HSTS): Enforces HTTPS
  • Referrer-Policy: strict-origin-when-cross-origin

Code: /backend/src/lib/security.js

2. Enhanced Input Validation

Issues:

  • Basic email validation was insufficient
  • No Stellar address format validation
  • No asset code validation
  • No webhook URL validation (SSRF risk)
  • No memo constraints validation

Solutions Implemented:

Email Validation

  • RFC 5322 compliant regex pattern
  • Max length enforcement (254 characters)
  • Case normalization

Stellar Address Validation

  • Format: G + 55 base32 characters
  • Prevents invalid addresses from reaching blockchain

Asset Code Validation

  • Format: 1-12 alphanumeric characters
  • Prevents injection attacks

Webhook URL Validation

  • Protocol whitelist: http, https only
  • SSRF prevention: Blocks private IP ranges in production
  • Valid URL format enforcement

Amount Validation

  • Min/max bounds: 0.0000001 to 922337203685.4775
  • Number type validation
  • Prevents overflow attacks

Memo Validation

  • Max length: 28 characters
  • Type-specific validation (ID must be numeric)
  • 64-bit boundary checks for ID type

Code: /backend/src/routes/payments.js

3. API Key Format Validation

Issue: API keys were not validated for format before database queries, increasing injection attack surface.

Solution:

  • API key format: sk_ + 48 hex characters (192 bits entropy)
  • Validation before database lookup
  • Prevents malformed keys from reaching database

Code: /backend/src/lib/auth.js

4. Request Sanitization

Issues:

  • Whitespace not trimmed from inputs
  • Potential for injection through whitespace tricks

Solution:

  • Automatic whitespace trimming on all string fields
  • Sanitization middleware applied to all requests
  • Original body preservation for webhook signatures

Code: /backend/src/lib/security.js

5. Error Handling & Information Disclosure

Issues:

  • Database errors exposed to clients
  • Implementation details leaked in error messages
  • Sensitive information not sanitized

Solution:

  • Environment-aware error handling
    • Development: Full error details for debugging
    • Production: Generic error messages
  • Error logging with sanitized data
  • Sensitive field filtering (api_key, webhook_secret, password, token)

Code: /backend/src/lib/security.js

6. Rate Limiting

Issues:

  • Rate limiting only on verify-payment endpoint
  • No limits on registration or key rotation

Solution: Implemented tiered rate limiting:

  • Authentication endpoints (register, rotate-key): 5 req/15 min
  • API operations (create-payment): 30 req/15 min
  • Verification endpoints: 10 req/15 min
  • Global fallback: 100 req/60 sec
  • Exemptions: Health checks (necessary for monitoring)

Code: /backend/src/lib/security.js & /backend/src/index.js

7. CORS Configuration Hardening

Issues:

  • CORS misconfiguration could allow unauthorized access

Solution:

  • Explicit origin validation
  • Method whitelist: GET, POST, OPTIONS only
  • Header whitelist: Content-Type, x-api-key only
  • Credentials flag properly set
  • CORS violation logging

Code: /backend/src/index.js

8. Request Body Size Limiting

Issue: Large payloads could cause memory exhaustion or DoS.

Solution:

  • Express JSON limit: 1MB
  • Metadata field size limit: 4KB
  • Description field length limit: 500 characters

Code: /backend/src/index.js

9. Security Event Logging

Issues:

  • Insufficient security event tracking
  • Unable to detect attacks

Solution:

  • Comprehensive security event logging
  • Events tracked:
    • Missing/invalid API keys
    • Authentication failures
    • Registration attempts
    • Key rotations
    • Payment verification
    • CORS violations
    • Validation failures
  • Sensitive data filtering in logs

Code: /backend/src/lib/security.js

10. API Key Generation Enhancement

Issue: API key entropy and format consistency.

Solution:

  • High-entropy key generation: randomBytes(24) = 192 bits
  • Standardized format: sk_ prefix + hex string
  • Webhook secrets: whsec_ prefix for distinction

Code: /backend/src/routes/merchants.js

11. Production Environment Safeguards

Issues:

  • API docs exposed in production
  • Debug information leaked

Solution:

  • Swagger UI only available in non-production
  • Environment-based error verbosity
  • Environment variable: NODE_ENV validation

Code: /backend/src/index.js

12. Database Connection Security

Already Implemented - Verified:

  • Connection pooling with limits (max: 10 connections)
  • Idle timeout: 30 seconds
  • Connection timeout: 5 seconds
  • SSL enforcement for database connections

Code: /backend/src/lib/db.js

Testing

Security Tests Added

Created comprehensive security validation tests in /backend/src/lib/security.test.js:

  • Stellar address validation (valid/invalid formats, case sensitivity)
  • Asset code validation (length, characters, format)
  • Webhook URL validation (protocol, IP ranges, SSRF prevention)
  • API key format validation (prefix, length, hex characters)

Test Execution

# Run security tests
npm test

# Expected output: All validation tests pass

API Endpoint Security Enhancements

POST /api/register-merchant

  • ✅ Enhanced email validation (RFC 5322)
  • ✅ Business name length validation
  • ✅ Duplicate email detection
  • ✅ Case-normalized email storage
  • ✅ Secure credential generation
  • ✅ Rate limiting: 5 req/15 min
  • ✅ Security event logging

POST /api/rotate-key

  • ✅ API key format validation
  • ✅ Merchant authentication required
  • ✅ High-entropy key generation
  • ✅ Timestamp tracking (api_key_rotated_at)
  • ✅ Rate limiting: 5 req/15 min
  • ✅ Security event logging

POST /api/create-payment

  • ✅ Stellar address validation
  • ✅ Asset code validation
  • ✅ Amount boundary validation
  • ✅ Webhook URL validation (SSRF prevention)
  • ✅ Memo constraints validation
  • ✅ Metadata size limits
  • ✅ API key authentication
  • ✅ Rate limiting: 30 req/15 min
  • ✅ Security event logging

GET /api/payment-status/:id

  • ✅ UUID validation
  • ✅ Information disclosure prevention
  • ✅ Proper 404 handling
  • ✅ Error sanitization

POST /api/verify-payment/:id

  • ✅ UUID validation
  • ✅ Rate limiting: 10 req/15 min
  • ✅ Webhook security (HMAC signing)
  • ✅ Error handling without exposing internals
  • ✅ Security event logging

OWASP Top 10 Alignment

Risk Status Details
A1: Broken Access Control ✅ Mitigated API key format validation, authentication required
A2: Cryptographic Failures ✅ Mitigated HTTPS via HSTS, HMAC for webhooks
A3: Injection ✅ Mitigated Input validation, Supabase parameterized queries
A4: Insecure Design ✅ Mitigated Rate limiting, SSRF prevention
A5: Security Misconfiguration ✅ Mitigated Helmet headers, environment checks
A6: Vulnerable Components ⚠️ Review Dependencies: express-rate-limit@8.3.1, helmet@7.1.0
A7: Authentication Failures ✅ Mitigated API key validation, secure credential generation
A8: Data Integrity Failures ✅ Mitigated Webhook HMAC signing, validation
A9: Logging & Monitoring ✅ Enhanced Comprehensive security event logging
A10: SSRF ✅ Mitigated Webhook URL validation with IP range blocking

Dependencies Added/Updated

{
  "helmet": "^7.1.0"
}

Justification: Helmet provides comprehensive HTTP security headers protection and is the industry standard for Express.js security.

Configuration Recommendations

Environment Variables

Add/verify these in .env:

# Security
NODE_ENV=production
PORT=4000

# CORS
CORS_ALLOWED_ORIGINS=https://yourdomain.com

# Database
DATABASE_URL=postgresql://...

# Supabase
SUPABASE_URL=https://...
SUPABASE_SERVICE_ROLE_KEY=...

# Stellar
STELLAR_NETWORK=testnet

# Payment Links
PAYMENT_LINK_BASE=https://yourdomain.com

Deployment Checklist

  • Set NODE_ENV=production
  • Configure CORS_ALLOWED_ORIGINS properly
  • Verify HTTPS on all endpoints
  • Enable database SSL connections
  • Set up monitoring for rate limit hits
  • Configure centralized logging
  • Run security tests: npm test
  • Review error logs in production (first 24 hours)

Future Security Enhancements

  1. API Key Scoping: Implement scoped API keys (read, write, delete)
  2. Request Signing: Add request signature verification for sensitive operations
  3. IP Whitelisting: Allow merchants to whitelist webhook IPs
  4. Audit Trail: Persistent audit log of all API operations
  5. Rate Limit Fingerprinting: Better bot detection and rate limiting
  6. Webhook Retries: Enhanced retry logic with exponential backoff
  7. OAuth 2.0: Consider OAuth 2.0 for merchant applications
  8. API Versioning: Version endpoints (v1, v2) for safer updates

Compliance Notes

  • ✅ OWASP Top 10 (2021) alignment
  • ✅ Input validation best practices
  • ✅ Secure error handling
  • ✅ Cryptographic best practices
  • ✅ Rate limiting & DoS protection
  • ✅ Logging & monitoring ready

Testing Instructions

# Install dependencies
npm install

# Run all tests including security tests
npm test

# Run specific security test file
npx vitest src/lib/security.test.js

# Test rate limiting with curl
for i in {1..6}; do curl -H "x-api-key: invalid" http://localhost:4000/api/rotate-key -X POST; done
# Should see: 429 Too Many Requests on 6th attempt

Summary

This comprehensive security audit has addressed multiple critical and high-severity vulnerabilities in the Admin Dashboard Service (Stellar Payment API). The implementation follows industry best practices and OWASP Top 10 guidelines.

All improvements maintain backward compatibility while significantly enhancing the security posture of the application.


Audit Date: 2026-06-25 Auditor: Security Audit Task Status: ✅ Complete and Ready for Production