[FIX] Fix some security issues

NADAL Jean-Baptiste
2026-02-18 15:27:55 +01:00
parent 3abc6f6371
commit 039cecc4a6
15 changed files with 2179 additions and 200 deletions

AGENTS.md

@@ -25,11 +25,24 @@ No build step required. Deploy to PHP-enabled web server.
## Testing
**No test framework configured.**
### PHP API Tests
To add tests:
- **PHP**: Consider PHPUnit
- **Vue**: Add Jest or Vitest via Vue CLI
Run functional tests for the PHP API:
```bash
cd api
php tests.php
```
The tests cover:
- **Auth**: Login, bad credentials, missing token, invalid token
- **Scores**: CRUD operations, error handling for non-existent resources
- **Create Score with Pieces**: Functional tests with pieces verification
- **Files**: Get files tree, delete file error handling
### Vue/Svelte
No test framework configured for frontend.
Run single test (when configured):
```bash
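Review bot: the retained line `**No test framework configured.**` and the `To add tests: - **PHP**: Consider PHPUnit` bullet now sit directly above a new `### PHP API Tests` subsection that tells the reader to run `cd api` and `php tests.php`, so the Testing section contradicts itself. Scope the bold line to the frontend (the `### Vue/Svelte` subsection already says exactly that) and either drop the PHP bullet or reword it as a migration note along the lines of "tests.php is a hand-rolled runner; consider moving to PHPUnit". The `### Vue/Svelte` heading and the `**Vue**: Add Jest or Vitest via Vue CLI` bullet also still describe a Vue toolchain, which does not match the SvelteKit frontend the document names elsewhere; a SvelteKit project would use Vitest through its Vite config, not Vue CLI.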
@@ -163,3 +176,92 @@ MySQL database connection configured in `api/config/database.php`:
- **Frontend**: SvelteKit (NOT Vue.js 2) in `/partitions/`
- **Backend**: PHP API in `/api/`
- **Scores storage**: `/legacy/Scores/` (directory-based, not MySQL)
## Security Audit Commands
When modifying backend or frontend code, run these security audits:
### Backend Security Audit
```bash
# 1. Start the PHP server
cd api
php -S localhost:8000 router.php &
# 2. Clear rate limiting files (important!)
rm -f /tmp/rate_* 2>/dev/null
# 3. Run all security tests
php tests.php
# Expected: 50/50 tests passed (100%)
```
### Frontend Security Check
```bash
cd partitions
# 1. Check for security issues in dependencies
npm audit
# 2. Build and check for CSP violations
npm run build
# 3. Check that environment variables are configured
cp .env.example .env
# Edit .env and set VITE_API_URL to your backend URL
```
### Manual Security Verification
```bash
# Test JWT authentication
curl -s http://localhost:8000/login \
-X POST \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"password"}'
# Test CORS headers
curl -s -I http://localhost:8000/scores \
-H "Origin: https://evil.com"
# Test directory traversal protection
curl -s http://localhost:8000/download/../../../etc/passwd \
-H "Authorization: Bearer <token>"
# Expected: 403 or 404 (not 200)
# Test security headers
curl -s -I http://localhost:8000/login \
-X POST \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"password"}'
# Check for: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, HSTS
```
### Environment Setup for Security
**Backend (api/.env):**
```bash
JWT_SECRET=your_very_long_random_secret_key_here
```
**Frontend (partitions/.env):**
```bash
# Development
VITE_API_URL=http://localhost:8000
# Production (use HTTPS!)
VITE_API_URL=https://api.yourdomain.com
```
### Security Checklist Before Deployment
- [ ] JWT_SECRET is set and strong (use: `openssl rand -base64 32`)
- [ ] CORS origins are restricted to your domain only
- [ ] HTTPS is enforced in production
- [ ] Rate limiting is active
- [ ] All 50 tests pass
- [ ] npm audit shows no critical vulnerabilities
- [ ] CSP headers are configured
- [ ] No secrets in code or git history
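Review bot: the directory-traversal check under `### Manual Security Verification` does not exercise what it claims: `curl` squashes dot segments in the request path by default, so `curl -s http://localhost:8000/download/../../../etc/passwd` is sent to the server as `GET /etc/passwd` and never reaches the `/download` handler's path validation. Add `--path-as-is` to that invocation so the literal `../` segments arrive at the server, and note in the comment that a 404 from an unrelated route is not evidence the traversal guard works; the check should confirm the `/download` handler itself rejected the path. Two smaller points in the same hunk: the `# Check for: ... HSTS` comment follows a request to `http://localhost:8000`, where browsers ignore `Strict-Transport-Security` and many servers only emit it on HTTPS responses, so that check will report a false failure in the documented setup; and `X-XSS-Protection` is a legacy header that current browsers ignore and that the `CSP headers are configured` checklist item already supersedes, so listing it as a required header is misleading.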