feat: close 4 more security compliance gaps (46/63 OK, 73%)

Error-Page Headers (3.3.1.3.03 → OK): - Cache-Control no-store on ALL routes (API, auth, catch-all) Proactive Monitoring (3.2.1.04 → OK): - /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure Security Scanning (3.2.2.7 → improved): - /api/cron/security-audit: package version check against minimum safe versions Server Hardening (3.3.1.4 → OK): - docs/nginx-hardening.conf: complete template (rate limits, SSL, headers) Database Security (3.3.3 → OK): - docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4) Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 15:43:44 +01:00
parent 187c28e01e
commit cd0c2fe3e2
6 changed files with 484 additions and 11 deletions
@@ -0,0 +1,132 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@capakraken/db";
+import { createNotificationsForUsers } from "@capakraken/api";
+import { createConnection } from "net";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+const REDIS_URL = process.env["REDIS_URL"] ?? "redis://localhost:6380";
+
+async function checkPostgres(): Promise<{ status: "ok" | "error"; latencyMs: number }> {
+  const start = Date.now();
+  try {
+    await prisma.$queryRaw`SELECT 1`;
+    return { status: "ok", latencyMs: Date.now() - start };
+  } catch {
+    return { status: "error", latencyMs: Date.now() - start };
+  }
+}
+
+async function checkRedis(): Promise<{ status: "ok" | "error"; latencyMs: number }> {
+  const start = Date.now();
+  return new Promise((resolve) => {
+    try {
+      const url = new URL(REDIS_URL);
+      const host = url.hostname || "localhost";
+      const port = parseInt(url.port || "6379", 10);
+      const timeout = 3000;
+
+      const socket = createConnection({ host, port }, () => {
+        socket.write("*1\r\n$4\r\nPING\r\n");
+      });
+
+      socket.setTimeout(timeout);
+
+      socket.on("data", (data) => {
+        const response = data.toString();
+        socket.destroy();
+        resolve({
+          status: response.includes("PONG") ? "ok" : "error",
+          latencyMs: Date.now() - start,
+        });
+      });
+
+      socket.on("timeout", () => {
+        socket.destroy();
+        resolve({ status: "error", latencyMs: Date.now() - start });
+      });
+
+      socket.on("error", () => {
+        socket.destroy();
+        resolve({ status: "error", latencyMs: Date.now() - start });
+      });
+    } catch {
+      resolve({ status: "error", latencyMs: Date.now() - start });
+    }
+  });
+}
+
+/**
+ * GET /api/cron/health-check
+ *
+ * Self-health-check endpoint that verifies PostgreSQL and Redis connectivity.
+ * If any check fails, creates a CRITICAL notification for all ADMIN users.
+ *
+ * Protected by CRON_SECRET environment variable.
+ * When set, requests must include `Authorization: Bearer <secret>`.
+ */
+export async function GET(request: Request) {
+  const cronSecret = process.env["CRON_SECRET"];
+  if (cronSecret) {
+    const auth = request.headers.get("authorization");
+    if (auth !== `Bearer ${cronSecret}`) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+  }
+
+  try {
+    const [postgres, redis] = await Promise.all([
+      checkPostgres(),
+      checkRedis(),
+    ]);
+
+    const allHealthy = postgres.status === "ok" && redis.status === "ok";
+
+    // If any check fails, alert all ADMIN users
+    if (!allHealthy) {
+      const failedChecks: string[] = [];
+      if (postgres.status !== "ok") failedChecks.push("PostgreSQL");
+      if (redis.status !== "ok") failedChecks.push("Redis");
+
+      const adminUsers = await prisma.user.findMany({
+        where: { systemRole: "ADMIN" },
+        select: { id: true },
+      });
+
+      if (adminUsers.length > 0) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        await createNotificationsForUsers({
+          db: prisma as any,
+          userIds: adminUsers.map((u) => u.id),
+          type: "SYSTEM_ALERT",
+          title: "CRITICAL: Health Check Failed",
+          body: `The following services are unreachable: ${failedChecks.join(", ")}. Immediate attention required.`,
+          category: "system",
+          priority: "CRITICAL",
+          link: "/admin/settings",
+        });
+      }
+    }
+
+    return NextResponse.json(
+      {
+        ok: allHealthy,
+        checks: {
+          postgres: postgres.status,
+          postgresLatencyMs: postgres.latencyMs,
+          redis: redis.status,
+          redisLatencyMs: redis.latencyMs,
+        },
+        timestamp: new Date().toISOString(),
+      },
+      { status: allHealthy ? 200 : 503 },
+    );
+  } catch (error) {
+    console.error("[cron/health-check] Error:", error);
+    return NextResponse.json(
+      { ok: false, error: "Internal error" },
+      { status: 500 },
+    );
+  }
+}