Commit Graph

10 Commits

Author SHA1 Message Date
julien 21f3560e08 fix(config): fail fast at startup if SECRET env var is missing
A hardcoded fallback 'acapisecret' was silently used when SECRET was
not set, allowing JWT tokens to be forged by anyone knowing the default.
The app now throws at module load time if SECRET is absent.
2026-04-26 20:53:34 +02:00
julien 6245d1eabd fix(auth): replace fixed-salt bcrypt with HMAC-SHA256 for API key hashing
bcrypt with a fixed salt is deterministic but defeats the purpose of
bcrypt salting. API keys are high-entropy UUIDs (128 bits), making
brute-force resistance unnecessary — HMAC-SHA256 with the app secret
is the correct primitive for deterministic, secure key hashing.

Also fixes application.author.id → application.authorId in the API key
auth path, which was silently setting req.payload.id to undefined.
2026-04-26 20:31:06 +02:00
julien b3a31e4725 feat(auth): migrate Application model from MongoDB to MySQL
- Add Sequelize migration creating the 'application' table
- Add Application Sequelize model with slugify, toJSONFor, toAuthJSON
- Rewrite passport-headerapikey strategy to use DB.Application
- Rewrite applications.routes.js to use Sequelize (findAll, count,
  build/save, destroy) instead of Mongoose
- Fix pre-existing bug: passport was querying { encryptedKey } but the
  stored field is named 'apikey'
- Add Application to MySQL models index and relationships
- Remove Application from Mongoose models index and delete the schema
2026-04-26 18:26:58 +02:00
julien 66821427be fix(skydive): migrate author field from ObjectId to UUID string
- Register SkydiverProfile model in mysql.js (fixes startup crash on association)
- Replace $toObjectId with direct string match in all 12 aggregation queries
- Guard toJSONFor on all Mongo models to fall back to MySQL user.toProfileJSONFor()
  when author is a UUID string (restores username/image in API responses)
- Pass user to toJSONFor() everywhere instead of null
- Remove dead .populate('author') calls (author: String has no ref)
- Fix ownership check in /last route: compare author string to req.payload.id
  instead of the now-absent author.username property
2026-04-26 04:27:47 +02:00
julien fe1bcc0ff7 Adding Swagger 2026-03-29 23:56:11 +02:00
Rampeur b1513dccdd Mise à jour de controleurs, models et routes 2025-08-19 05:13:24 +02:00
Rampeur 10013e1de8 Mise à jour des .env 2025-08-15 23:24:41 +02:00
Rampeur f211bc4b5b Refactoring 2025-08-15 20:32:33 +02:00
Rampeur 5d361da628 Réorganisation des sources 2025-08-15 19:39:35 +02:00
Rampeur ea2d177c4c Réorganisation des sources 2025-08-15 17:29:23 +02:00