docs(audit): align documentation with post-remediation backend reality
- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
@@ -176,12 +176,13 @@ See [[Environment Variables]] for the catalog.
## 9. Rate limiting & abuse
- Backend has `express-rate-limit` ready but currently disabled (`app.ts:227`).
- Recommended pre-launch settings:
- `/api/auth/*` — 10 req / 5 min / IP
- `/api/auth/login` — 5 req / 5 min / IP **and** /email
- global API — 100 req / 15 min / IP (current default constants)
- Counters stored in Redis when enabled.
- Rate limiting is **enabled** as of 2026-05-24 (`app.ts`).
- Active tiers:
- `/api/auth/*` — 10 req / 15 min / IP
- `/api/payment/*` — 30 req / 15 min / IP
- `/api/ai/*` — 20 req / 15 min / IP
- global API — 100 req / 15 min / IP (skips `/health` and Request-Network webhooks)
- Counters are in-memory (Redis adapter planned for distributed deploys).
- For chat and notifications, debounce at the client to avoid spamming legitimate emits.
---
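Review bot: the per-account login limiter (`/api/auth/login` at 5 req / 5 min per IP and per email) disappears from the documented tiers in this hunk, and every tier in the replacement list is keyed on IP only; the doc should either state that a per-email login limit still exists in the backend or flag its absence as an open item, because a per-IP limit alone does not bound attempts against a single account. The in-memory counter line should also spell out that the figures are per process: behind a load balancer each replica keeps its own counters, so the effective ceiling is the stated limit multiplied by the replica count until the Redis adapter lands. The exemption for Request-Network webhooks deserves a sentence on what protects that route instead (webhook signature verification, if the backend performs it), otherwise a reader will take it for an unprotected endpoint.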
@@ -206,7 +207,8 @@ The codebase currently uses `morgan` (HTTP access logs) and ad-hoc `logger.info/
## 12. Hardening checklist (pre-launch)
- [ ] Enable rate-limit middleware
- [x] Enable rate-limit middleware (done 2026-05-24)
- [x] Enforce Socket.IO JWT authentication (done 2026-05-24)
- [ ] Promote refresh tokens to `httpOnly` cookies
- [ ] Replace `localhost` passkey RP ID with production domain
- [ ] Disable `NEXT_PUBLIC_IS_DEVELOPMENT=true` and `ENABLE_DEBUG=true` in prod build
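Review bot: the two items ticked in this hunk record a date but not where the behaviour is specified; link the rate-limit line to section 9 and the Socket.IO line to the section that describes the handshake check, so a reader can verify the claim instead of trusting the checkbox. The three items left open are all production-blocking and the list should say so: refresh tokens that remain readable from JavaScript stay exposed to any XSS until the `httpOnly` cookie change ships; a `localhost` passkey RP ID means credentials enrolled in development cannot be used on the production origin, since WebAuthn binds the RP ID to the site's domain, so the real domain must be in place before users enrol; and the `NEXT_PUBLIC_IS_DEVELOPMENT` / `ENABLE_DEBUG` item is better enforced by a build-time check that fails the production build than by a manual checkbox.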