fix(api): enforce account status per request, rate-limit auth, run tests in CI#48
Merged
aykhan019 merged 1 commit on May 31, 2026
…sts in CI
- Banned/soft-deleted access window (BE-1): JwtAuthGuard now re-loads the account on every request and rejects banned or soft-deleted users, so a still-valid access token can no longer outlive a ban/delete. Identity (including role) is read fresh from the DB rather than the token payload.
- Rate limiting (BE-2): add @nestjs/throttler (global 100/min, with 5/min on register, 10/min on login, 30/min on refresh) and helmet security headers.
- Email conflict 500 (BE-3): catch the Prisma unique-email violation (P2002) on register and profile update and return 409 EMAIL_TAKEN. findUserByEmail filters out soft-deleted/banned rows, so a soft-deleted account's email slipped past the pre-check and hit the DB constraint as an opaque 500.
- CI: add a Test step so the vitest suite (~295 tests across api/web/db) actually runs; CI provisioned Postgres and test env but never ran tests.
@fateh-mammadli is attempting to deploy a commit to the Aykhan's projects Team on Vercel. A member of the Team first needs to authorize it.
Why
Four related backend/CI gaps surfaced in review.
What changed
- JwtAuthGuard only verified the JWT signature, so a banned or self-deleted user kept full API access until their access token expired (~15 min); banning/deleting only revoked refresh tokens. The guard now re-loads the account on every request (findUserById, which filters deletedAt/bannedAt) and rejects it if it's gone. Identity — including role — is now read fresh from the DB, so a revoked admin role also takes effect immediately.
- @nestjs/throttler (global 100/min, with 5/min register, 10/min login, 30/min refresh) and helmet security headers. This bounds brute-force/credential-stuffing and the unbounded audit_log growth from failed logins.
- findUserByEmail excludes soft-deleted/banned rows, so re-registering (or switching to) a soft-deleted account's email slipped past the existence check and hit the unique constraint as an opaque 500. Now the Prisma P2002 is caught on register and profile update and returned as 409 EMAIL_TAKEN.
- Test step running pnpm test.
Verification
- pnpm typecheck clean across all workspaces.
- pnpm test — 295 passing (api 162 incl. a new guard ban-rejection test, web 61, db 72).
- eslint clean on changed files.
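The two checks the description above relies on, the guard re-loading the account on every request instead of trusting the token payload, and the P2002 mapping to 409 EMAIL_TAKEN, as an added TypeScript example that is not the PR's or the project's own code. makeFindUserById, authorizeRequest, mapUniqueEmailViolation and the sample accounts are illustrative stand-ins for the NestJS/Prisma pieces, and the example assumes Prisma reports the violated columns of a P2002 error in meta.target.

```typescript
type Role = "user" | "admin";
// Verified JWT payload. `role` is whatever was true when the token was minted,
// which is exactly why the guard must not trust it.
interface AccessTokenPayload { sub: string; role: Role; }
// Account row; findUserById in the PR hides rows with deletedAt/bannedAt set.
interface AccountRecord {
  id: string; email: string; role: Role;
  deletedAt: Date | null; bannedAt: Date | null;
}
class AuthError extends Error {
  code: string;
  constructor(code: string) { super(code); this.code = code; }
}

// In-memory stand-in for findUserById (hypothetical; a Prisma query in the app):
// a soft-deleted or banned row is reported as absent.
function makeFindUserById(rows: AccountRecord[]) {
  const byId = new Map(rows.map((r): [string, AccountRecord] => [r.id, r]));
  return (id: string): AccountRecord | null => {
    const row = byId.get(id);
    return row && row.deletedAt === null && row.bannedAt === null ? row : null;
  };
}

// The guard's post-signature step: reload the account on every request and
// build the request identity from the DB row, never from the token payload.
function authorizeRequest(
  payload: AccessTokenPayload,
  findUserById: (id: string) => AccountRecord | null,
) {
  const account = findUserById(payload.sub);
  if (!account) throw new AuthError("ACCOUNT_UNAVAILABLE"); // banned, deleted or unknown
  return { userId: account.id, email: account.email, role: account.role };
}

// Register/profile-update error mapping: Prisma's P2002 on the email column
// becomes 409 EMAIL_TAKEN; anything else is left for the generic handler.
function mapUniqueEmailViolation(err: unknown): { status: number; code: string } | null {
  const e = err as { code?: string; meta?: { target?: unknown } };
  const target = e?.meta?.target;
  const onEmail = Array.isArray(target) ? target.includes("email") : target === "email";
  return e?.code === "P2002" && onEmail ? { status: 409, code: "EMAIL_TAKEN" } : null;
}

// Constructed sample accounts: u2 is banned, u3 is a user whose old token still claims admin.
const SAMPLE_ACCOUNTS: AccountRecord[] = [
  { id: "u1", email: "alice@example.com", role: "user", deletedAt: null, bannedAt: null },
  { id: "u2", email: "bob@example.com", role: "user", deletedAt: null, bannedAt: new Date() },
  { id: "u3", email: "carol@example.com", role: "user", deletedAt: null, bannedAt: null },
];
```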