fix(security): harden authentication, add rate limiting, CSRF, input validation

.github/workflows/ci.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [main, develop]
 
+env:
+  BUN_VERSION: "1.3.10"
+
 jobs:
   test:
     name: Test
@@ -15,7 +18,8 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: latest
+          bun-version: ${{ env.BUN_VERSION }}
+          cache: true
 
       - name: Install dependencies
         run: bun install --frozen-lockfile
@@ -36,7 +40,8 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: latest
+          bun-version: ${{ env.BUN_VERSION }}
+          cache: true
 
       - name: Install dependencies
         run: bun install --frozen-lockfile
@@ -54,7 +59,8 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: latest
+          bun-version: ${{ env.BUN_VERSION }}
+          cache: true
 
       - name: Install dependencies
         run: bun install --frozen-lockfile

Dockerfile.project

@@ -15,7 +15,7 @@
 # ----------------------------------------------------------------------------
 # Stage 1: Base
 # ----------------------------------------------------------------------------
-FROM oven/bun:1.3.9-debian AS base
+FROM oven/bun@sha256:5ee6c5be4575d5ba079b5a9afb24d4600f75ccb1a92602f079ee99560b9dcee9 AS base
 
 LABEL maintainer="Betterbase Team"
 LABEL description="Betterbase Project - AI-Native Backend Platform"
@@ -54,14 +54,10 @@ RUN bun install --frozen-lockfile
 # ----------------------------------------------------------------------------
 # Stage 3: Builder
 # ----------------------------------------------------------------------------
-FROM base AS builder
+FROM deps AS builder
 
 WORKDIR /app
 
-# Copy lockfile and install all dependencies
-COPY package.json bun.lock ./
-RUN bun install --frozen-lockfile
-
 # Copy source code
 COPY . .
 

apps/dashboard/src/components/auth/SetupGuard.tsx

@@ -1,22 +1,15 @@
 import { useEffect, useState } from "react";
 import { useNavigate } from "react-router";
+import { checkSetup } from "../lib/api";
 
 export function SetupGuard({ children }: { children: React.ReactNode }) {
 	const navigate = useNavigate();
 	const [checking, setChecking] = useState(true);
 
 	useEffect(() => {
-		// Try hitting /admin/auth/setup without a token.
-		// If setup is complete, login page is appropriate.
-		// If setup is not done, /admin/auth/setup returns 201, not 410.
-		fetch(`${import.meta.env.VITE_API_URL ?? "http://localhost:3001"}/admin/auth/setup`, {
-			method: "POST",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ _check: true }), // Will fail validation but we only care about 410
-		})
-			.then((res) => {
-				if (res.status === 410) {
-					// Setup complete — redirect to login
+		checkSetup()
+			.then((isSetup) => {
+				if (isSetup) {
 					navigate("/login", { replace: true });
 				}
 				setChecking(false);

apps/dashboard/src/lib/api.ts

@@ -1,4 +1,4 @@
-const API_BASE = import.meta.env.VITE_API_URL ?? "http://localhost:3001";
+const API_BASE = import.meta.env.VITE_API_URL;
 
 export class ApiError extends Error {
 	constructor(
@@ -94,3 +94,10 @@ export const api = {
 		return res.blob();
 	},
 };
+
+export async function checkSetup(): Promise<boolean> {
+	const res = await fetch(`${API_BASE}/admin/auth/setup/check`, {
+		method: "GET",
+	});
+	return res.status !== 410;
+}

apps/dashboard/src/vite-env.d.ts

@@ -1,7 +1,7 @@
 /// <reference types="vite/client" />
 
 interface ImportMetaEnv {
-	readonly VITE_API_URL?: string;
+	readonly VITE_API_URL: string;
 }
 
 interface ImportMeta {

docker-compose.dev.yml

@@ -1,5 +1,3 @@
-version: "3.9"
-
 # Local development: runs Inngest dev server only.
 # BetterBase server runs outside Docker via: bun run dev
 #

docker-compose.self-hosted.yml

@@ -148,7 +148,7 @@ services:
     volumes:
       - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
     healthcheck:
-      test: ["CMD", "nginx", "-t"]
+      test: ["CMD", "wget", "-qO-", "http://localhost/health"]
       interval: 30s
       timeout: 10s
       retries: 3

docker-compose.yml

@@ -31,13 +31,14 @@ services:
 
   # MinIO (S3-compatible storage)
   minio:
-    image: minio/minio:latest
+    image: bitnami/minio:2025.1.16
     container_name: betterbase-minio-local
     restart: unless-stopped
     command: server /data --console-address ":9001"
     environment:
       MINIO_ROOT_USER: ${MINIO_ROOT_USER:-betterbase}
       MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-betterbase_dev_password}
+      MINIO_DATA_DIR: /data
     ports:
       - "9000:9000"
       - "9001:9001"
@@ -51,7 +52,7 @@ services:
 
   # MinIO Init (Create bucket on startup)
   minio-init:
-    image: minio/mc:latest
+    image: minio/mc:RELEASE.2025-08-13T08-35-41Z
     container_name: betterbase-minio-init-local
     depends_on:
       minio:

packages/cli/src/index.ts

@@ -1,5 +1,5 @@
-import { Command, CommanderError } from "commander";
 import chalk from "chalk";
+import { Command, CommanderError } from "commander";
 import packageJson from "../package.json";
 import { runAuthAddProviderCommand, runAuthSetupCommand } from "./commands/auth";
 import { runBranchCommand } from "./commands/branch";
@@ -29,13 +29,24 @@ import { runWebhookCommand } from "./commands/webhook";
 import * as logger from "./utils/logger";
 
 // Commands that don't require authentication
-const PUBLIC_COMMANDS = ["login", "logout", "version", "help", "init"];
+const PUBLIC_COMMANDS = [
+	"login",
+	"logout",
+	"version",
+	"help",
+	"init",
+	"--version",
+	"-v",
+	"--help",
+	"-h",
+	"-V",
+];
 
 /**
  * Check if the user is authenticated before running a command.
  */
-async function checkAuthHook(): Promise<void> {
-	const commandName = process.argv[2];
+async function checkAuthHook(this: Command, actionCommand?: Command): Promise<void> {
+	const commandName = actionCommand?.name() ?? this.args?.[0] ?? process.argv[2] ?? "";
 
 	// Skip auth check for public commands
 	if (PUBLIC_COMMANDS.includes(commandName)) {
@@ -120,7 +131,7 @@ export function createProgram(): Command {
 		.description("Initialize a BetterBase project with BetterBase template (betterbase/ functions)")
 		.option("--no-iac", "Use interactive mode instead of BetterBase template (for legacy projects)")
 		.argument("[project-name]", "project name")
-		.action(async (options: { iac?: boolean }, projectName?: string) => {
+		.action(async (projectName: string | undefined, options: { iac?: boolean }) => {
 			await runInitCommand({ projectName, ...options });
 		});
 
@@ -476,9 +487,10 @@ export function createProgram(): Command {
 		.argument("<name>", "function name")
 		.option("--sync-env", "Sync environment variables from .env")
 		.argument("[project-root]", "project root directory", process.cwd())
-		.action(async (name: string, options: { syncEnv?: boolean; projectRoot?: string }) => {
-			const projectRoot = options.projectRoot ?? process.cwd();
-			await runFunctionCommand(["deploy", name, options.syncEnv ? "--sync-env" : ""], projectRoot);
+		.action(async (name: string, projectRootArg: string, options: { syncEnv?: boolean }) => {
+			const args = ["deploy", name];
+			if (options.syncEnv) args.push("--sync-env");
+			await runFunctionCommand(args, projectRootArg);
 		});
 
 	// ── bb login — STAGED FOR ACTIVATION ────────────────────────────────────────
@@ -541,9 +553,8 @@ export function createProgram(): Command {
 		});
 
 	branch
-		.argument("[project-root]", "project root directory", process.cwd())
 		.option("-p, --project-root <path>", "project root directory", process.cwd())
-		.action(async (options) => {
+		.action(async (options: { projectRoot?: string }) => {
 			const projectRoot = options.projectRoot || process.cwd();
 			await runBranchCommand([], projectRoot);
 		});

packages/client/src/iac/provider.tsx

@@ -25,32 +25,62 @@ export function BetterbaseProvider({
 	const [wsReady, setWsReady] = React.useState(false);
 
 	useEffect(() => {
-		const wsUrl = `${config.url.replace(/^http/, "ws")}/betterbase/ws?project=${config.projectSlug ?? "default"}`;
-		const ws = new WebSocket(wsUrl);
+		let timeoutId: ReturnType<typeof setTimeout> | null = null;
+		let isCleaned = false;
+		let reconnectDelayMs = 3_000;
+		const maxReconnectDelayMs = 30_000;
 
-		ws.onopen = () => {
-			setWsReady(true);
-		};
-		ws.onclose = () => {
+		function connect() {
+			if (isCleaned) return;
 			setWsReady(false);
-			// Reconnect after 3 seconds
-			setTimeout(() => {
-				wsRef.current = new WebSocket(wsUrl);
-			}, 3_000);
-		};
+			const baseUrl = config.url.replace(/^http/, "ws");
+			const projectPart = `project=${config.projectSlug ?? "default"}`;
+			let wsUrl = `${baseUrl}/betterbase/ws?${projectPart}`;
 
-		wsRef.current = ws;
+			const token = config.getToken?.();
+			if (token) {
+				wsUrl += `&token=${encodeURIComponent(token)}`;
+			}
 
-		// Handle pings
-		ws.onmessage = (event) => {
-			const msg = JSON.parse(event.data);
-			if (msg.type === "ping") ws.send(JSON.stringify({ type: "pong" }));
-		};
+			const ws = new WebSocket(wsUrl);
+			wsRef.current = ws;
+
+			ws.onopen = () => {
+				if (!isCleaned) {
+					setWsReady(true);
+					reconnectDelayMs = 3_000;
+				}
+			};
+			ws.onerror = (err) => {
+				if (isCleaned) return;
+				console.error("WebSocket error", err);
+			};
+			ws.onclose = () => {
+				if (isCleaned) return;
+				wsRef.current = null;
+				timeoutId = setTimeout(connect, reconnectDelayMs);
+				reconnectDelayMs = Math.min(reconnectDelayMs * 2, maxReconnectDelayMs);
+			};
+
+			ws.onmessage = (event) => {
+				try {
+					const msg = JSON.parse(event.data);
+					if (msg.type === "ping") ws.send(JSON.stringify({ type: "pong" }));
+				} catch {
+					return;
+				}
+			};
+		}
+
+		connect();
 
 		return () => {
-			ws.close();
+			isCleaned = true;
+			setWsReady(false);
+			if (timeoutId !== null) clearTimeout(timeoutId);
+			wsRef.current?.close();
 		};
-	}, [config.url, config.projectSlug]);
+	}, [config.url, config.projectSlug, config.getToken]);
 
 	return (
 		<BetterBaseContext.Provider