fix(security): resolve multiple security vulnerabilities #13

Merged
itsbkm merged 5 commits into FreeOpenSourcePOS:main from ARCHITVARMA15:main on Jul 1, 2026

Conversation

ARCHITVARMA15 (Contributor) commented Jul 1, 2026

Summary

This PR addresses multiple security vulnerabilities identified in the FloCafe codebase.


Changes

Issue – JWT Secret Hardcoded

  • JWT secret is now generated randomly on first launch and stored in the settings table
  • Falls back to process.env.JWT_SECRET if set
  • Caches in memory to avoid repeated DB reads

Issue – Role Enforcement via Spoofable Header

  • main/routes/order-items.ts: Removed trust of x-user-role header
  • Role is now decoded directly from the verified JWT token

Issue – Sensitive Keys Exposed in Settings Dump

  • main/routes/settings.ts: Added SENSITIVE_KEYS blocklist on GET /settings
  • Sensitive keys (jwt_secret, pin, password, token, etc.) are filtered from the dump

Issue – Settings Wildcard PUT Allows Any Key

  • main/routes/settings.ts: Added ALLOWED_WILDCARD_KEYS allowlist
  • Only explicitly permitted non-sensitive settings can be updated via wildcard PUT /:key

Issue – KDS WebSocket Has No Authentication

  • main/services/kds.ts: WebSocket messages now require authentication before processing
  • Unauthenticated clients are rejected

Issue – CORS Allows All Origins

  • main/server.ts: CORS is now restricted to localhost and private LAN IPs only
  • External origins are blocked

Issue – No Content Security Policy

  • main/server.ts: Added CSP headers blocking eval, remote scripts, and framing

Issue – No Global Rate Limiting + PIN Stored in Plaintext

Rate Limiting:

  • New file: main/middleware/security.ts with in-memory rateLimit middleware
  • Applied globally to /api/* on both the main server (port 3001) and KDS server (port 3002)
  • Limit: 100 requests/minute per IP

PIN Hashing:

  • pin_hash column added to users table (non-destructive migration v2)
  • Migration v2 hashes any existing plaintext PINs and clears the pin column
  • main/routes/staff.ts: PINs are now hashed with bcrypt before storage; pin_hash is returned instead of plaintext pin
  • main/ipc.ts: create-user and update-user IPC handlers now write to pin_hash
  • Added verifyPin() helper in main/db.ts for bcrypt-based PIN verification

Issues Skipped

  • thermal.ts:111 — macOS execSync with printer name interpolation. Use execFileSync with args.
  • ipc.ts:124 — set-setting IPC has no allowlist (you know this one — you fixed HTTP but not IPC).
    — deferred, requires printer hardware knowledge

Notes

  • No default credentials were removed (intentional — deferred)
  • All changes are non-destructive (database migration uses ALTER TABLE ADD COLUMN)
  • npm run build passes with no TypeScript errors

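The settings blocklist, wildcard-PUT allowlist and per-IP rate limiter that the description above lists, written here as an added example in plain TypeScript (not the PR's own code); the key names, the substring-matching approach and the window size are assumptions, not values taken from the FloCafe repository.

```typescript
// Added example, not FloCafe's own code: the GET /settings blocklist, the wildcard
// PUT /:key allowlist and the per-IP rate limiter the PR describes, as plain functions.
// Key names and the window size are assumptions, not values from the project.
const SENSITIVE_KEYS = ["jwt_secret", "pin", "password", "token", "secret"];
const ALLOWED_WILDCARD_KEYS = new Set(["store_name", "currency", "receipt_footer"]);

export function isSensitiveKey(key: string): boolean {
  // Substring match over-blocks on purpose ("shipping_note" contains "pin"):
  // for a read-side filter, hiding too much is the safe failure mode.
  const k = key.toLowerCase();
  return SENSITIVE_KEYS.some((s) => k.includes(s));
}

// GET /settings: strip sensitive keys from the dump before it leaves the server.
export function filterSettingsDump(settings: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(settings)) if (!isSensitiveKey(k)) out[k] = v;
  return out;
}

// PUT /:key: an allowlist rejects unknown keys even when they do not look sensitive.
export function canUpdateViaWildcard(key: string): boolean {
  return ALLOWED_WILDCARD_KEYS.has(key) && !isSensitiveKey(key);
}

// Fixed-window limiter keyed by client IP (100 requests per minute by default).
export class RateLimiter {
  private readonly windows = new Map<string, { start: number; count: number }>();
  private readonly limit: number;
  private readonly windowMs: number;
  constructor(limit = 100, windowMs = 60_000) { this.limit = limit; this.windowMs = windowMs; }
  // True if the request may proceed; `now` is injectable so the window logic is testable.
  allow(ip: string, now: number = Date.now()): boolean {
    const w = this.windows.get(ip);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(ip, { start: now, count: 1 });
      return true;
    }
    if (w.count >= this.limit) return false; // over limit: caller answers 429
    w.count += 1;
    return true;
  }
}
```

A middleware wrapper would call `allow(req.ip)` and respond 429 on `false`; the counters live in process memory, so they reset on restart and are not shared between the main and KDS servers.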
itsbkm merged commit 508a37d into FreeOpenSourcePOS:main on Jul 1, 2026
5 of 6 checks passed
khaira777 changed the title from "fix(security): resolve multiple security vulnerabilities (Issues #1–7, #10)" to "fix(security): resolve multiple security vulnerabilities" on Jul 1, 2026