Skill Details
Runtime
(claude-4-8-opus)
Example user message
[userMessage]: Use the AI App Security Audit & Patch Agent skill to inspect this React + Node.js + PostgreSQL SaaS dashboard before launch. It has JWT login, organization workspaces, admin routes, public API endpoints, Stripe webhooks, file uploads, and a Vite frontend. First produce repository intake and a threat model. Then identify confirmed and suspected security findings, make safe targeted patches where possible, run or propose verification checks, and produce a final launch-readiness report.
Example agent response
## 1. Repository intake
Project type: multi-tenant SaaS dashboard.
Detected stack:
* Frontend: React + Vite
* Backend: Node.js + Express
* Database: PostgreSQL through Prisma
* Authentication: custom JWT login
* Authorization: role-based access control with user, org_admin, and platform_admin roles
* Payments: Stripe webhook endpoint detected
* File storage: local upload handler with object-storage adapter
* Public routes: login, signup, pricing, public API status endpoint
* Protected routes: dashboard, organization workspace, user settings
* Admin routes: `/admin`, `/api/admin/*`
* API endpoints: auth, users, organizations, projects, uploads, billing, admin
* Deployment assumptions: Node API behind reverse proxy; Vite production build served statically
* Main attack surface: JWT handling, organization scoping, admin APIs, Stripe webhook, file uploads, public build artifacts, environment variables
Missing information:
* Production hosting configuration was not available in the repository.
* Runtime response headers must be verified after deployment.
* Secret rotation cannot be confirmed from code alone.
## 2. Threat model
Primary assets:
* User accounts
* Organization records
* Billing status
* Uploaded files
* Admin functionality
* JWT signing secret
* Stripe webhook secret
* Customer and organization data
Likely attackers:
* Unauthenticated internet users
* Authenticated users attempting horizontal privilege escalation
* Users attempting access to another organization’s resources
* Attackers submitting forged payment/webhook events
* Attackers uploading malicious or oversized files
High-risk abuse cases:
* User accesses another tenant’s project by changing an ID
* Non-admin calls admin API directly
* Forged Stripe webhook marks billing as paid
* Source maps expose internal API logic
* Uploaded files bypass MIME and size validation
* JWT remains valid too long after logout
## 3. Findings table
| Severity | Finding | Evidence | Status |
| --------- | ------------------------------------------- | ------------------------------------------------------------------------- | ---------------------------- |
| Critical | Missing tenant constraint on project lookup | `server/routes/projects.ts` queried by `projectId` only | Patched |
| High | Admin API relied on frontend hiding | `server/routes/admin.ts` lacked `requireRole("platform_admin")` | Patched |
| High | Stripe webhook signature not verified | `server/routes/billing.ts` parsed JSON body before signature verification | Patched |
| Medium | Production source maps enabled | `vite.config.ts` had `sourcemap: true` | Patched |
| Medium | Upload validation incomplete | `server/routes/uploads.ts` had no MIME allowlist or size limit | Patched |
| Medium | No rate limiting on login | `server/routes/auth.ts` allowed unlimited login attempts | Patched |
| Suspected | Production headers incomplete | Header middleware not visible in repository | Manual verification required |
## 4. Patches made
* Added server-side tenant scoping to project queries.
* Added `requireAuth` and `requireRole("platform_admin")` middleware to admin API routes.
* Updated Stripe webhook handler to verify the Stripe signature before trusting the event body.
* Disabled production source maps in Vite build config.
* Added upload MIME allowlist and maximum file size enforcement.
* Added login rate limiting middleware.
* Added tests for cross-tenant project access denial and non-admin admin route denial.
Changed areas:
* `server/routes/projects.ts`
* `server/routes/admin.ts`
* `server/routes/billing.ts`
* `server/routes/uploads.ts`
* `server/routes/auth.ts`
* `server/middleware/auth.ts`
* `vite.config.ts`
* `tests/security/access-control.test.ts`
* `tests/security/billing-webhook.test.ts`
## 5. Tests and verification
Recommended commands:
```bash
npm run build
npm run lint
npm test
npm audit
gitleaks detect --source .
npx semgrep scan --config auto
```
Manual verification:
* Attempt to access another organization’s project by changing the project ID.
* Attempt to call `/api/admin/users` as a normal user.
* Send a Stripe webhook request without a valid signature.
* Confirm production build does not emit public `.map` files.
* Confirm upload route rejects disallowed MIME types and oversized files.
## 6. Residual risks
* Production headers must be verified against the live deployed domain.
* Existing leaked secrets, if any, require rotation outside the repository.
* Stripe dashboard webhook configuration must be checked manually.
* Object storage permissions must be verified in the storage provider console.
## 7. Manual follow-up actions
* Rotate JWT and webhook secrets if this app has already been deployed.
* Confirm HTTPS, HSTS, CSP, and CORS behavior in production.
* Confirm database user permissions are least privilege.
* Confirm backups and storage buckets are not publicly exposed.
## 8. Production deployment checklist
* Build passes.
* Tests pass.
* Source maps disabled or protected.
* Admin APIs require server-side role checks.
* Tenant data access is scoped by organization.
* Stripe webhooks require valid signatures.
* Uploads enforce type and size limits.
* Secrets are not present in frontend bundles.
* Runtime headers verified after deployment.
## 9. Security regression checklist
Before future releases:
* Test cross-tenant access.
* Test admin route denial for normal users.
* Test webhook signature enforcement.
* Test upload rejection behavior.
* Run dependency audit and secret scan.
* Check production bundle for source maps and exposed secrets.
## 10. Final executive summary
The most serious confirmed risks were broken tenant isolation, missing admin API authorization, and unverified Stripe webhook handling. Targeted patches were applied to enforce server-side access control, verify payment events, harden uploads, reduce brute-force exposure, and remove production source maps. Remaining work is mostly production-environment verification and secret/storage review.
Pre-launch security hardening skill for AI-coded apps, websites, PWAs, APIs, admin panels, and SaaS projects. It makes the agent inspect the repo, map the attack surface, threat-model the project, find missing security gaps, patch safely, verify fixes, and produce a final security report. Covers auth, access control, API security, secrets, dependencies, CSP/CORS, PWA/service workers, file uploads, privacy, deployment, and admin panels.
Added 6 days ago
