Horux360

consultoria-as/Horux360

Fork 0

Commit Graph

Author	SHA1	Message	Date
Consultoria AS	351b14a78c	security: comprehensive security audit and remediation (20 fixes) CRITICAL fixes: - Restrict X-View-Tenant impersonation to global admin only (was any admin) - Add authorization to subscription endpoints (was open to any user) - Make webhook signature verification mandatory (was skippable) - Remove databaseName from JWT payload (resolve server-side with cache) - Reduce body size limit from 1GB to 10MB (50MB for bulk CFDI) - Restrict .env file permissions to 600 HIGH fixes: - Add authorization to SAT cron endpoints (global admin only) - Add Content-Security-Policy and Permissions-Policy headers - Centralize isGlobalAdmin() utility with caching - Add rate limiting on auth endpoints (express-rate-limit) - Require authentication on logout endpoint MEDIUM fixes: - Replace Math.random() with crypto.randomBytes for temp passwords - Remove console.log of temporary passwords in production - Remove DB credentials from admin notification email - Add escapeHtml() to email templates (prevent HTML injection) - Add file size validation on FIEL upload (50KB max) - Require TLS for SMTP connections - Normalize email to lowercase before uniqueness check - Remove hardcoded default for FIEL_ENCRYPTION_KEY Also includes: - Complete production deployment documentation - API reference documentation - Security audit report with remediation details - Updated README with v0.5.0 changelog - New client admin email template - Utility scripts (create-carlos, test-emails) - PM2 ecosystem config updates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-18 22:32:04 +00:00
Consultoria AS	c3ce7199af	feat: bulk XML upload, period selector, and session persistence - Add bulk XML CFDI upload support (up to 300MB) - Add period selector component for month/year navigation - Fix session persistence on page refresh (Zustand hydration) - Fix income/expense classification based on tenant RFC - Fix IVA calculation from XML (correct Impuestos element) - Add error handling to reportes page - Support multiple CORS origins - Update reportes service with proper Decimal/BigInt handling - Add RFC to tenant view store for proper CFDI classification - Update README with changelog and new features Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-22 06:51:53 +00:00
Consultoria AS	e0c97cb3b6	Initial commit: Horux360 SaaS design documentation - Complete design document with architecture, data models, and API specs - Database schema (Prisma) for multi-tenant PostgreSQL - README with project overview and plans - Support for 4 visual themes (Light, Vibrant, Corporate, Dark) - Comprehensive module specifications: - Dashboard with KPIs - CFDI management - IVA/ISR tax control - Bank reconciliation - Fiscal calendar - User management with roles Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-22 01:28:58 +00:00

Author

SHA1

Message

Date

Consultoria AS

351b14a78c

security: comprehensive security audit and remediation (20 fixes)

CRITICAL fixes:
- Restrict X-View-Tenant impersonation to global admin only (was any admin)
- Add authorization to subscription endpoints (was open to any user)
- Make webhook signature verification mandatory (was skippable)
- Remove databaseName from JWT payload (resolve server-side with cache)
- Reduce body size limit from 1GB to 10MB (50MB for bulk CFDI)
- Restrict .env file permissions to 600

HIGH fixes:
- Add authorization to SAT cron endpoints (global admin only)
- Add Content-Security-Policy and Permissions-Policy headers
- Centralize isGlobalAdmin() utility with caching
- Add rate limiting on auth endpoints (express-rate-limit)
- Require authentication on logout endpoint

MEDIUM fixes:
- Replace Math.random() with crypto.randomBytes for temp passwords
- Remove console.log of temporary passwords in production
- Remove DB credentials from admin notification email
- Add escapeHtml() to email templates (prevent HTML injection)
- Add file size validation on FIEL upload (50KB max)
- Require TLS for SMTP connections
- Normalize email to lowercase before uniqueness check
- Remove hardcoded default for FIEL_ENCRYPTION_KEY

Also includes:
- Complete production deployment documentation
- API reference documentation
- Security audit report with remediation details
- Updated README with v0.5.0 changelog
- New client admin email template
- Utility scripts (create-carlos, test-emails)
- PM2 ecosystem config updates

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-18 22:32:04 +00:00

Consultoria AS

c3ce7199af

feat: bulk XML upload, period selector, and session persistence

- Add bulk XML CFDI upload support (up to 300MB)
- Add period selector component for month/year navigation
- Fix session persistence on page refresh (Zustand hydration)
- Fix income/expense classification based on tenant RFC
- Fix IVA calculation from XML (correct Impuestos element)
- Add error handling to reportes page
- Support multiple CORS origins
- Update reportes service with proper Decimal/BigInt handling
- Add RFC to tenant view store for proper CFDI classification
- Update README with changelog and new features

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-22 06:51:53 +00:00

Consultoria AS

e0c97cb3b6

Initial commit: Horux360 SaaS design documentation

- Complete design document with architecture, data models, and API specs
- Database schema (Prisma) for multi-tenant PostgreSQL
- README with project overview and plans
- Support for 4 visual themes (Light, Vibrant, Corporate, Dark)
- Comprehensive module specifications:
  - Dashboard with KPIs
  - CFDI management
  - IVA/ISR tax control
  - Bank reconciliation
  - Fiscal calendar
  - User management with roles

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-22 01:28:58 +00:00

3 Commits