Production hardening: security, resilience, observability, and compliance
Password complexity: custom validator requiring uppercase, lowercase, digit (min 8 chars)
Token expiry: 90-day token lifetime with refresh endpoint (60-90 day renewal window)
Health check: /api/health/ now pings Postgres + Redis, returns 503 on failure
Audit logging: async audit_log table for auth events (login, register, delete, etc.)
Circuit breaker: APNs/FCM push sends wrapped with 5-failure threshold, 30s recovery
FK indexes: 27 missing foreign key indexes across all tables (migration 017)
CSP header: default-src 'none'; frame-ancestors 'none'
Gzip compression: level 5 with media endpoint skipper
Prometheus metrics: /metrics endpoint using existing monitoring service
External timeouts: 15s push, 30s SMTP, context timeouts on all external calls
Migrations: 016 (token created_at), 017 (FK indexes), 018 (audit_log)
Tests: circuit breaker (15), audit service (8), token refresh (7), health (4),
middleware expiry (5), validator (new)
This commit is contained in:
Trey T
@@ -6,8 +6,11 @@
|
||||
"error.email_taken": "Email already registered",
|
||||
"error.email_already_taken": "Email already taken",
|
||||
"error.registration_failed": "Registration failed",
|
||||
"error.password_complexity": "Password must be at least 8 characters with at least one uppercase letter, one lowercase letter, and one digit",
|
||||
"error.not_authenticated": "Not authenticated",
|
||||
"error.invalid_token": "Invalid token",
|
||||
"error.token_expired": "Your session has expired. Please log in again.",
|
||||
"error.token_refresh_not_needed": "Token is still valid.",
|
||||
"error.failed_to_get_user": "Failed to get user",
|
||||
"error.failed_to_update_profile": "Failed to update profile",
|
||||
"error.invalid_verification_code": "Invalid verification code",
|
||||
|
||||
Reference in New Issue
Block a user