
security: enforce-secure-cookies #787

Merged

0xVida merged 2 commits into Stellar-Fluid:main from devchant:feat/security-db-testing on May 31, 2026

Conversation

@devchant
Contributor

Security Hardening, Analytics Indexing, and Redis Failover Testing

Summary

This PR improves platform security, database performance, and infrastructure resilience across the Fluid platform.

Closes #667

Closes #710

Closes #719

Changes

HTTPS Enforcement & Secure Cookies (#667)

  • Added production-only HTTPS enforcement in admin-dashboard/middleware.ts.
  • Enabled secure, HTTP-only session cookies for NextAuth.
  • Preserved HTTP functionality for local development environments.
  • Added security-focused test coverage for middleware and cookie configuration.

Composite Indexes for Analytics Queries (#710)

  • Added composite indexes on tenantId and createdAt for analytics-related transaction queries.
  • Updated server-side database schema and query optimization logic.
  • Added documentation covering index design and expected performance improvements.
  • Added unit and integration tests for analytics query behavior.

Redis Cluster Failover Testing (#719)

  • Added Vitest integration tests simulating Redis node failure during active load.
  • Verified rate-limiting behavior remains consistent during cluster failover.
  • Added edge-case coverage for node recovery and partial cluster availability.
  • Included verification artifacts and test documentation.

Validation

  • HTTPS redirects function correctly in production environments.
  • Secure cookie flags are applied to authenticated sessions.
  • Local development remains operational over HTTP.
  • Analytics queries utilize composite indexes and show improved performance.
  • Rate limits remain enforced during Redis cluster node failures.
  • All tests pass with no regressions.

devchant added 2 commits May 31, 2026 01:47
- Export authConfig with useSecureCookies and secure session token cookie
  flags that activate only in production (NODE_ENV === 'production')
- Enforce HTTPS in middleware: redirect HTTP → HTTPS (301) in production
  using both protocol and x-forwarded-proto header checks
- Export middlewareCallback for isolated unit testing
- Add lib/security.test.ts covering:
    * Secure cookie options match env (httpOnly, sameSite, secure flag)
    * Middleware redirects HTTP to HTTPS in production
    * Middleware does NOT redirect in development (sandbox stays on HTTP)
- Set package.json 'type': 'module' for clean ESM resolution
- Include security.test.ts in test:unit script

Closes Stellar-Fluid#667
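The two decisions the commit message describes (a 301 to HTTPS only in production, checked against both the connection protocol and x-forwarded-proto, and session-cookie flags that turn Secure on only in production) can be isolated from the framework and unit-tested on their own. The block below is an added example, not code from the Stellar-Fluid repository or from this PR; the function names and the `RequestInfo` shape are assumptions made for the example, and the `__Secure-` cookie-name prefix follows NextAuth's convention for secure cookies.

```typescript
// Added example, not the Stellar-Fluid project's own middleware or authConfig.
// The redirect and cookie-flag decisions are written as plain functions so they
// can be tested without a Next.js request object. Function names and the
// RequestInfo shape are assumptions made for this example.

type NodeEnv = "production" | "development" | "test";

interface RequestInfo {
  // Scheme as seen by the app process, e.g. URL.protocol: "http:" or "https:".
  protocol: string;
  // Raw x-forwarded-proto header from a TLS-terminating proxy, if present.
  forwardedProto?: string | null;
  host: string;
  pathname: string;
  search: string; // "" or "?a=b"
}

// The request counts as HTTPS if either the direct connection is TLS or the
// proxy reports that the client-facing hop was. Chained proxies may send a list
// such as "https, http"; the first entry is the scheme the client actually used.
function isHttps(req: RequestInfo): boolean {
  if (req.protocol === "https:") return true;
  const first = (req.forwardedProto ?? "").split(",")[0].trim().toLowerCase();
  return first === "https";
}

// Returns the absolute https:// URL to send in a 301 redirect, or null when no
// redirect applies. Outside production the request is always left alone, so a
// local dev server or test sandbox keeps working over plain HTTP.
function httpsRedirectTarget(env: NodeEnv, req: RequestInfo): string | null {
  if (env !== "production") return null;
  if (isHttps(req)) return null;
  return `https://${req.host}${req.pathname}${req.search}`;
}

interface SessionCookieOptions {
  name: string;
  httpOnly: boolean;
  sameSite: "lax" | "strict" | "none";
  secure: boolean;
}

// HttpOnly and SameSite=Lax are set unconditionally; Secure only in production,
// because browsers drop a Secure cookie set over plain HTTP (localhost aside).
// The "__Secure-" name prefix follows NextAuth's useSecureCookies convention and
// makes browsers reject the cookie if it ever arrives without the Secure flag.
function sessionCookieOptions(env: NodeEnv): SessionCookieOptions {
  const secure = env === "production";
  return {
    name: secure ? "__Secure-next-auth.session-token" : "next-auth.session-token",
    httpOnly: true,
    sameSite: "lax",
    secure,
  };
}

// Constructed sample request: plain HTTP reaching the app with no proxy header.
const sampleRequest: RequestInfo = {
  protocol: "http:",
  forwardedProto: null,
  host: "admin.example.test",
  pathname: "/login",
  search: "?callbackUrl=%2F",
};

console.log(httpsRedirectTarget("production", sampleRequest)); // https://admin.example.test/login?callbackUrl=%2F
console.log(httpsRedirectTarget("development", sampleRequest)); // null
console.log(sessionCookieOptions("production").secure); // true
```

Checking x-forwarded-proto as well as the connection protocol matters because behind a load balancer the app process usually sees plain HTTP even when the client connected over TLS; without the header check every production request would loop through the redirect. The header should only be trusted when the app is reachable solely through that proxy, since a client talking to the app directly could set it itself.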
@drips-wave

drips-wave Bot commented May 31, 2026

@devchant Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@0xVida 0xVida merged commit b750143 into Stellar-Fluid:main May 31, 2026
7 of 9 checks passed