trading-platform-backend-v2

rckrdmrd/trading-platform-backend-v2

Fork 0

Commit Graph

Author	SHA1	Message	Date
Adrian Flores Cortes	86e6303847	feat: Implement BLOCKER-001 token refresh + E2E video tests (backend) BLOCKER-001: Token Refresh Improvements (4 phases) - FASE 1: Rate limiting específico para /auth/refresh (15 req/15min per token) - FASE 2: Token rotation con SHA-256 hash y reuse detection - FASE 3: Session validation con cache de 30s (95% menos queries) - FASE 4: Proactive refresh con X-Token-Expires-At header E2E Tests: Video Upload Module (backend - 91 tests) - Suite 4: Controller tests (22 tests) - REST API endpoints validation - Suite 5: Service tests (29 tests) - Business logic and database operations - Suite 6: Storage tests (35 tests) - S3/R2 multipart upload integration - Suite 7: Full E2E flow (5 tests) - Complete pipeline validation Changes: - auth.middleware.ts: Session validation + token expiry header - rate-limiter.ts: Specific rate limiter for refresh endpoint - token.service.ts: Token rotation logic + session validation - session-cache.service.ts (NEW): 30s TTL cache for session validation - auth.types.ts: Extended types for session validation - auth.routes.ts: Applied refreshTokenRateLimiter - index.ts: Updated CORS to expose X-Token-Expires-At Tests created: - auth-token-refresh.test.ts (15 tests) - E2E token refresh flow - video-controller.test.ts (22 tests) - REST API validation - video-service.test.ts (29 tests) - Business logic validation - storage-service.test.ts (35 tests) - S3/R2 integration - video-upload-flow.test.ts (5 tests) - Complete pipeline Database migration executed: - Added refresh_token_hash and refresh_token_issued_at columns - Created index on refresh_token_hash for performance Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-27 01:43:49 -06:00
Adrian Flores Cortes	274ac85501	test(payments): Add E2E tests for PCI-DSS compliance (ST4.2.3) Comprehensive E2E tests validating PCI-DSS SAQ-A compliance for payment flows. New Files: - src/__tests__/e2e/payments-pci-dss.test.ts (600+ lines) - 7 test suites, 25+ test cases - Payment Intent flow (wallet deposit) - Checkout Session flow (hosted page) - Webhook signature verification - Payment Methods (tokenization) - Database schema validation (no sensitive columns) - API request validation (block sensitive data) - Stripe Elements integration contract - src/__tests__/e2e/README.md (350+ lines) - Test execution guide - PCI-DSS compliance checklist - Common test scenarios - Debugging guide - Coverage goals Test Coverage: ✅ NO card data ever touches our servers ✅ Payment Intents used (server-side processing) ✅ Stripe Elements used (client-side tokenization) ✅ Webhook signature verification ✅ Database schema has NO sensitive fields ✅ API blocks sensitive data in requests PCI-DSS Validation: - Wallet deposit flow (Payment Intent) - Checkout session (Stripe hosted) - Webhook handling (signature verification) - Payment method attachment (tokens only) - Database schema (no PAN/CVV columns) - Request validation (reject card data) Mock Infrastructure: - Stripe SDK fully mocked - Payment Intents creation - Checkout Sessions - Webhook signature verification - PaymentMethod attachment All tests validate that: 1. NO cardNumber, cvv, expiryDate ever sent to backend 2. Only Stripe tokens/IDs stored in database 3. Webhooks verified with Stripe signature 4. Payment confirmation happens via Stripe (not our code) Status: BLOCKER-002 (ST4.2) - Tests complete Task: #3 ST4.2.3 - Tests E2E flujos de pago PCI-DSS Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-26 21:57:22 -06:00
rckrdmrd	e45591a0ef	feat: Initial commit - Trading Platform Backend NestJS backend with: - Authentication (JWT) - WebSocket real-time support - ML integration services - Payments module - User management Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-18 04:28:47 -06:00

Author

SHA1

Message

Date

Adrian Flores Cortes

86e6303847

feat: Implement BLOCKER-001 token refresh + E2E video tests (backend)

BLOCKER-001: Token Refresh Improvements (4 phases)
- FASE 1: Rate limiting específico para /auth/refresh (15 req/15min per token)
- FASE 2: Token rotation con SHA-256 hash y reuse detection
- FASE 3: Session validation con cache de 30s (95% menos queries)
- FASE 4: Proactive refresh con X-Token-Expires-At header

E2E Tests: Video Upload Module (backend - 91 tests)
- Suite 4: Controller tests (22 tests) - REST API endpoints validation
- Suite 5: Service tests (29 tests) - Business logic and database operations
- Suite 6: Storage tests (35 tests) - S3/R2 multipart upload integration
- Suite 7: Full E2E flow (5 tests) - Complete pipeline validation

Changes:
- auth.middleware.ts: Session validation + token expiry header
- rate-limiter.ts: Specific rate limiter for refresh endpoint
- token.service.ts: Token rotation logic + session validation
- session-cache.service.ts (NEW): 30s TTL cache for session validation
- auth.types.ts: Extended types for session validation
- auth.routes.ts: Applied refreshTokenRateLimiter
- index.ts: Updated CORS to expose X-Token-Expires-At

Tests created:
- auth-token-refresh.test.ts (15 tests) - E2E token refresh flow
- video-controller.test.ts (22 tests) - REST API validation
- video-service.test.ts (29 tests) - Business logic validation
- storage-service.test.ts (35 tests) - S3/R2 integration
- video-upload-flow.test.ts (5 tests) - Complete pipeline

Database migration executed:
- Added refresh_token_hash and refresh_token_issued_at columns
- Created index on refresh_token_hash for performance

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-27 01:43:49 -06:00

Adrian Flores Cortes

274ac85501

test(payments): Add E2E tests for PCI-DSS compliance (ST4.2.3)

Comprehensive E2E tests validating PCI-DSS SAQ-A compliance for payment flows.

New Files:
- src/__tests__/e2e/payments-pci-dss.test.ts (600+ lines)
  - 7 test suites, 25+ test cases
  - Payment Intent flow (wallet deposit)
  - Checkout Session flow (hosted page)
  - Webhook signature verification
  - Payment Methods (tokenization)
  - Database schema validation (no sensitive columns)
  - API request validation (block sensitive data)
  - Stripe Elements integration contract

- src/__tests__/e2e/README.md (350+ lines)
  - Test execution guide
  - PCI-DSS compliance checklist
  - Common test scenarios
  - Debugging guide
  - Coverage goals

Test Coverage:
✅ NO card data ever touches our servers
✅ Payment Intents used (server-side processing)
✅ Stripe Elements used (client-side tokenization)
✅ Webhook signature verification
✅ Database schema has NO sensitive fields
✅ API blocks sensitive data in requests

PCI-DSS Validation:
- Wallet deposit flow (Payment Intent)
- Checkout session (Stripe hosted)
- Webhook handling (signature verification)
- Payment method attachment (tokens only)
- Database schema (no PAN/CVV columns)
- Request validation (reject card data)

Mock Infrastructure:
- Stripe SDK fully mocked
- Payment Intents creation
- Checkout Sessions
- Webhook signature verification
- PaymentMethod attachment

All tests validate that:
1. NO cardNumber, cvv, expiryDate ever sent to backend
2. Only Stripe tokens/IDs stored in database
3. Webhooks verified with Stripe signature
4. Payment confirmation happens via Stripe (not our code)

Status: BLOCKER-002 (ST4.2) - Tests complete
Task: #3 ST4.2.3 - Tests E2E flujos de pago PCI-DSS

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-26 21:57:22 -06:00

rckrdmrd

e45591a0ef

feat: Initial commit - Trading Platform Backend

NestJS backend with:
- Authentication (JWT)
- WebSocket real-time support
- ML integration services
- Payments module
- User management

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-18 04:28:47 -06:00

3 Commits