Feature/security headers middleware

backend/src/app.module.ts

@@ -1,3 +1,4 @@
+import { Module, MiddlewareConsumer, NestModule } from '@nestjs/common';
 import { Module, NestModule, MiddlewareConsumer, RequestMethod } from '@nestjs/common';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { ConfigModule, ConfigService } from '@nestjs/config';
@@ -16,6 +17,12 @@ import { PuzzlesModule } from './puzzles/puzzles.module';
 import { QuestsModule } from './quests/quests.module';
 import { StreakModule } from './streak/strerak.module';
 import { CategoriesModule } from './categories/categories.module';
+import { TransactionMiddleware } from './middleware/transaction/transaction.middleware';
+import { TransactionLogger } from './middleware/transaction/transaction.logger';
+import { CompressionMiddleware } from './middleware/compression/compression.middleware';
+import { IdempotencyMiddleware } from './middleware/idempotency/idempotency.middleware';
+import { IdempotencyService } from './middleware/idempotency/idempotency.service';
+import { SecurityHeadersMiddleware } from './middleware/security/security-headers.middleware';
 import { JwtAuthModule, JwtAuthMiddleware } from './auth/middleware/jwt-auth.module';
 import { REDIS_CLIENT } from './redis/redis.constants';
 import jwtConfig from './auth/authConfig/jwt.config';
@@ -87,7 +94,6 @@ import { HealthModule } from './health/health.module';
     CommonModule,
     RedisModule,
     BlockchainModule,
-    ProgressModule,
     CategoriesModule,
     // Register the custom JWT Auth Middleware module
     JwtAuthModule.registerAsync({
@@ -104,10 +110,19 @@ import { HealthModule } from './health/health.module';
     HealthModule,
   ],
   controllers: [AppController],
-  providers: [AppService],
+  providers: [AppService, TransactionLogger],
 })
 export class AppModule implements NestModule {
-  /**
+  configure(consumer: MiddlewareConsumer) {
+    // Apply transaction middleware globally
+    consumer.apply(TransactionMiddleware).forRoutes('*');
+
+
+    consumer.apply(CompressionMiddleware).forRoutes('*');
+        consumer.apply(IdempotencyMiddleware).forRoutes('*');
+            consumer.apply(SecurityHeadersMiddleware).forRoutes('*');
+
+/**
    * Apply the JWT Authentication Middleware to all routes except public ones.
    */
   configure(consumer: MiddlewareConsumer) {
@@ -124,5 +139,6 @@ export class AppModule implements NestModule {
         { path: 'health', method: RequestMethod.GET },
       )
       .forRoutes('*');
+
   }
 }

backend/src/common/controllers/security.controller.ts

@@ -0,0 +1,14 @@
+import { Controller, Get, Res } from '@nestjs/common';
+import { Response } from 'express';
+
+@Controller('.well-known')
+export class SecurityController {
+  @Get('security.txt')
+  getSecurityTxt(@Res() res: Response) {
+    res.type('text/plain').send(
+      `Contact: security@yourdomain.com
+Policy: https://yourdomain.com/security-policy
+Acknowledgments: https://yourdomain.com/security-acknowledgments`
+    );
+  }
+}

backend/src/middleware/compression/compression.config.ts

@@ -0,0 +1,20 @@
+export const COMPRESSION_CONFIG = {
+  threshold: 1024, // minimum size in bytes
+  gzip: { level: 6 }, // balance speed vs size
+  brotli: { quality: 4 }, // modern browsers
+  skipTypes: [
+    /^image\//,
+    /^video\//,
+    /^audio\//,
+    /^application\/zip/,
+    /^application\/gzip/,
+  ],
+  compressibleTypes: [
+    'application/json',
+    'text/html',
+    'text/plain',
+    'application/javascript',
+    'text/css',
+    'text/xml',
+  ],
+};

backend/src/middleware/compression/compression.middleware.ts

@@ -0,0 +1,63 @@
+import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import * as zlib from 'zlib';
+import { COMPRESSION_CONFIG } from './compression.config';
+
+@Injectable()
+export class CompressionMiddleware implements NestMiddleware {
+  use(req: Request, res: Response, next: NextFunction) {
+    const acceptEncoding = req.headers['accept-encoding'] || '';
+    const chunks: Buffer[] = [];
+    const originalWrite = res.write;
+    const originalEnd = res.end;
+
+    // Intercept response body
+    res.write = function (chunk: any) {
+      chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+      return true;
+    };
+
+    res.end = function (chunk: any) {
+      if (chunk) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+      }
+
+      const body = Buffer.concat(chunks);
+
+      // Skip compression if too small
+      if (body.length < COMPRESSION_CONFIG.threshold) {
+        return originalEnd.call(res, body);
+      }
+
+      const contentType = res.getHeader('Content-Type') as string;
+      if (COMPRESSION_CONFIG.skipTypes.some((regex) => regex.test(contentType))) {
+        return originalEnd.call(res, body);
+      }
+
+      // Select algorithm
+      if (/\bbr\b/.test(acceptEncoding)) {
+        zlib.brotliCompress(body, { params: { [zlib.constants.BROTLI_PARAM_QUALITY]: COMPRESSION_CONFIG.brotli.quality } }, (err, compressed) => {
+          if (err) return originalEnd.call(res, body);
+          res.setHeader('Content-Encoding', 'br');
+          originalEnd.call(res, compressed);
+        });
+      } else if (/\bgzip\b/.test(acceptEncoding)) {
+        zlib.gzip(body, { level: COMPRESSION_CONFIG.gzip.level }, (err, compressed) => {
+          if (err) return originalEnd.call(res, body);
+          res.setHeader('Content-Encoding', 'gzip');
+          originalEnd.call(res, compressed);
+        });
+      } else if (/\bdeflate\b/.test(acceptEncoding)) {
+        zlib.deflate(body, (err, compressed) => {
+          if (err) return originalEnd.call(res, body);
+          res.setHeader('Content-Encoding', 'deflate');
+          originalEnd.call(res, compressed);
+        });
+      } else {
+        return originalEnd.call(res, body);
+      }
+    };
+
+    next();
+  }
+}

backend/src/middleware/idempotency/idempotency.config.ts

@@ -0,0 +1,9 @@
+export const IDEMPOTENCY_CONFIG = {
+  ttl: {
+    puzzleSubmission: 300, // 5 minutes
+    pointClaim: 600,       // 10 minutes
+    friendRequest: 3600,   // 1 hour
+    profileUpdate: 60,     // 1 minute
+  },
+  headerKey: 'x-idempotency-key',
+};

backend/src/middleware/idempotency/idempotency.middleware.ts

@@ -0,0 +1,56 @@
+import { Injectable, NestMiddleware, BadRequestException } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import { IdempotencyService } from './idempotency.service';
+import { IDEMPOTENCY_CONFIG } from './idempotency.config';
+
+@Injectable()
+export class IdempotencyMiddleware implements NestMiddleware {
+  constructor(private readonly idempotencyService: IdempotencyService) {}
+
+  async use(req: Request, res: Response, next: NextFunction) {
+    // Skip GET requests
+    if (req.method === 'GET') return next();
+
+    const headerKey = IDEMPOTENCY_CONFIG.headerKey;
+    let idempotencyKey = req.headers[headerKey] as string;
+
+    if (!idempotencyKey) {
+      // Auto-generate key if not provided
+      idempotencyKey = await this.idempotencyService.generateKey(req);
+    }
+
+    if (typeof idempotencyKey !== 'string') {
+      throw new BadRequestException('Invalid idempotency key format');
+    }
+
+    const cachedResponse = await this.idempotencyService.getResponse(idempotencyKey);
+    if (cachedResponse) {
+      // Return cached response immediately
+      res.set(cachedResponse.headers);
+      return res.status(cachedResponse.statusCode).send(cachedResponse.body);
+    }
+
+    // Intercept response to store it
+    const originalSend = res.send.bind(res);
+    res.send = async (body: any) => {
+      const ttl = this.resolveTTL(req.originalUrl);
+      const responsePayload = {
+        statusCode: res.statusCode,
+        headers: res.getHeaders(),
+        body,
+      };
+      await this.idempotencyService.storeResponse(idempotencyKey, responsePayload, ttl);
+      return originalSend(body);
+    };
+
+    next();
+  }
+
+  private resolveTTL(url: string): number {
+    if (url.includes('/puzzles')) return IDEMPOTENCY_CONFIG.ttl.puzzleSubmission;
+    if (url.includes('/points')) return IDEMPOTENCY_CONFIG.ttl.pointClaim;
+    if (url.includes('/friends')) return IDEMPOTENCY_CONFIG.ttl.friendRequest;
+    if (url.includes('/profile')) return IDEMPOTENCY_CONFIG.ttl.profileUpdate;
+    return 300; // default
+  }
+}

backend/src/middleware/idempotency/idempotency.service.ts

@@ -0,0 +1,25 @@
+import { Injectable } from '@nestjs/common';
+import { RedisService } from '../../redis/redis.service';
+import * as crypto from 'crypto';
+
+@Injectable()
+export class IdempotencyService {
+  constructor(private readonly redisService: RedisService) {}
+
+  async generateKey(req: any): Promise<string> {
+    const userId = req.user?.id || 'anon';
+    const bodyHash = crypto.createHash('sha256').update(JSON.stringify(req.body)).digest('hex');
+    return `${userId}:${req.method}:${req.originalUrl}:${bodyHash}`;
+  }
+
+  async storeResponse(key: string, response: any, ttl: number) {
+    const client = this.redisService.getClient();
+    await client.set(key, JSON.stringify(response), 'EX', ttl, 'NX'); // SETNX for atomicity
+  }
+
+  async getResponse(key: string): Promise<any | null> {
+    const client = this.redisService.getClient();
+    const data = await client.get(key);
+    return data ? JSON.parse(data) : null;
+  }
+}

backend/src/middleware/security/security-headers.config.ts

@@ -0,0 +1,20 @@
+export const SECURITY_HEADERS_CONFIG = {
+  common: {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'DENY',
+    'X-XSS-Protection': '1; mode=block',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Permissions-Policy': 'geolocation=(), microphone=(), camera=(), payment=(), usb=()',
+    'X-DNS-Prefetch-Control': 'off',
+  },
+  hsts: {
+    production: 'max-age=31536000; includeSubDomains; preload',
+    development: null, // disabled in dev
+  },
+  cacheControl: {
+    dynamic: 'no-cache, no-store, must-revalidate',
+    static: 'public, max-age=31536000',
+    private: 'private, no-cache',
+  },
+  removeHeaders: ['X-Powered-By', 'Server', 'X-AspNet-Version', 'X-AspNetMvc-Version'],
+};

backend/src/middleware/security/security-headers.middleware.ts

@@ -0,0 +1,39 @@
+import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import { SECURITY_HEADERS_CONFIG } from './security-headers.config';
+
+@Injectable()
+export class SecurityHeadersMiddleware implements NestMiddleware {
+  use(req: Request, res: Response, next: NextFunction) {
+    // Apply common security headers
+    for (const [header, value] of Object.entries(SECURITY_HEADERS_CONFIG.common)) {
+      res.setHeader(header, value);
+    }
+
+    // Apply HSTS only in production
+    if (process.env.NODE_ENV === 'production' && SECURITY_HEADERS_CONFIG.hsts.production) {
+      res.setHeader('Strict-Transport-Security', SECURITY_HEADERS_CONFIG.hsts.production);
+    }
+
+    // Remove sensitive headers
+    SECURITY_HEADERS_CONFIG.removeHeaders.forEach((header) => {
+      res.removeHeader(header);
+    });
+
+    // Cache control based on content type
+    res.on('finish', () => {
+      const contentType = res.getHeader('Content-Type') as string;
+      if (!contentType) return;
+
+      if (contentType.includes('application/json')) {
+        res.setHeader('Cache-Control', SECURITY_HEADERS_CONFIG.cacheControl.dynamic);
+      } else if (contentType.startsWith('text/') || contentType.includes('javascript') || contentType.includes('css')) {
+        res.setHeader('Cache-Control', SECURITY_HEADERS_CONFIG.cacheControl.static);
+      } else {
+        res.setHeader('Cache-Control', SECURITY_HEADERS_CONFIG.cacheControl.private);
+      }
+    });
+
+    next();
+  }
+}

backend/src/middleware/transaction/transaction.logger.ts

@@ -0,0 +1,14 @@
+import { Injectable, Logger } from '@nestjs/common';
+
+@Injectable()
+export class TransactionLogger {
+  private readonly logger = new Logger('Transaction');
+
+  log(message: string) {
+    this.logger.log(message);
+  }
+
+  error(message: string, error: any) {
+    this.logger.error(`${message}: ${error.message}`, error.stack);
+  }
+}

backend/src/middleware/transaction/transaction.manager.ts

@@ -0,0 +1,36 @@
+import { DataSource, QueryRunner } from 'typeorm';
+
+export class TransactionManager {
+  private queryRunner: QueryRunner;
+
+  constructor(private readonly dataSource: DataSource) {
+    this.queryRunner = this.dataSource.createQueryRunner();
+  }
+
+  async startTransaction(isolation: 'READ COMMITTED' | 'REPEATABLE READ' | 'SERIALIZABLE' = 'READ COMMITTED') {
+    await this.queryRunner.connect();
+    await this.queryRunner.startTransaction(isolation);
+  }
+
+  async commitTransaction() {
+    await this.queryRunner.commitTransaction();
+    await this.queryRunner.release();
+  }
+
+  async rollbackTransaction() {
+    await this.queryRunner.rollbackTransaction();
+    await this.queryRunner.release();
+  }
+
+  async createSavepoint(name: string) {
+    await this.queryRunner.query(`SAVEPOINT ${name}`);
+  }
+
+  async rollbackToSavepoint(name: string) {
+    await this.queryRunner.query(`ROLLBACK TO SAVEPOINT ${name}`);
+  }
+
+  getManager() {
+    return this.queryRunner.manager;
+  }
+}

backend/src/middleware/transaction/transaction.middleware.ts

@@ -0,0 +1,37 @@
+import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import { DataSource } from 'typeorm';
+import { TransactionManager } from './transaction.manager';
+import { TransactionLogger } from './transaction.logger';
+
+@Injectable()
+export class TransactionMiddleware implements NestMiddleware {
+  constructor(private readonly dataSource: DataSource, private readonly logger: TransactionLogger) {}
+
+  async use(req: Request, res: Response, next: NextFunction) {
+    const manager = new TransactionManager(this.dataSource);
+
+    try {
+      await manager.startTransaction();
+
+      // Attach transaction manager to request for manual control if needed
+      (req as any).transactionManager = manager;
+
+      res.on('finish', async () => {
+        if (res.statusCode >= 200 && res.statusCode < 400) {
+          await manager.commitTransaction();
+          this.logger.log('Transaction committed successfully');
+        } else {
+          await manager.rollbackTransaction();
+          this.logger.log('Transaction rolled back due to error');
+        }
+      });
+
+      next();
+    } catch (error) {
+      await manager.rollbackTransaction();
+      this.logger.error('Transaction failed', error);
+      next(error);
+    }
+  }
+}