Merge pull request #104 from CruGlobal/jh/auditFix

Updates to securily harden our running service.

Author: johnny-hausman

.dockerignore

@@ -0,0 +1,39 @@
+# Dependencies (reinstalled in image)
+node_modules
+**/node_modules
+
+# Version control and CI
+.git
+.gitignore
+.github
+
+# Local and sensitive files
+.env
+.env.*
+!.env.example
+*.log
+npm-debug.log*
+# Our services actually DO want to include this file.
+#config/local.js
+
+# Test and dev
+test
+*.test.js
+.mocharc.js
+coverage
+.nyc_output
+.eslintrc*
+eslint.config.mjs
+.prettier*
+
+# IDE and OS
+.vscode
+.idea
+*.swp
+.DS_Store
+
+# Docs and misc (optional: remove if you need these in image)
+README.md
+Makefile
+*.md
+!AppBuilder/**/*.md

.eslintrc.js

@@ -3,26 +3,46 @@
 ##
 ## This is our microservice for the users in an AB managed site.
 ##
+## Security: image runs as non-root user (node). For production, prefer
+## pinning the base image by digest and overriding CMD to remove --inspect.
+##
 ## Docker Commands:
 ## ---------------
 ## $ docker build -t digiserve/ab-user-manager:master .
 ## $ docker push digiserve/ab-user-manager:master
 ##
+## Multi-platform (M1/M2/M3 Mac → amd64 + arm64):
+## $ docker buildx create --use  # once, if no builder
+## $ docker buildx build --provenance=true --sbom=true --platform linux/amd64,linux/arm64 -t digiserve/ab-user-manager:master --push .
+## Or use: $ DOCKER_ARGS="--platform linux/amd64,linux/arm64 --push" ./build.sh
+## Supply chain: use --provenance=true --sbom=true when pushing to a registry for Docker Hub attestations and license visibility.
+##
 
 ARG BRANCH=master
 
 FROM digiserve/service-cli:${BRANCH}
 
+# OCI labels for Docker Hub / Scout (license, description)
+LABEL org.opencontainers.image.title="User Manager" \
+   org.opencontainers.image.description="Microservice for managing users in an AB managed site" \
+   org.opencontainers.image.licenses="MIT"
+
 COPY . /app
 
 WORKDIR /app
 
-RUN npm i -f
+# Reproducible install; use npm i -f only if npm ci fails (e.g. peer deps, git deps)
+RUN npm ci && npm cache clean --force
 
 WORKDIR /app/AppBuilder
 
-RUN npm i -f
+RUN npm ci && npm cache clean --force
 
 WORKDIR /app
 
+# Security: run as non-root (base image should provide node user)
+RUN chown -R node:node /app
+USER node
+
+# --inspect=0.0.0.0:9229 exposes debugger to the network; omit in production or bind to 127.0.0.1
 CMD [ "node", "--inspect=0.0.0.0:9229", "app.js" ]

Dockerfile

@@ -9,7 +9,7 @@ if (AB.defaults.env("TELEMETRY_PROVIDER", "sentry") == "sentry") {
    AB.telemetry.init("sentry", {
       dsn: AB.defaults.env(
          "SENTRY_DSN",
-         "https://74d87e0653ba19e70a16e38945dc847d@o144358.ingest.sentry.io/4506143933202432"
+         "https://74d87e0653ba19e70a16e38945dc847d@o144358.ingest.sentry.io/4506143933202432",
       ),
       release: version,
    });

app.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
+# Supply chain: --provenance and --sbom are required for Docker Hub attestations; they are preserved when using --push.
+
 git submodule update --init --recursive
 
-docker buildx build $DOCKER_ARGS \
-  .
+docker buildx build --provenance=true --sbom=true $DOCKER_ARGS .

build.sh

@@ -0,0 +1,49 @@
+//   ╔═╗╔═╗╦  ╦╔╗╔╔╦╗┬─┐┌─┐
+//   ║╣ ╚═╗║  ║║║║ ║ ├┬┘│
+//  o╚═╝╚═╝╩═╝╩╝╚╝ ╩ ┴└─└─┘
+// Flat config for ESLint v9+. Replaces .eslintrc.js and test/.eslintrc.js.
+import js from "@eslint/js";
+import globals from "globals";
+import eslintConfigPrettier from "eslint-config-prettier/flat";
+import eslintPluginPrettier from "eslint-plugin-prettier";
+
+export default [
+   js.configs.recommended,
+
+   // Main project: Node + ES2022, Prettier, custom rules
+   {
+      files: ["**/*.js"],
+      languageOptions: {
+         ecmaVersion: 2022,
+         globals: { ...globals.node },
+      },
+      plugins: { prettier: eslintPluginPrettier },
+      rules: {
+         "prettier/prettier": [
+            "error",
+            {
+               arrowParens: "always",
+               endOfLine: "lf",
+               printWidth: 80,
+               tabWidth: 3,
+               trailingComma: "all",
+            },
+         ],
+         "no-console": "off", // allow console.log() in our services
+      },
+   },
+
+   // Test files: Mocha globals + no-unused-vars ignore for should/expect
+   {
+      files: ["test/**/*.js"],
+      languageOptions: {
+         globals: { ...globals.node, ...globals.mocha },
+      },
+      rules: {
+         "no-unused-vars": ["error", { varsIgnorePattern: "should|expect" }],
+      },
+   },
+
+   // Prettier disables conflicting rules — must be last
+   eslintConfigPrettier,
+];

eslint.config.mjs

@@ -20,7 +20,7 @@ function hashCode(str) {
       .reduce(
          (prevHash, currVal) =>
             ((prevHash << 5) - prevHash + currVal.charCodeAt(0)) | 0,
-         0
+         0,
       );
 }
 

handlers/config-user-version.js

@@ -62,7 +62,7 @@ module.exports = {
             req.log(
                `user[${user.username}] with roles:[${list
                   .map((l) => l.uuid)
-                  .join(", ")}]`
+                  .join(", ")}]`,
             );
             cb(null, user);
          })

handlers/config.js

@@ -96,7 +96,8 @@ module.exports = {
          })
          .catch((err) => {
             req.notify.developer(err, {
-               context: "Service:user_manager.password-reset: Error initializing ABFactory",
+               context:
+                  "Service:user_manager.password-reset: Error initializing ABFactory",
             });
             cb(err);
          });

handlers/password-reset.js

@@ -84,7 +84,7 @@ module.exports = {
                   if (user && user.failedLogins > config.maxFailedLogins) {
                      req.log("Too many failed attempts");
                      var errorFailedAttempts = new Error(
-                        "Too many failed attempts. Please contact an admin."
+                        "Too many failed attempts. Please contact an admin.",
                      );
                      errorFailedAttempts.code = "EFAILEDATTEMPTS";
                      cb(errorFailedAttempts);
@@ -99,7 +99,7 @@ module.exports = {
                            } else {
                               req.log("invalid password.");
                               var pwError = new Error(
-                                 "invalid username/password"
+                                 "invalid username/password",
                               );
                               pwError.code = "EINVALIDLOGIN";
                               cb(pwError);