Merge pull request #72 from Gbangbolaoluwagbemiga/issue-56-secure-secret-management

feat(security): implement secure secret management and redact debug routes

Author: ritik4ever

backend/src/config/featureFlags.ts

@@ -20,7 +20,7 @@ export const getFeatureFlags = (env: NodeJS.ProcessEnv = process.env): FeatureFl
 
     const demoMode = parseBoolean(env.DEMO_MODE, !isProduction)
     const allowFallbackPrices = parseBoolean(env.ALLOW_FALLBACK_PRICES, !isProduction)
-    const enableDebugRoutes = parseBoolean(env.ENABLE_DEBUG_ROUTES, !isProduction)
+    const enableDebugRoutes = parseBoolean(env.ENABLE_DEBUG_ROUTES, false) // Default to false even in dev
     const allowMockPriceHistory = parseBoolean(env.ALLOW_MOCK_PRICE_HISTORY, demoMode)
     const allowDemoBalanceFallback = parseBoolean(env.ALLOW_DEMO_BALANCE_FALLBACK, demoMode)
     const enableDemoDbSeed = parseBoolean(env.ENABLE_DEMO_DB_SEED, demoMode)

backend/src/index.ts

@@ -19,6 +19,241 @@ import { startPortfolioCheckWorker, stopPortfolioCheckWorker } from './queue/wor
 import { startRebalanceWorker, stopRebalanceWorker } from './queue/workers/rebalanceWorker.js'
 import { startAnalyticsSnapshotWorker, stopAnalyticsSnapshotWorker } from './queue/workers/analyticsSnapshotWorker.js'
 
+let startupConfig: StartupConfig
+try {
+    startupConfig = validateStartupConfigOrThrow(process.env)
+    logger.info('[STARTUP-CONFIG] Validation successful', buildStartupSummary(startupConfig))
+} catch (error) {
+    const message = error instanceof Error ? error.message : String(error)
+    console.error(message)
+    process.exit(1)
+}
+
+const app = express()
+const port = startupConfig.port
+const featureFlags = getFeatureFlags()
+const publicFeatureFlags = getPublicFeatureFlags()
+
+const isProduction = startupConfig.nodeEnv === 'production'
+const allowedOrigins = startupConfig.corsOrigins
+
+const corsOptions: cors.CorsOptions = {
+    origin: isProduction
+        ? allowedOrigins.length > 0
+            ? (origin, cb) => {
+                if (!origin || allowedOrigins.includes(origin)) cb(null, origin || true)
+                else cb(new Error('Not allowed by CORS'))
+            }
+            : false
+        : true,
+    credentials: true,
+    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH', 'HEAD'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'Accept', 'Origin', 'X-Requested-With', 'X-Public-Key', 'X-Message', 'X-Signature']
+}
+app.use(cors(corsOptions))
+
+app.options('*', (req, res) => {
+    const origin = req.get('Origin')
+    if (isProduction && allowedOrigins.length > 0) {
+        if (origin && allowedOrigins.includes(origin)) res.setHeader('Access-Control-Allow-Origin', origin)
+    } else {
+        res.setHeader('Access-Control-Allow-Origin', origin || '*')
+    }
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH')
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Accept, Origin, X-Requested-With, X-Public-Key, X-Message, X-Signature')
+    res.status(204).end()
+})
+
+// Trust proxy
+app.set('trust proxy', 1)
+
+// Body parsing
+app.use(express.json({ limit: '10mb' }))
+app.use(express.urlencoded({ extended: true, limit: '10mb' }))
+
+// Basic logging
+app.use((req, res, next) => {
+    console.log(`${req.method} ${req.url}`)
+    next()
+})
+
+app.use(globalRateLimiter)
+
+// Create auto-rebalancer instance
+const autoRebalancer = new AutoRebalancerService()
+
+// Health check endpoint
+app.get('/health', (req, res) => {
+    res.json({
+        status: 'healthy',
+        timestamp: new Date().toISOString(),
+        environment: process.env.NODE_ENV || 'development',
+        autoRebalancer: autoRebalancer ? autoRebalancer.getStatus() : { isRunning: false }
+    })
+})
+
+// CORS test endpoint
+app.get('/test/cors', (req, res) => {
+    if (!featureFlags.enableDebugRoutes) {
+        return res.status(404).json({ error: 'Route not found' })
+    }
+    res.json({
+        success: true,
+        message: 'CORS working!',
+        origin: req.get('Origin'),
+        timestamp: new Date().toISOString()
+    })
+})
+
+// CoinGecko test endpoint with detailed debugging
+app.get('/test/coingecko', async (req, res) => {
+    if (!featureFlags.enableDebugRoutes) {
+        return res.status(404).json({ error: 'Route not found' })
+    }
+    try {
+        console.log('[TEST] Testing CoinGecko API...')
+        const { ReflectorService } = await import('./services/reflector.js')
+        const reflector = new ReflectorService()
+
+        // Test connectivity first
+        const testResult = await reflector.testApiConnectivity()
+
+        if (!testResult.success) {
+            return res.status(500).json({
+                success: false,
+                error: testResult.error
+            })
+        }
+
+        // Try to get actual prices
+        reflector.clearCache()
+        const prices = await reflector.getCurrentPrices()
+
+        res.json({
+            success: true,
+            prices,
+            testResult,
+            environment: process.env.NODE_ENV
+        })
+    } catch (error) {
+        res.status(500).json({
+            success: false,
+            error: error instanceof Error ? error.message : String(error)
+        })
+    }
+})
+
+// Root route
+app.get('/', (req, res) => {
+    res.json({
+        message: 'Stellar Portfolio Rebalancer API',
+        status: 'running',
+        version: '1.0.0',
+        timestamp: new Date().toISOString(),
+        features: {
+            automaticRebalancing: !!autoRebalancer?.getStatus().isRunning,
+            priceFeeds: true,
+            riskManagement: true,
+            portfolioManagement: true,
+            featureFlags: publicFeatureFlags
+        },
+        endpoints: {
+            health: '/health',
+            corsTest: '/test/cors',
+            coinGeckoTest: '/test/coingecko',
+            autoRebalancerStatus: '/api/auto-rebalancer/status',
+            queueHealth: '/api/queue/health'
+        }
+    })
+})
+
+// Mount API routes
+app.use('/api', portfolioRouter)
+app.use('/', portfolioRouter)
+
+// 404 handler
+app.use((req, res) => {
+    console.log(`404 - Route not found: ${req.method} ${req.url}`)
+    res.status(404).json({
+        error: 'Route not found',
+        method: req.method,
+        url: req.url,
+        availableEndpoints: {
+            health: '/health',
+            api: '/api/*',
+            autoRebalancer: '/api/auto-rebalancer/*',
+            queueHealth: '/api/queue/health'
+        }
+    })
+})
+
+// Error handler
+app.use((error: any, req: express.Request, res: express.Response, next: express.NextFunction) => {
+    console.error('Server error:', error)
+    res.status(500).json({
+        error: 'Internal server error',
+        message: error.message || 'Unknown error'
+    })
+})
+
+// Create server
+const server = createServer(app)
+
+// WebSocket setup
+const wss = new WebSocketServer({ server })
+
+wss.on('connection', (ws) => {
+    console.log('WebSocket connection established')
+    ws.send(JSON.stringify({
+        type: 'connection',
+        message: 'Connected',
+        autoRebalancerStatus: autoRebalancer.getStatus()
+    }))
+
+    ws.on('error', (error) => {
+        console.error('WebSocket error:', error)
+    })
+})
+
+// Start existing rebalancing service (now queue-backed, no cron)
+try {
+    const rebalancingService = new RebalancingService(wss)
+    rebalancingService.start()
+    console.log('[REBALANCING-SERVICE] Monitoring service started (queue-backed)')
+} catch (error) {
+    console.error('Failed to start rebalancing service:', error)
+}
+
+// Start server
+server.listen(port, async () => {
+    console.log(`🚀 Server running on port ${port}`)
+    console.log(`Environment: ${process.env.NODE_ENV || 'development'}`)
+    console.log(`CoinGecko API Key: ${!!process.env.COINGECKO_API_KEY ? 'SET' : 'NOT SET'}`)
+
+    // ── BullMQ / Redis setup ────────────────────────────────────────────────
+    const redisAvailable = await isRedisAvailable()
+    logQueueStartup(redisAvailable)
+
+    if (redisAvailable) {
+        // Start all three workers
+        startPortfolioCheckWorker()
+        startRebalanceWorker()
+        startAnalyticsSnapshotWorker()
+
+        // Register repeatable jobs (scheduler)
+        try {
+            await startQueueScheduler()
+            console.log('[SCHEDULER] ✅ Queue scheduler registered')
+        } catch (err) {
+            console.error('[SCHEDULER] ❌ Failed to register scheduler:', err)
+        }
+    }
+
+    // ── Auto-rebalancer (queue-backed) ──────────────────────────────────────
+    const shouldStartAutoRebalancer =
+        process.env.NODE_ENV === 'production' ||
+        process.env.ENABLE_AUTO_REBALANCER === 'true'
+
     if (shouldStartAutoRebalancer) {
         try {
             console.log('[AUTO-REBALANCER] Starting automatic rebalancing service...')
@@ -43,13 +278,6 @@ import { startAnalyticsSnapshotWorker, stopAnalyticsSnapshotWorker } from './que
         console.log('[AUTO-REBALANCER] Set ENABLE_AUTO_REBALANCER=true to enable in development')
     }
 
-    // Contract event indexer (on-chain source-of-truth history)
-    try {
-        await contractEventIndexerService.start()
-    } catch (error) {
-        console.error('[CHAIN-INDEXER] Failed to start:', error)
-    }
-
     console.log('Available endpoints:')
     console.log(`  Health: http://localhost:${port}/health`)
     console.log(`  CORS Test: http://localhost:${port}/test/cors`)
@@ -91,13 +319,6 @@ const gracefulShutdown = async (signal: string) => {
     }
 
     // Close database connection
-    try {
-        await contractEventIndexerService.stop()
-        console.log('[SHUTDOWN] Contract event indexer stopped')
-    } catch (error) {
-        console.error('[SHUTDOWN] Error stopping contract event indexer:', error)
-    }
-
     try {
         databaseService.close()
         console.log('[SHUTDOWN] Database connection closed')

backend/src/services/reflector.ts

@@ -1,6 +1,7 @@
 import { SorobanRpc } from '@stellar/stellar-sdk'
 import type { PricesMap, PriceData } from '../types/index.js'
 import { getFeatureFlags } from '../config/featureFlags.js'
+import { logger } from '../utils/logger.js' // Added logger import
 
 export class ReflectorService {
     private coinGeckoApiKey: string
@@ -25,20 +26,20 @@ export class ReflectorService {
 
     async getCurrentPrices(): Promise<PricesMap> {
         try {
-            console.log('[DEBUG] Fetching prices from CoinGecko with smart caching')
+            logger.info('[DEBUG] Fetching prices from CoinGecko with smart caching')
             const assets = ['XLM', 'BTC', 'ETH', 'USDC']
 
             // Check if we have fresh cached data for all assets
             const cachedPrices = this.getCachedPrices(assets)
             if (Object.keys(cachedPrices).length === assets.length) {
-                console.log('[DEBUG] Using cached prices for all assets')
+                logger.info('[DEBUG] Using cached prices for all assets')
                 return cachedPrices
             }
 
             // Check rate limiting more strictly
             const now = Date.now()
             if (now - this.lastRequestTime < this.MIN_REQUEST_INTERVAL) {
-                console.log('[DEBUG] Rate limiting - using cached prices only')
+                logger.info('[DEBUG] Rate limiting - using cached prices only')
                 if (Object.keys(cachedPrices).length > 0) {
                     return cachedPrices
                 }
@@ -60,7 +61,7 @@ export class ReflectorService {
             const assets = ['XLM', 'BTC', 'ETH', 'USDC']
             const cachedPrices = this.getCachedPrices(assets)
             if (Object.keys(cachedPrices).length > 0) {
-                console.log('[DEBUG] Using cached prices due to API error')
+                logger.info('[DEBUG] Using cached prices due to API error')
                 return cachedPrices
             }
 
@@ -91,7 +92,7 @@ export class ReflectorService {
 
         // Rate limiting - don't make requests too frequently
         if (now - this.lastRequestTime < this.MIN_REQUEST_INTERVAL) {
-            console.log('[DEBUG] Rate limiting - using cached prices')
+            logger.info('[DEBUG] Rate limiting - using cached prices')
             return {}
         }
 
@@ -102,8 +103,8 @@ export class ReflectorService {
 
             // FIXED: Use correct API endpoints
             const baseUrl = 'https://api.coingecko.com/api/v3'
-            console.log('[DEBUG] Using API:', apiKey ? 'CoinGecko Pro' : 'CoinGecko Free')
-            console.log('[DEBUG] Base URL:', baseUrl)
+            logger.info('[DEBUG] Using API:', apiKey ? 'CoinGecko Pro' : 'CoinGecko Free')
+            logger.info('[DEBUG] Base URL:', baseUrl)
 
             const headers: Record<string, string> = {
                 'Accept': 'application/json',
@@ -116,7 +117,7 @@ export class ReflectorService {
                 .filter(Boolean)
                 .join(',')
 
-            console.log('[DEBUG] Coin IDs:', coinIds)
+            logger.info('[DEBUG] Coin IDs:', coinIds)
 
             // FIXED: Correct API endpoint and parameters
             const endpoint = '/simple/price'
@@ -128,8 +129,8 @@ export class ReflectorService {
             })
 
             const url = `${baseUrl}${endpoint}?${params.toString()}`
-            console.log('[DEBUG] Full URL:', url)
-            console.log('[DEBUG] Headers:', headers)
+            logger.info('[DEBUG] Full URL:', url)
+            logger.info('[DEBUG] Headers:', headers)
 
             const controller = new AbortController()
             const timeoutId = setTimeout(() => controller.abort(), 15000)
@@ -142,8 +143,8 @@ export class ReflectorService {
 
             clearTimeout(timeoutId)
 
-            console.log('[DEBUG] Response status:', response.status)
-            console.log('[DEBUG] Response headers:', Object.fromEntries(response.headers.entries()))
+            logger.info('[DEBUG] Response status:', response.status)
+            logger.info('[DEBUG] Response headers:', Object.fromEntries(response.headers.entries()))
 
             if (!response.ok) {
                 // Get the actual error response
@@ -169,7 +170,7 @@ export class ReflectorService {
             }
 
             const data = await response.json()
-            console.log('[DEBUG] CoinGecko response data:', data)
+            logger.info('[DEBUG] CoinGecko response data:', data)
 
             const prices: PricesMap = {}