signal-works/ice
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Update documentation with security and testing information

Browse source 
README.md:
- Add comprehensive API endpoint documentation with admin routes
- Update security section with detailed protections and limits
- Add rate limiting, input validation, and authentication details
- Include testing information (125+ tests, 76% coverage)
- Update technology stack with TypeScript and security features

CLAUDE.md:
- Add detailed testing coverage information
- Document security features in API endpoints section
- Update key design patterns with security-by-design and testing
- Include input validation limits and rate limiting details
- Clarify admin-only DELETE functionality

Both files now accurately reflect:
- Current security implementations
- Comprehensive test suite
- TypeScript architecture
- Rate limiting and input validation
- Admin authentication requirements

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Claude Code 2025-07-05 21:58:18 -04:00
parent 88f7e72501
commit 1918217449
2 changed files with 60 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

42
CLAUDE.md
View file

@ -60,13 +60,19 @@ npm run watch-css
### Testing
```bash
# Run all tests
# Run all tests (125+ tests with TypeScript)
npm test
# Run tests with coverage report
# Run tests with coverage report (76% overall coverage)
npm run test:coverage
```
**Test Coverage:**
- **Unit Tests:** Location/ProfanityWord models, DatabaseService, ProfanityFilterService
- **Integration Tests:** Public API routes, Admin API routes with authentication
- **Security Tests:** Rate limiting, input validation, authentication flows
- **Coverage:** 76% statements, 63% branches, 78% lines
### Environment Setup
Before running the application, you must configure environment variables:
```bash
@ -140,18 +146,27 @@ Multiple map implementations for flexibility:
### API Endpoints
Public endpoints:
**Public endpoints:**
- `GET /api/config`: Returns MapBox token for frontend geocoding
- `GET /api/locations`: Active locations (< 48 hours old or persistent)
- `POST /api/locations`: Submit new location report (with profanity filtering)
- `POST /api/locations`: Submit new location report (rate limited: 10/15min per IP)
- **Input Validation:** Address ≤500 chars, Description ≤1000 chars
- **Profanity Filtering:** Automatic content moderation with rejection
- **Security:** Rate limiting prevents spam and DoS attacks
Admin endpoints (require Bearer token):
**Admin endpoints (require Bearer token):**
- `POST /api/admin/login`: Authenticate and receive token
- `GET /api/admin/locations`: All locations including expired
- `PUT /api/admin/locations/:id`: Update location details
- `PATCH /api/admin/locations/:id/persistent`: Toggle persistent status
- `DELETE /api/admin/locations/:id`: Delete location
- Profanity management: `/api/admin/profanity-words` (GET, POST, PUT, DELETE)
- `DELETE /api/admin/locations/:id`: Delete location (admin-only)
- **Profanity management:** `/api/admin/profanity-words` (GET, POST, PUT, DELETE)
**Security Features:**
- **Rate Limiting:** Express-rate-limit middleware on public endpoints
- **Authentication:** Bearer token authentication for admin routes
- **Input Validation:** Strict length limits and type checking
- **Audit Logging:** Suspicious activity detection and logging
### SCSS Organization
SCSS files are in `src/scss/`:
@ -164,12 +179,13 @@ SCSS files are in `src/scss/`:
### Key Design Patterns
1. **TypeScript-First Architecture**: Full type safety with strict type checking
2. **Modular Route Architecture**: Routes accept dependencies as parameters for testability
3. **Dual Database Design**: Separate databases for application data and content moderation
4. **Type-Safe Database Operations**: All database interactions use typed models
5. **Graceful Degradation**: Fallback geocoding providers and error handling
6. **Automated Maintenance**: Cron-based cleanup of expired reports
7. **Security**: Server-side content filtering, environment-based configuration
2. **Security-by-Design**: Rate limiting, input validation, and authentication built into core routes
3. **Modular Route Architecture**: Routes accept dependencies as parameters for testability
4. **Dual Database Design**: Separate databases for application data and content moderation
5. **Type-Safe Database Operations**: All database interactions use typed models
6. **Comprehensive Testing**: 125+ tests covering units, integration, and security scenarios
7. **Graceful Degradation**: Fallback geocoding providers and error handling
8. **Automated Maintenance**: Cron-based cleanup of expired reports
### Deployment
- Automated deployment script for Debian 12 ARM64 in `scripts/deploy.sh`