Harden credentials and authentication security by Cangerana · Pull Request #20 · JoseAP0/Zenrunner_api

Cangerana · 2026-05-10T23:33:17Z

Summury

Remove tracked database credentials and add safe example env/database config files
Harden production SSL, host allowlisting, JWT secret handling, and production DB credential requirements
Add Rack::Attack throttling for login/register endpoints with focused request specs
Document required production environment variables in the README

`git diff --check main...HEAD`
`bundle exec rubocop Gemfile app/services/auth/json_web_token.rb config/initializers/rack_attack.rb spec/support/rack_attack.rb spec/requests/api/v1/auth/sessions_spec.rb spec/requests/api/v1/auth/registrations_spec.rb spec/services/auth/json_web_token_spec.rb`
`bundle exec brakeman --no-pager`
`bundle exec bundler-audit --config config/bundler-audit.yml`
`bundle exec rails middleware | rg "Rack::Attack"`
`docker compose run --rm -e RAILS_ENV=test web bundle exec rspec spec/requests/api/v1/auth/sessions_spec.rb spec/requests/api/v1/auth/registrations_spec.rb spec/services/auth/json_web_token_spec.rb`

Full suite still has unrelated existing failures in the user role enum spec and Stripe env setup specs.
If previously committed DB credentials were pushed/shared, rotate those passwords even after this PR merges."

cangerana added 9 commits May 10, 2026 17:59

Remove tracked database credentials

d9007e6

Add environment variable example file

87201c3

Harden production SSL and host settings

2a90508

Require SSL in production

3993fcd

Require JWT secret in production

7c9792b

Rate limit authentication endpoints

8696699

Isolate Rack Attack in request specs

bec4f9f

Require production database credentials

7590ad3

Document production environment variables

eb14163

Cangerana merged commit be6e620 into main May 10, 2026
2 of 3 checks passed