Security hardening for Netlify serverless functions #48

Merged: ArnavBallinCode merged 1 commit into monorepo-test-naren from copilot/sub-pr-44-yet-again, Dec 19, 2025

Copilot AI commented Nov 30, 2025

Previous review identified critical security vulnerabilities in the Netlify functions: wildcard CORS, missing input validation, exposed internal errors, inefficient N+1 queries, and weak username generation.

Changes

CORS Hardening (utils/cors.js)

  • Replaced '*' wildcard with environment-aware origin allowlist
  • Supports ALLOWED_ORIGINS env var or defaults to localhost + production URLs

Input Validation (utils/validation.js)

  • Email format validation with length limits
  • User ID / Session ID format validation (alphanumeric + UUID patterns)
  • JWT credential format and length validation

Supabase Security (utils/supabase.js)

  • Environment variable presence validation before use
  • Throws on missing keys instead of exposing "undefined" in headers

Error Handling (utils/errors.js)

  • Generic user-facing error messages
  • Internal details logged server-side only

Query Safety

  • All user inputs URL-encoded with encodeURIComponent() before Supabase queries
  • Batched user fetch in leaderboard to eliminate N+1 pattern

Username Generation (auth-google.js)

// Before: Random 1000-9999 suffix, loops indefinitely if collisions
const username = `${base}_${Math.floor(Math.random() * 9000) + 1000}`;

// After: Timestamp + random suffix, collision-resistant
const username = `${base}_${Date.now().toString(36)}${Math.random().toString(36).slice(2, 7)}`;

Outstanding

  • Rate limiting on auth endpoints requires external service (Upstash Redis or Netlify Edge)
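
The origin allowlist described under "CORS Hardening", as an added example that is not part of this pull request or the project's `utils/cors.js`. The helper names, the comma-separated `ALLOWED_ORIGINS` format, the default URLs and the allowed methods and headers are all assumptions.

```javascript
// Added example: hypothetical helpers, not the PR's utils/cors.js.
// Constructed defaults; the project's real localhost/production URLs are not on the page.
const DEFAULT_ORIGINS = ['http://localhost:8888', 'https://app.example.com'];

// Parse ALLOWED_ORIGINS (assumed comma-separated) into a set of exact origins.
function parseAllowedOrigins(raw) {
  const entries = (raw || '').split(',').map((s) => s.trim()).filter(Boolean);
  const allowed = new Set();
  for (const entry of entries.length ? entries : DEFAULT_ORIGINS) {
    let url;
    try {
      url = new URL(entry);
    } catch {
      continue; // a bare '*' or other malformed entry is dropped, not trusted
    }
    // Normalise to scheme://host[:port] so a stray path cannot break matching.
    if (url.protocol === 'http:' || url.protocol === 'https:') allowed.add(url.origin);
  }
  return allowed; // empty set when every entry was invalid: fail closed
}

// Build CORS headers for one request. An origin outside the allowlist gets no
// Access-Control-Allow-Origin header, so the browser refuses the cross-origin read.
function corsHeaders(requestOrigin, allowed = parseAllowedOrigins(process.env.ALLOWED_ORIGINS)) {
  const headers = { Vary: 'Origin' }; // shared caches must key on Origin
  if (requestOrigin && allowed.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  }
  return headers;
}

// Netlify-style handler: answer the preflight, attach the same headers otherwise.
async function handler(event) {
  const reqHeaders = event.headers || {};
  const headers = corsHeaders(reqHeaders.origin || reqHeaders.Origin);
  if (event.httpMethod === 'OPTIONS') return { statusCode: 204, headers, body: '' };
  return { statusCode: 200, headers, body: JSON.stringify({ ok: true }) };
}
```

Setting `ALLOWED_ORIGINS` to `*` in this sketch yields an empty allowlist rather than an open one, which keeps a misconfiguration from silently restoring the wildcard behaviour.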

netlify Bot commented Nov 30, 2025

Deploy Preview for quantum-escape ready!

Name Link
🔨 Latest commit d7bb4ae
🔍 Latest deploy log https://app.netlify.com/projects/quantum-escape/deploys/692c80152273260008f173a3
😎 Deploy Preview https://deploy-preview-48--quantum-escape.netlify.app

Copilot AI changed the title from "[WIP] Migrate project to Netlify serverless monorepo architecture" to "Security hardening for Netlify serverless functions", Nov 30, 2025
ArnavBallinCode marked this pull request as ready for review, December 19, 2025 02:34
ArnavBallinCode merged commit 231b252 into monorepo-test-naren, Dec 19, 2025
5 checks passed
ArnavBallinCode deleted the copilot/sub-pr-44-yet-again branch, December 19, 2025 05:18