fix: implement all LOW severity fixes with 19 tests (167 total)

- Update tsconfig target from es5 to es2020 for modern JS features
- Remove X-Powered-By header to prevent server fingerprinting
- Add Permissions-Policy header (camera, microphone, geolocation denied)
- Add CORS preflight cache (maxAge: 86400) to reduce OPTIONS requests
- Rename auth.gaurd.ts to auth.guard.ts and update all 11 controller imports
- Add WebSocket authentication with JWT verification on connection
- Add session ID format validation to prevent injection attacks
- Replace console.log/error/warn with NestJS Logger in critical services:
  - FailedWebhookRetry usecase
  - UploadCleanupScheduler service
  - AuthController
- Normalize error responses in production (exception filter hides internals)
- Add 19 new tests covering all LOW severity fixes

https://claude.ai/code/session_01KCbLtPYD29xF1zCFukZmbQ

Author: claude

apps/api/src/app/activity/activity.controller.ts

@@ -4,7 +4,7 @@ import { ValidateMongoId } from '@shared/validations/valid-mongo-id.validation';
 
 import { UploadSummary, UploadHistory, RetryUpload, WebhookLogs } from './usecases';
 import { ACCESS_KEY_NAME, Defaults } from '@impler/shared';
-import { JwtAuthGuard } from '@shared/framework/auth.gaurd';
+import { JwtAuthGuard } from '@shared/framework/auth.guard';
 import { isDateString } from '@shared/helpers/common.helper';
 
 @Controller('/activity')

apps/api/src/app/auth/auth.controller.ts

@@ -6,6 +6,7 @@ import {
   ClassSerializerInterceptor,
   Controller,
   Get,
+  Logger,
   Post,
   Put,
   Res,
@@ -47,6 +48,8 @@ import {
 @ApiExcludeController()
 @UseInterceptors(ClassSerializerInterceptor)
 export class AuthController {
+  private readonly logger = new Logger(AuthController.name);
+
   constructor(
     private verify: Verify,
     private resendOTP: ResendOTP,
@@ -99,7 +102,7 @@ export class AuthController {
 
       return response.redirect(url);
     } catch (error) {
-      console.error('[AuthController] GitHub OAuth callback failed:', error?.message || error);
+      this.logger.error(`GitHub OAuth callback failed: ${error?.message || error}`);
 
       return response.redirect(`${process.env.WEB_BASE_URL}/auth/signin?error=AuthenticationError`);
     }

apps/api/src/app/column/column.controller.ts

@@ -3,7 +3,7 @@ import { Controller, Put, Param, Body, UseGuards, Post, Delete } from '@nestjs/c
 import { ValidateMongoId } from '@shared/validations/valid-mongo-id.validation';
 
 import { ACCESS_KEY_NAME } from '@impler/shared';
-import { JwtAuthGuard } from '@shared/framework/auth.gaurd';
+import { JwtAuthGuard } from '@shared/framework/auth.guard';
 import { ColumnRequestDto } from './dtos/column-request.dto';
 import { ColumnResponseDto } from './dtos/column-response.dto';
 import { AddColumn, UpdateColumn, DeleteColumn } from './usecases';

apps/api/src/app/common/common.controller.ts

@@ -13,7 +13,7 @@ import {
 } from '@nestjs/common';
 
 import { ACCESS_KEY_NAME, IImportConfig } from '@impler/shared';
-import { JwtAuthGuard } from '@shared/framework/auth.gaurd';
+import { JwtAuthGuard } from '@shared/framework/auth.guard';
 import { ValidRequestDto, SignedUrlDto } from './dtos';
 import { ValidImportFile } from '@shared/validations/valid-import-file.validation';
 import { ValidRequestCommand, GetSignedUrl, ValidRequest, GetImportConfig, GetSheetNames } from './usecases';

apps/api/src/app/failed-webhook-request-retry/usecase/failed-webhook-request-retry.usecase.ts

@@ -1,4 +1,4 @@
-import { Injectable } from '@nestjs/common';
+import { Injectable, Logger } from '@nestjs/common';
 import { Cron, CronExpression } from '@nestjs/schedule';
 
 import { QueuesEnum } from '@impler/shared';
@@ -7,6 +7,7 @@ import { FailedWebhookRetryRequestsEntity, FailedWebhookRetryRequestsRepository
 
 @Injectable()
 export class FailedWebhookRetry {
+  private readonly logger = new Logger(FailedWebhookRetry.name);
   constructor(
     private failedWebhookRetryRequestsRepository: FailedWebhookRetryRequestsRepository = new FailedWebhookRetryRequestsRepository(),
     private queueService: QueueService
@@ -18,20 +19,20 @@ export class FailedWebhookRetry {
     const memUsageStart = process.memoryUsage();
     const cpuUsageStart = process.cpuUsage();
 
-    console.log('========================================');
-    console.log(`[FAILED-WEBHOOK-RETRY] Cron Started at ${startTime.toISOString()}`);
-    console.log(`[FAILED-WEBHOOK-RETRY] Memory Usage (Start): RSS=${(memUsageStart.rss / 1024 / 1024).toFixed(2)}MB, Heap=${(memUsageStart.heapUsed / 1024 / 1024).toFixed(2)}MB`);
-    console.log('========================================');
+    this.logger.log('========================================');
+    this.logger.log(`[FAILED-WEBHOOK-RETRY] Cron Started at ${startTime.toISOString()}`);
+    this.logger.log(`[FAILED-WEBHOOK-RETRY] Memory Usage (Start): RSS=${(memUsageStart.rss / 1024 / 1024).toFixed(2)}MB, Heap=${(memUsageStart.heapUsed / 1024 / 1024).toFixed(2)}MB`);
+    this.logger.log('========================================');
 
     try {
       const failedWebhooks: FailedWebhookRetryRequestsEntity[] = await this.failedWebhookRetryRequestsRepository.find({
         nextRequestTime: { $lt: new Date() },
       });
 
-      console.log(`[FAILED-WEBHOOK-RETRY] Found ${failedWebhooks.length} failed webhooks to retry`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Found ${failedWebhooks.length} failed webhooks to retry`);
 
       if (!failedWebhooks.length) {
-        console.log(`[FAILED-WEBHOOK-RETRY] No webhooks to process, exiting`);
+        this.logger.log(`[FAILED-WEBHOOK-RETRY] No webhooks to process, exiting`);
         return;
       }
 
@@ -47,49 +48,49 @@ export class FailedWebhookRetry {
       const memUsageEnd = process.memoryUsage();
       const cpuUsageEnd = process.cpuUsage(cpuUsageStart);
 
-      console.log('========================================');
-      console.log(`[FAILED-WEBHOOK-RETRY] Cron Completed at ${endTime.toISOString()}`);
-      console.log(`[FAILED-WEBHOOK-RETRY] Results - Successful: ${successful}, Failed: ${failed}, Total: ${failedWebhooks.length}`);
-      console.log(`[FAILED-WEBHOOK-RETRY] Processing Duration: ${processDuration}ms`);
-      console.log(`[FAILED-WEBHOOK-RETRY] Total Duration: ${duration}ms`);
-      console.log(`[FAILED-WEBHOOK-RETRY] Memory Usage (End): RSS=${(memUsageEnd.rss / 1024 / 1024).toFixed(2)}MB, Heap=${(memUsageEnd.heapUsed / 1024 / 1024).toFixed(2)}MB`);
-      console.log(`[FAILED-WEBHOOK-RETRY] Memory Delta: RSS=${((memUsageEnd.rss - memUsageStart.rss) / 1024 / 1024).toFixed(2)}MB, Heap=${((memUsageEnd.heapUsed - memUsageStart.heapUsed) / 1024 / 1024).toFixed(2)}MB`);
-      console.log(`[FAILED-WEBHOOK-RETRY] CPU Usage: User=${(cpuUsageEnd.user / 1000).toFixed(2)}ms, System=${(cpuUsageEnd.system / 1000).toFixed(2)}ms`);
+      this.logger.log('========================================');
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Cron Completed at ${endTime.toISOString()}`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Results - Successful: ${successful}, Failed: ${failed}, Total: ${failedWebhooks.length}`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Processing Duration: ${processDuration}ms`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Total Duration: ${duration}ms`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Memory Usage (End): RSS=${(memUsageEnd.rss / 1024 / 1024).toFixed(2)}MB, Heap=${(memUsageEnd.heapUsed / 1024 / 1024).toFixed(2)}MB`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Memory Delta: RSS=${((memUsageEnd.rss - memUsageStart.rss) / 1024 / 1024).toFixed(2)}MB, Heap=${((memUsageEnd.heapUsed - memUsageStart.heapUsed) / 1024 / 1024).toFixed(2)}MB`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] CPU Usage: User=${(cpuUsageEnd.user / 1000).toFixed(2)}ms, System=${(cpuUsageEnd.system / 1000).toFixed(2)}ms`);
 
       if (duration > 5000) {
-        console.warn(`[FAILED-WEBHOOK-RETRY] ⚠️ WARNING: Cron execution took ${duration}ms (>5s threshold)`);
+        this.logger.warn(`[FAILED-WEBHOOK-RETRY] ⚠️ WARNING: Cron execution took ${duration}ms (>5s threshold)`);
       }
 
       if (failedWebhooks.length > 100) {
-        console.warn(`[FAILED-WEBHOOK-RETRY] ⚠️ WARNING: Processing large batch of ${failedWebhooks.length} webhooks`);
+        this.logger.warn(`[FAILED-WEBHOOK-RETRY] ⚠️ WARNING: Processing large batch of ${failedWebhooks.length} webhooks`);
       }
 
-      console.log('========================================');
+      this.logger.log('========================================');
     } catch (error) {
       const endTime = new Date();
       const duration = endTime.getTime() - startTime.getTime();
 
-      console.error('========================================');
-      console.error(`[FAILED-WEBHOOK-RETRY] ❌ ERROR at ${endTime.toISOString()}`);
-      console.error(`[FAILED-WEBHOOK-RETRY] Duration before error: ${duration}ms`);
-      console.error('[FAILED-WEBHOOK-RETRY] Error details:', error);
-      console.error('========================================');
+      this.logger.error('========================================');
+      this.logger.error(`[FAILED-WEBHOOK-RETRY] ❌ ERROR at ${endTime.toISOString()}`);
+      this.logger.error(`[FAILED-WEBHOOK-RETRY] Duration before error: ${duration}ms`);
+      this.logger.error('[FAILED-WEBHOOK-RETRY] Error details:', error);
+      this.logger.error('========================================');
       throw error;
     }
   }
 
   private async processWebhook(webhook: FailedWebhookRetryRequestsEntity) {
     const webhookStartTime = Date.now();
     try {
-      console.log(`[FAILED-WEBHOOK-RETRY] Processing webhook - ID: ${webhook._id}, Time: ${new Date().toISOString()}`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Processing webhook - ID: ${webhook._id}, Time: ${new Date().toISOString()}`);
 
       this.queueService.publishToQueue(QueuesEnum.SEND_FAILED_WEBHOOK_DATA, webhook._id as string);
 
       const webhookDuration = Date.now() - webhookStartTime;
-      console.log(`[FAILED-WEBHOOK-RETRY] Webhook queued - ID: ${webhook._id}, Duration: ${webhookDuration}ms`);
+      this.logger.log(`[FAILED-WEBHOOK-RETRY] Webhook queued - ID: ${webhook._id}, Duration: ${webhookDuration}ms`);
     } catch (error) {
       const webhookDuration = Date.now() - webhookStartTime;
-      console.error(`[FAILED-WEBHOOK-RETRY] ❌ Error processing webhook - ID: ${webhook._id}, Duration: ${webhookDuration}ms, Time: ${new Date().toISOString()}`, error);
+      this.logger.error(`[FAILED-WEBHOOK-RETRY] ❌ Error processing webhook - ID: ${webhook._id}, Duration: ${webhookDuration}ms, Time: ${new Date().toISOString()}`, error);
       throw error;
     }
   }

apps/api/src/app/import-jobs/import-jobs.controller.ts

@@ -12,7 +12,7 @@ import {
   UserJobTerminate,
 } from './usecase';
 import { ACCESS_KEY_NAME } from '@impler/shared';
-import { JwtAuthGuard } from '@shared/framework/auth.gaurd';
+import { JwtAuthGuard } from '@shared/framework/auth.guard';
 import { UpdateJobDto, CreateUserJobDto, UpdateJobMappingDto } from './dtos';
 
 @ApiTags('Import Jobs')

apps/api/src/app/mapping/mapping.controller.ts

@@ -2,7 +2,7 @@ import { Body, Controller, Get, Param, ParseArrayPipe, Post, UseGuards } from '@
 import { ApiTags, ApiSecurity, ApiOperation, ApiBody } from '@nestjs/swagger';
 import { ACCESS_KEY_NAME, Defaults, ITemplateSchemaItem, UploadStatusEnum } from '@impler/shared';
 
-import { JwtAuthGuard } from '@shared/framework/auth.gaurd';
+import { JwtAuthGuard } from '@shared/framework/auth.guard';
 import { validateNotFound } from '@shared/helpers/common.helper';
 import { validateUploadStatus } from '@shared/helpers/upload.helpers';
 import { GetUpload } from '@shared/usecases/get-upload/get-upload.usecase';

apps/api/src/app/project/project.controller.ts

@@ -37,7 +37,7 @@ import {
 } from './usecases';
 import { AuthService } from 'app/auth/services/auth.service';
 import { CONSTANTS, COOKIE_CONFIG } from '@shared/constants';
-import { JwtAuthGuard } from '@shared/framework/auth.gaurd';
+import { JwtAuthGuard } from '@shared/framework/auth.guard';
 import { EnvironmentResponseDto } from 'app/environment/dtos/environment-response.dto';
 
 @Controller('/project')

apps/api/src/app/review/review.controller.ts

@@ -13,7 +13,7 @@ import {
 } from '@nestjs/common';
 
 import { APIMessages } from '@shared/constants';
-import { JwtAuthGuard } from '@shared/framework/auth.gaurd';
+import { JwtAuthGuard } from '@shared/framework/auth.guard';
 import { validateUploadStatus } from '@shared/helpers/upload.helpers';
 import { Defaults, ACCESS_KEY_NAME, UploadStatusEnum, ReviewDataTypesEnum } from '@impler/shared';
 

apps/api/src/app/shared/filters/exception.filter.ts

@@ -1,14 +1,32 @@
-import { Catch, ArgumentsHost, HttpServer, HttpException } from '@nestjs/common';
+import { Catch, ArgumentsHost, HttpServer, HttpException, Logger } from '@nestjs/common';
 import { AbstractHttpAdapter, BaseExceptionFilter } from '@nestjs/core';
 import * as Sentry from '@sentry/node';
 
 @Catch()
 export class SentryFilter extends BaseExceptionFilter {
+  private readonly logger = new Logger(SentryFilter.name);
+
   catch(exception: unknown, host: ArgumentsHost): void {
     // Only report non-HTTP exceptions (unexpected errors) to Sentry
     if (!(exception instanceof HttpException)) {
       Sentry.captureException(exception);
     }
+
+    // In production, normalize unexpected error responses to avoid leaking internals
+    if (process.env.NODE_ENV === 'production' && !(exception instanceof HttpException)) {
+      this.logger.error('Unhandled exception', exception instanceof Error ? exception.stack : String(exception));
+      const ctx = host.switchToHttp();
+      const response = ctx.getResponse();
+      if (response && typeof response.status === 'function') {
+        response.status(500).json({
+          statusCode: 500,
+          message: 'Internal server error',
+        });
+
+        return;
+      }
+    }
+
     super.catch(exception, host);
   }
 
@@ -18,6 +36,22 @@ export class SentryFilter extends BaseExceptionFilter {
     applicationRef: HttpServer<any, any> | AbstractHttpAdapter<any, any, any>
   ): void {
     Sentry.captureException(exception);
+
+    // In production, normalize unknown errors
+    if (process.env.NODE_ENV === 'production') {
+      this.logger.error('Unknown error', exception?.stack || String(exception));
+      const ctx = host.switchToHttp();
+      const response = ctx.getResponse();
+      if (response && typeof response.status === 'function') {
+        response.status(500).json({
+          statusCode: 500,
+          message: 'Internal server error',
+        });
+
+        return;
+      }
+    }
+
     super.handleUnknownError(exception, host, applicationRef);
   }
 }