security: critical fixes from audit
CI / test (push) Successful in 1m58s

- Rotate 5 exposed production secrets (JWT, ENCRYPTION, ADMIN, POSTGRES, REDIS)
- Fix MOCK_PAYMENTS opt-in (now defaults to disabled)
- HMAC-SHA256 webhook verification with timing-safe comparison
- Purge dangling git blobs (git gc --prune=now)
- Rate limiting on auth routes (10/15min per IP)
- CORS middleware restricted to falahos.my
- Fix walletBalance → flhBalance (Prisma schema mismatch)
This commit is contained in:
2026-06-27 17:54:34 +08:00
parent bfd3509add
commit 0c3521ba4c
8 changed files with 127 additions and 24 deletions
+1
View File
@@ -39,3 +39,4 @@ yarn-error.log*
# typescript
*.tsbuildinfo
next-env.d.ts
.gstack/