diff --git a/backend/src/routes/risk-score.ts b/backend/src/routes/risk-score.ts index 4b9a9b1..9581518 100644 --- a/backend/src/routes/risk-score.ts +++ b/backend/src/routes/risk-score.ts @@ -6,6 +6,7 @@ import express, { Response } from 'express'; import { riskDetectionService } from '../services/risk-detection/risk-detection-service'; import { riskNotificationService } from '../services/risk-detection/risk-notification-service'; import { authenticate, AuthenticatedRequest } from '../middleware/auth'; +import { adminAuth } from '../middleware/admin'; import logger from '../config/logger'; const router = express.Router(); @@ -155,8 +156,10 @@ router.get('/', async (req: AuthenticatedRequest, res: Response) => { * description: Recalculation result * 401: * description: Unauthorized + * 403: + * description: Forbidden - Admin access required */ -router.post('/recalculate', async (req: AuthenticatedRequest, res: Response) => { +router.post('/recalculate', adminAuth, async (req: AuthenticatedRequest, res: Response) => { try { const userId = req.user?.id; @@ -167,9 +170,6 @@ router.post('/recalculate', async (req: AuthenticatedRequest, res: Response) => }); } - // TODO: Add admin check - // For now, allow any authenticated user to trigger recalculation - logger.info('Manual risk recalculation triggered', { user_id: userId }); const result = await riskDetectionService.recalculateAllRisks(); diff --git a/client/lib/security-utils.ts b/client/lib/security-utils.ts index 07ad83c..5847f5e 100644 --- a/client/lib/security-utils.ts +++ b/client/lib/security-utils.ts @@ -167,13 +167,16 @@ export class SessionManager { } } -// Secure storage wrapper -export const secureStorage = { - set(key: string, value: any): void { +// Base64-encoded localStorage wrapper. +// WARNING: This is NOT encryption. Values can be trivially decoded with atob(). +// Do NOT use for API keys, tokens, passwords, or any sensitive data. +// For sensitive data, use server-side storage or the Web Crypto API. +export const encodedStorage = { + set(key: string, value: unknown): void { if (typeof window === "undefined") return try { - const encrypted = btoa(JSON.stringify(value)) - localStorage.setItem(key, encrypted) + const encoded = btoa(JSON.stringify(value)) + localStorage.setItem(key, encoded) } catch (error) { console.error("Failed to store data:", error) } @@ -182,9 +185,9 @@ export const secureStorage = { get(key: string): T | null { if (typeof window === "undefined") return null try { - const encrypted = localStorage.getItem(key) - if (!encrypted) return null - return JSON.parse(atob(encrypted)) as T + const encoded = localStorage.getItem(key) + if (!encoded) return null + return JSON.parse(atob(encoded)) as T } catch (error) { console.error("Failed to retrieve data:", error) return null