testing backend security

.gitea/workflows/dev-deploy.yml

@@ -1,62 +0,0 @@
-name: Deploy Backend Development Environment
-
-on:
-  push:
-    branches: [ dev ]
-  workflow_dispatch:
-
-env:
-  ENV_NAME: dev
-  IMAGE_NAME: csa-backend
-  REGISTRY: ${{ secrets.REGISTRY_URL }}
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Set image tag
-      run: |
-        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-
-    - name: Login to registry
-      run: |
-        echo "${{ secrets.REGISTRY_PASSWORD }}" | sudo docker login $REGISTRY \
-          -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
-
-    - name: Build and push image
-      run: |
-        sudo docker build -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG .
-        sudo docker push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Clone manifest repo
-      run: |
-        git clone https://oauth2:${{ secrets.MANIFEST_REPO_TOKEN }}@${{ secrets.MANIFEST_REPO_URL }} manifest
-        cd manifest
-        git checkout $ENV_NAME
-
-    - name: Install kustomize
-      run: |
-        curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
-        sudo mv kustomize /usr/local/bin/
-
-    - name: Update kustomization (DEV)
-      run: |
-        cd manifest/overlays
-        kustomize edit set image \
-          $REGISTRY/$IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Commit manifest update
-      run: |
-        cd manifest
-        git config user.name "csa-ci"
-        git config user.email "ci@gitea.local"
-        git commit -am "deploy(${ENV_NAME}): update backend image to $IMAGE_TAG"
-        git push origin $ENV_NAME
-
-    - name: Cleanup workspace
-      run: |
-        rm -rf manifest

.gitea/workflows/live-deploy.yaml

@@ -1,62 +0,0 @@
-name: Deploy Backend Production Environment
-
-on:
-  push:
-    branches: [ prod ]
-  workflow_dispatch:
-
-env:
-  ENV_NAME: prod
-  IMAGE_NAME: csa-backend
-  REGISTRY: ${{ secrets.REGISTRY_URL }}
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout source code
-      uses: actions/checkout@v4
-
-    - name: Set image tag
-      run: |
-        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV        
-
-    - name: Login to registry
-      run: |
-        echo "${{ secrets.REGISTRY_PASSWORD }}" | sudo docker login $REGISTRY \
-          -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin        
-
-    - name: Build and push image
-      run: |
-        sudo docker build -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG .
-        sudo docker push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG        
-
-    - name: Clone manifest repo
-      run: |
-        git clone https://oauth2:${{ secrets.MANIFEST_REPO_TOKEN }}@${{ secrets.MANIFEST_REPO_URL }} manifest
-        cd manifest
-        git checkout $ENV_NAME
-
-    - name: Install kustomize
-      run: |
-        curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
-        sudo mv kustomize /usr/local/bin/        
-
-    - name: Update kustomization (PROD)
-      run: |
-        cd manifest/overlays
-        kustomize edit set image \
-          $REGISTRY/$IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG        
-
-    - name: Commit manifest update
-      run: |
-        cd manifest
-        git config user.name "csa-ci"
-        git config user.email "ci@gitea.local"
-        git commit -am "deploy(${ENV_NAME}): update backend image to $IMAGE_TAG"
-        git push origin $ENV_NAME        
-
-    - name: Cleanup workspace
-      run: |
-        rm -rf manifest

.gitea/workflows/staging-deploy.yaml

@@ -1,62 +0,0 @@
-name: Deploy Backend Production Environment
-
-on:
-  push:
-    branches: [ staging ]
-  workflow_dispatch:
-
-env:
-  ENV_NAME: staging
-  IMAGE_NAME: csa-backend
-  REGISTRY: ${{ secrets.REGISTRY_URL }}
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout source code
-      uses: actions/checkout@v4
-
-    - name: Set image tag
-      run: |
-        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-
-    - name: Login to registry
-      run: |
-        echo "${{ secrets.REGISTRY_PASSWORD }}" | sudo docker login $REGISTRY \
-          -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
-
-    - name: Build and push image
-      run: |
-        sudo docker build -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG .
-        sudo docker push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Clone manifest repo
-      run: |
-        git clone https://oauth2:${{ secrets.MANIFEST_REPO_TOKEN }}@${{ secrets.MANIFEST_REPO_URL }} manifest
-        cd manifest
-        git checkout $ENV_NAME
-
-    - name: Install kustomize
-      run: |
-        curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
-        sudo mv kustomize /usr/local/bin/
-
-    - name: Update kustomization (STAGING)
-      run: |
-        cd manifest/overlays
-        kustomize edit set image \
-          $REGISTRY/$IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Commit manifest update
-      run: |
-        cd manifest
-        git config user.name "csa-ci"
-        git config user.email "ci@gitea.local"
-        git commit -am "deploy(${ENV_NAME}): update backend image to $IMAGE_TAG"
-        git push origin $ENV_NAME
-
-    - name: Cleanup workspace
-      run: |
-        rm -rf manifest

.gitea/workflows/testing.yaml

@@ -0,0 +1,35 @@
+name: Backend SonarQube Check testing
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  sonar-check:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v4
+
+    - name: Set image tag
+      run: |
+        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+    - name: SonarQube Scan
+      uses: sonarsource/sonarqube-scan-action@v2
+      env:
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_BACKEND_TEST }}
+      with:
+        args: >
+          -Dsonar.projectKey=csa-backend-production
+          -Dsonar.sources=.
+
+    - name: SonarQube Quality Gate
+      uses: sonarsource/sonarqube-quality-gate-action@v1
+      timeout-minutes: 5
+      env:
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_BACKEND_TEST }}

.gitignore

@@ -7,3 +7,5 @@ node_modules
 app.log
 # Ignore generated Prisma client
 /app/generated/prisma
+# Firebase service account
+app/config/serviceAccountKey.json

index.js

@@ -45,11 +45,11 @@ app.use(compression());
 app.use(upload.any());
 
 // FIREBASE
-const serviceAccount = require(path.join(__dirname, "app/config/serviceAccountKey.json"));
+//const serviceAccount = require(path.join(__dirname, "app/config/serviceAccountKey.json"));
 
 if (!admin.apps.length) {
     admin.initializeApp({
-        credential: admin.credential.cert(serviceAccount),
+        credential: admin.credential.applicationDefault(),
         storageBucket: "cifowallet.firebasestorage.app",
     });
 }