testing backend security

2026-01-08 15:10:27 +07:00 · 2026-01-08 15:10:27 +07:00 · f42da23b00
parent f725a80100
commit f42da23b00
6 changed files with 39 additions and 188 deletions
--- a/.gitea/workflows/dev-deploy.yml
+++ b/.gitea/workflows/dev-deploy.yml
@ -1,62 +0,0 @@
-name: Deploy Backend Development Environment
-
-on:
-  push:
-    branches: [ dev ]
-  workflow_dispatch:
-
-env:
-  ENV_NAME: dev
-  IMAGE_NAME: csa-backend
-  REGISTRY: ${{ secrets.REGISTRY_URL }}
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Set image tag
-      run: |
-        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-
-    - name: Login to registry
-      run: |
-        echo "${{ secrets.REGISTRY_PASSWORD }}" | sudo docker login $REGISTRY \
-          -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
-
-    - name: Build and push image
-      run: |
-        sudo docker build -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG .
-        sudo docker push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Clone manifest repo
-      run: |
-        git clone https://oauth2:${{ secrets.MANIFEST_REPO_TOKEN }}@${{ secrets.MANIFEST_REPO_URL }} manifest
-        cd manifest
-        git checkout $ENV_NAME
-
-    - name: Install kustomize
-      run: |
-        curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
-        sudo mv kustomize /usr/local/bin/
-
-    - name: Update kustomization (DEV)
-      run: |
-        cd manifest/overlays
-        kustomize edit set image \
-          $REGISTRY/$IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Commit manifest update
-      run: |
-        cd manifest
-        git config user.name "csa-ci"
-        git config user.email "ci@gitea.local"
-        git commit -am "deploy(${ENV_NAME}): update backend image to $IMAGE_TAG"
-        git push origin $ENV_NAME
-
-    - name: Cleanup workspace
-      run: |
-        rm -rf manifest
--- a/.gitea/workflows/live-deploy.yaml
+++ b/.gitea/workflows/live-deploy.yaml
@ -1,62 +0,0 @@
-name: Deploy Backend Production Environment
-
-on:
-  push:
-    branches: [ prod ]
-  workflow_dispatch:
-
-env:
-  ENV_NAME: prod
-  IMAGE_NAME: csa-backend
-  REGISTRY: ${{ secrets.REGISTRY_URL }}
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout source code
-      uses: actions/checkout@v4
-
-    - name: Set image tag
-      run: |
-        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV        
-
-    - name: Login to registry
-      run: |
-        echo "${{ secrets.REGISTRY_PASSWORD }}" | sudo docker login $REGISTRY \
-          -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin        
-
-    - name: Build and push image
-      run: |
-        sudo docker build -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG .
-        sudo docker push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG        
-
-    - name: Clone manifest repo
-      run: |
-        git clone https://oauth2:${{ secrets.MANIFEST_REPO_TOKEN }}@${{ secrets.MANIFEST_REPO_URL }} manifest
-        cd manifest
-        git checkout $ENV_NAME
-
-    - name: Install kustomize
-      run: |
-        curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
-        sudo mv kustomize /usr/local/bin/        
-
-    - name: Update kustomization (PROD)
-      run: |
-        cd manifest/overlays
-        kustomize edit set image \
-          $REGISTRY/$IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG        
-
-    - name: Commit manifest update
-      run: |
-        cd manifest
-        git config user.name "csa-ci"
-        git config user.email "ci@gitea.local"
-        git commit -am "deploy(${ENV_NAME}): update backend image to $IMAGE_TAG"
-        git push origin $ENV_NAME        
-
-    - name: Cleanup workspace
-      run: |
-        rm -rf manifest
--- a/.gitea/workflows/staging-deploy.yaml
+++ b/.gitea/workflows/staging-deploy.yaml
@ -1,62 +0,0 @@
-name: Deploy Backend Production Environment
-
-on:
-  push:
-    branches: [ staging ]
-  workflow_dispatch:
-
-env:
-  ENV_NAME: staging
-  IMAGE_NAME: csa-backend
-  REGISTRY: ${{ secrets.REGISTRY_URL }}
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout source code
-      uses: actions/checkout@v4
-
-    - name: Set image tag
-      run: |
-        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-
-    - name: Login to registry
-      run: |
-        echo "${{ secrets.REGISTRY_PASSWORD }}" | sudo docker login $REGISTRY \
-          -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
-
-    - name: Build and push image
-      run: |
-        sudo docker build -t $REGISTRY/$IMAGE_NAME:$IMAGE_TAG .
-        sudo docker push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Clone manifest repo
-      run: |
-        git clone https://oauth2:${{ secrets.MANIFEST_REPO_TOKEN }}@${{ secrets.MANIFEST_REPO_URL }} manifest
-        cd manifest
-        git checkout $ENV_NAME
-
-    - name: Install kustomize
-      run: |
-        curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
-        sudo mv kustomize /usr/local/bin/
-
-    - name: Update kustomization (STAGING)
-      run: |
-        cd manifest/overlays
-        kustomize edit set image \
-          $REGISTRY/$IMAGE_NAME=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG
-
-    - name: Commit manifest update
-      run: |
-        cd manifest
-        git config user.name "csa-ci"
-        git config user.email "ci@gitea.local"
-        git commit -am "deploy(${ENV_NAME}): update backend image to $IMAGE_TAG"
-        git push origin $ENV_NAME
-
-    - name: Cleanup workspace
-      run: |
-        rm -rf manifest
--- a/.gitea/workflows/testing.yaml
+++ b/.gitea/workflows/testing.yaml
@ -0,0 +1,35 @@
+name: Backend SonarQube Check testing
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  sonar-check:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v4
+
+    - name: Set image tag
+      run: |
+        echo "IMAGE_TAG=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+    - name: SonarQube Scan
+      uses: sonarsource/sonarqube-scan-action@v2
+      env:
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_BACKEND_TEST }}
+      with:
+        args: >
+          -Dsonar.projectKey=csa-backend-production
+          -Dsonar.sources=.
+
+    - name: SonarQube Quality Gate
+      uses: sonarsource/sonarqube-quality-gate-action@v1
+      timeout-minutes: 5
+      env:
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_BACKEND_TEST }}
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,5 @@ node_modules
 app.log
 # Ignore generated Prisma client
 /app/generated/prisma
+# Firebase service account
+app/config/serviceAccountKey.json
--- a/index.js
+++ b/index.js
@ -45,11 +45,11 @@ app.use(compression());
 app.use(upload.any());

 // FIREBASE
-const serviceAccount = require(path.join(__dirname, "app/config/serviceAccountKey.json"));
+//const serviceAccount = require(path.join(__dirname, "app/config/serviceAccountKey.json"));

 if (!admin.apps.length) {
    admin.initializeApp({
-        credential: admin.credential.cert(serviceAccount),
+        credential: admin.credential.applicationDefault(),
        storageBucket: "cifowallet.firebasestorage.app",
    });
 }