Fix MEDIUM security issues, add logging and request timeout

- Password minimum increased from 8 to 12 characters
- CORS configurable via CORS_ORIGINS env var (comma-separated whitelist)
- Pagination empty string q param handled via preprocess
- Request timeout set to 30 seconds
- Log file output via LOG_FILE env var (stdout + file in production)
- Pino-pretty in development, JSON to stdout + file in production

packages/backend/src/main.ts

@@ -19,9 +19,21 @@ export async function buildApp() {
   const app = Fastify({
     logger: {
       level: process.env.LOG_LEVEL ?? 'info',
-      ...(process.env.NODE_ENV === 'development' ? { transport: { target: 'pino-pretty' } } : {}),
+      ...(process.env.NODE_ENV === 'development'
+        ? { transport: { target: 'pino-pretty' } }
+        : process.env.LOG_FILE
+          ? {
+              transport: {
+                targets: [
+                  { target: 'pino/file', options: { destination: 1 } }, // stdout
+                  { target: 'pino/file', options: { destination: process.env.LOG_FILE, mkdir: true } },
+                ],
+              },
+            }
+          : {}),
     },
     genReqId: () => crypto.randomUUID(),
+    requestTimeout: 30000, // 30 seconds
   })
 
   // Plugins

packages/backend/src/plugins/cors.ts

@@ -2,7 +2,16 @@ import fp from 'fastify-plugin'
 import cors from '@fastify/cors'
 
 export const corsPlugin = fp(async (app) => {
-  await app.register(cors, {
-    origin: process.env.NODE_ENV === 'development' ? true : false,
-  })
+  const corsOrigins = process.env.CORS_ORIGINS
+  let origin: boolean | string[]
+
+  if (process.env.NODE_ENV === 'development') {
+    origin = true // allow all in dev
+  } else if (corsOrigins) {
+    origin = corsOrigins.split(',').map((o) => o.trim())
+  } else {
+    origin = false
+  }
+
+  await app.register(cors, { origin })
 })