Fix MEDIUM security issues, add logging and request timeout

- Password minimum increased from 8 to 12 characters
- CORS configurable via CORS_ORIGINS env var (comma-separated whitelist)
- Pagination empty string q param handled via preprocess
- Request timeout set to 30 seconds
- Log file output via LOG_FILE env var (stdout + file in production)
- Pino-pretty in development, JSON to stdout + file in production

packages/shared/src/schemas/auth.schema.ts

@@ -5,7 +5,7 @@ export type UserRole = z.infer<typeof UserRole>
 
 export const RegisterSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(8).max(128),
+  password: z.string().min(12).max(128),
   firstName: z.string().min(1).max(100),
   lastName: z.string().min(1).max(100),
   role: UserRole.default('staff'),

packages/shared/src/schemas/pagination.schema.ts

@@ -5,7 +5,7 @@ export const PaginationSchema = z.object({
   limit: z.coerce.number().int().min(1).max(100).default(25),
   sort: z.string().max(50).optional(),
   order: z.enum(['asc', 'desc']).default('asc'),
-  q: z.string().max(255).optional(),
+  q: z.preprocess((v) => (v === '' ? undefined : v), z.string().max(255).optional()),
 })
 export type PaginationInput = z.infer<typeof PaginationSchema>