hyungi/tk-factory-services
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e236883c645058655ab2a34d45a8d080f75487aa
tk-factory-services/tkpurchase/api/index.js
Hyungi Ahn 12367dd3a1 fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정 
Phase 1 CRITICAL XSS:
- marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management)
- toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header)
- onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail)

Phase 2 HIGH 인가:
- getUserBalance 본인확인 추가 (tksupport vacationController)

Phase 3 HIGH 토큰+CSP:
- localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스)
- unsafe-eval CSP 제거 (system1 security.js)

Phase 4 MEDIUM:
- nginx 보안 헤더 추가 (8개 서비스)
- 500 에러 메시지 마스킹 (5개 API)
- path traversal 방지 (system3 file_service.py)
- cookie fallback 데드코드 제거 (4개 auth.js)
- /login/form rate limiting 추가 (sso-auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00

68 lines
2.1 KiB
JavaScript
Raw Blame History

const express = require('express');
const cors = require('cors');
const cron = require('node-cron');
const partnerRoutes = require('./routes/partnerRoutes');
const dayLaborRoutes = require('./routes/dayLaborRoutes');
const scheduleRoutes = require('./routes/scheduleRoutes');
const checkinRoutes = require('./routes/checkinRoutes');
const workReportRoutes = require('./routes/workReportRoutes');
const partnerAccountRoutes = require('./routes/partnerAccountRoutes');
const projectRoutes = require('./routes/projectRoutes');
const app = express();
const PORT = process.env.PORT || 3000;
const allowedOrigins = [
'https://tkfb.technicalkorea.net',
'https://tkreport.technicalkorea.net',
'https://tkqc.technicalkorea.net',
'https://tkuser.technicalkorea.net',
'https://tkpurchase.technicalkorea.net',
'https://tksafety.technicalkorea.net',
];
if (process.env.NODE_ENV === 'development') {
allowedOrigins.push('http://localhost:30080', 'http://localhost:30480');
}
app.use(cors({
origin: function(origin, cb) {
if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
cb(new Error('CORS blocked: ' + origin));
},
credentials: true
}));
app.use(express.json());
// Health check
app.get('/health', (req, res) => {
res.json({ status: 'ok', service: 'tkpurchase-api', timestamp: new Date().toISOString() });
});
// Routes
app.use('/api/partners', partnerRoutes);
app.use('/api/day-labor', dayLaborRoutes);
app.use('/api/schedules', scheduleRoutes);
app.use('/api/checkins', checkinRoutes);
app.use('/api/work-reports', workReportRoutes);
app.use('/api/partner-accounts', partnerAccountRoutes);
app.use('/api/projects', projectRoutes);
// 404
app.use((req, res) => {
res.status(404).json({ success: false, error: 'Not Found' });
});
// Error handler
app.use((err, req, res, next) => {
console.error('tkpurchase-api Error:', err.message);
res.status(err.status || 500).json({
success: false,
error: '서버 오류가 발생했습니다'
});
});
app.listen(PORT, () => {
console.log(`tkpurchase-api running on port ${PORT}`);
});
module.exports = app;
Reference in New Issue View Git Blame Copy Permalink