fix(security): explicit JWT algorithm; body size limit

Restrict JWT sign/verify to HS256 explicitly — prevents algorithm
confusion attacks if the library ever changes its default or an attacker
crafts a token with alg:none.

Add express.json({ limit: '10kb' }) to make the default body size limit
explicit and prevent oversized payload abuse.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: conorluddy

package-lock.json

@@ -42,7 +42,7 @@ if (process.env.NODE_ENV === 'development') {
 app.disable('x-powered-by')
 app.use(helmet())
 app.use(rateLimiter)
-app.use(express.json())
+app.use(express.json({ limit: '10kb' }))
 
 // Health check
 app.get('/health', (_req, res) => {

src/index.ts

@@ -20,7 +20,7 @@ export const authenticateToken = (req: ResidentRequest, _res: Response<ResidentR
     throw new InternalServerError(MESSAGES.JWT_SECRET_NOT_DEFINED)
   }
 
-  jwt.verify(token, secret, (err, user) => {
+  jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, user) => {
     if (err) {
       throw new UnauthorizedError(MESSAGES.TOKEN_INVALID)
     }

src/middleware/auth/jsonWebTokens.ts

@@ -12,6 +12,7 @@ export const generateJwtFromUser = (user: User | SafeUser | PublicUser, expiryOv
     throw new Error(MESSAGES.JWT_SECRET_NOT_FOUND)
   }
   return jwt.sign(userToPublicUser(user), JWT_TOKEN_SECRET, {
+    algorithm: 'HS256',
     expiresIn: (expiryOverride ?? EXPIRATION_JWT_TOKEN ?? DEFAULT_EXPIRATION) as StringValue,
   })
 }