This document captures concrete weaknesses observed in the current codebase and why they matter. Each point references the relevant files so the team can verify and prioritize fixes.
**GraphQL auth bypass exposes user data.** ✅ FIXED: The `/graphql` endpoint now requires `requireCoreAuth` and derives `userId` from the verified auth context instead of trusting a caller-supplied value. Users can only access their own bids and balances.

**GraphiQL is always enabled.** ✅ FIXED: GraphiQL is now only enabled when `config.env !== "production"`.
**GraphQL ObjectId handling is broken.** ✅ FIXED: Added a `parseObjectId()` helper that validates string IDs and converts them to proper `ObjectId` instances. All resolvers now use this helper.

**GraphQL balance math uses non-existent totals keys.** ✅ FIXED: The balance resolver now uses the correct `LedgerEntryType` keys: `deposit_confirmed`, `hold_created`, `hold_released`, `hold_captured`, `withdrawal_requested`, `withdrawal_confirmed`, `withdrawal_failed`.

**Webhook dispatcher uses string IDs against ObjectId collections.** ✅ FIXED: `WebhookDelivery.webhookId` is now typed as `ObjectId`. All CRUD operations validate with `ObjectId.isValid()` before converting to an `ObjectId`.
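The two GraphQL fixes above share one lesson: look up ledger totals through keys the type system knows about, so a misspelled key is a compile error rather than an `undefined` that silently turns the balance into `NaN`. The following is an added illustration, not the project's resolver. The ID check is a plain 24-hex-character test standing in for the real `parseObjectId()` (which wraps the driver's `ObjectId`), the `Balance` shape and the way each `LedgerEntryType` moves money between `available`, `held` and `pendingWithdrawal` are assumptions, and the ledger rows are constructed sample data.

```typescript
// Added example: typed ledger totals for a balance resolver (not the project's code).

export type LedgerEntryType =
  | "deposit_confirmed" | "hold_created" | "hold_released" | "hold_captured"
  | "withdrawal_requested" | "withdrawal_confirmed" | "withdrawal_failed";

// Assumed row shape; amounts in integer minor units.
export interface LedgerEntry { userId: string; type: LedgerEntryType; amount: number; }
export interface Balance { available: number; held: number; pendingWithdrawal: number; }

// Stand-in for parseObjectId(): accept only a 24-hex-char string, normalised to lower case.
// The real helper would return an ObjectId instance built from the validated string.
export function parseObjectId(raw: unknown): string {
  if (typeof raw !== "string" || !/^[0-9a-f]{24}$/i.test(raw)) {
    throw new Error("invalid ObjectId");
  }
  return raw.toLowerCase();
}

// Every LedgerEntryType is initialised, so totals[x] is always a number.
export function sumByType(entries: LedgerEntry[]): Record<LedgerEntryType, number> {
  const totals: Record<LedgerEntryType, number> = {
    deposit_confirmed: 0, hold_created: 0, hold_released: 0, hold_captured: 0,
    withdrawal_requested: 0, withdrawal_confirmed: 0, withdrawal_failed: 0,
  };
  for (const e of entries) totals[e.type] += e.amount;
  return totals;
}

// Balance derived only from typed keys (assumed semantics for each entry type).
export function computeBalance(userId: string, entries: LedgerEntry[]): Balance {
  const t = sumByType(entries.filter((e) => e.userId === userId));
  return {
    available: t.deposit_confirmed - t.hold_created + t.hold_released
             - t.withdrawal_requested + t.withdrawal_failed,
    held: t.hold_created - t.hold_released - t.hold_captured,
    pendingWithdrawal: t.withdrawal_requested - t.withdrawal_confirmed - t.withdrawal_failed,
  };
}

// The pre-fix failure mode: an untyped map read with keys no ledger entry ever
// produces. Both lookups are undefined, so the result is NaN, not an error.
export function legacyAvailable(totals: Record<string, number>): number {
  return totals["deposits"] - totals["holds"];
}

// Constructed sample ledger for two users (IDs are arbitrary 24-hex strings).
export const USER_A = "507f1f77bcf86cd799439011";
export const USER_B = "507f191e810c19729de860ea";
export const sampleLedger: LedgerEntry[] = [
  { userId: USER_A, type: "deposit_confirmed", amount: 10000 },
  { userId: USER_A, type: "hold_created", amount: 2500 },
  { userId: USER_A, type: "hold_released", amount: 500 },
  { userId: USER_A, type: "hold_captured", amount: 2000 },
  { userId: USER_A, type: "withdrawal_requested", amount: 3000 },
  { userId: USER_A, type: "withdrawal_failed", amount: 3000 },
  { userId: USER_A, type: "withdrawal_requested", amount: 1000 },
  { userId: USER_A, type: "withdrawal_confirmed", amount: 1000 },
  { userId: USER_B, type: "deposit_confirmed", amount: 99999 },
];

// Resolver-style usage: the user ID comes from the verified auth context, never from args.
export function resolveMyBalance(ctx: { userId: string }): Balance {
  return computeBalance(parseObjectId(ctx.userId), sampleLedger);
}
```

In a resolver, `computeBalance` would be fed the rows of a per-user query rather than an in-memory array; the point is that the only place a ledger key is spelled is the `LedgerEntryType` union, and `Record<LedgerEntryType, number>` forces every key to exist before any arithmetic runs.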
**Webhook SSRF exposure.** ✅ FIXED: Added `isPrivateOrBlockedUrl()` validation that blocks:
- Private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x)
- IPv6 private/link-local addresses
- localhost, *.local, *.internal hostnames
- Cloud metadata endpoints (169.254.169.254)
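The list above is what the check blocks; the caveat a reviewer will want verified is *when* it runs. A check on the URL string alone cannot see a public hostname that resolves to a private address, a DNS answer that changes between validation and connection, or an HTTP redirect into the internal network, so the same range logic has to be applied again to the address actually dialled (and redirects either disabled or re-validated). The following is an added example of that shape, not the project's `isPrivateOrBlockedUrl()`. It uses only Node's `URL` and `net.isIP`, and goes a little beyond the page's list by also rejecting 0.0.0.0/8, 100.64.0.0/10 (CGNAT), multicast and non-HTTP schemes; `isBlockedResolvedAddress()` is a hypothetical companion meant to be called on the result of `dns.lookup` before connecting.

```typescript
// Added example: SSRF-safe webhook URL validation (not the project's code).
import { isIP } from "net";

// IPv4 ranges that a webhook target must never be; malformed input fails closed.
function ipv4Blocked(ip: string): boolean {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
  const [a, b] = o;
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254) ||          // link-local, includes 169.254.169.254 metadata
    (a === 100 && b >= 64 && b <= 127) || // CGNAT (beyond the page's list)
    a >= 224;                             // multicast and reserved
}

// IPv6: loopback, unspecified, unique-local, link-local, and IPv4-mapped forms.
function ipv6Blocked(ip: string): boolean {
  const h = ip.toLowerCase();
  if (h === "::" || h === "::1") return true;
  if (/^f[cd]/.test(h)) return true;     // fc00::/7 unique local
  if (/^fe[89ab]/.test(h)) return true;  // fe80::/10 link local
  const mapped = h.match(/^::ffff:(.+)$/);
  if (mapped) {
    const rest = mapped[1];
    if (rest.includes(".")) return ipv4Blocked(rest);          // ::ffff:10.0.0.1
    const [hi, lo] = rest.split(":").map((x) => parseInt(x, 16)); // ::ffff:a00:1
    return ipv4Blocked(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// First gate: reject at registration time based on the URL as written.
// new URL() normalises tricks such as decimal or shortened IPv4 ("http://2130706433/").
export function isPrivateOrBlockedUrl(raw: string): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return true; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return true;
  let host = u.hostname.toLowerCase();
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1); // IPv6 literal
  if (host === "localhost" || host.endsWith(".localhost") ||
      host.endsWith(".local") || host.endsWith(".internal")) return true;
  const v = isIP(host);
  if (v === 4) return ipv4Blocked(host);
  if (v === 6) return ipv6Blocked(host);
  return false; // a DNS name: must be re-checked on its resolved address below
}

// Second gate (hypothetical helper): apply the same ranges to the address that
// dns.lookup returned, and connect to that exact address, not the name again.
export function isBlockedResolvedAddress(ip: string): boolean {
  const v = isIP(ip);
  if (v === 4) return ipv4Blocked(ip);
  if (v === 6) return ipv6Blocked(ip);
  return true; // not an IP at all: fail closed
}
```

The delivery path should pin the connection to the address that passed `isBlockedResolvedAddress()` (for example via a custom `lookup` option on the HTTP agent) and treat every redirect as a fresh URL that goes through both gates again.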
**Webhook secrets stored in plaintext.** ✅ FIXED: Secrets are now hashed with HMAC-SHA256 before storage. The plaintext secret is returned only once, in the webhook registration response.
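As an added illustration of the fix above (not the project's code): the secret is generated server-side, the stored record carries only an HMAC-SHA256 over it under a server-held key, and verification recomputes the HMAC and compares in constant time. The `SECRET_HASH_KEY` placeholder, the `StoredWebhook` shape and the `whsec_` prefix are assumptions. One caveat the page does not settle: a keyed hash only lets the server *verify* a secret presented to it. If the same secret is what signs outgoing deliveries (the usual webhook design), the server needs it back in plaintext, which means encrypting it under a KMS or Vault key as the follow-up item below suggests, rather than hashing it.

```typescript
// Added example: keyed hashing and constant-time verification of webhook secrets.
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Assumed server-side key (pepper). Load it from config or a secret manager so a
// database dump alone does not let an attacker check candidate secrets.
export const SECRET_HASH_KEY: Buffer = Buffer.from("example-only-replace-with-32-random-bytes");

// Assumed persisted shape: the plaintext secret is never part of it.
export interface StoredWebhook { id: string; url: string; secretHash: string; }

// 256 bits of randomness; the prefix only makes the value recognisable in logs/config.
export function generateWebhookSecret(): string {
  return "whsec_" + randomBytes(32).toString("hex");
}

// HMAC-SHA256 under the server key, hex-encoded for storage.
export function hashWebhookSecret(secret: string, key: Buffer = SECRET_HASH_KEY): string {
  return createHmac("sha256", key).update(secret, "utf8").digest("hex");
}

// Recompute and compare in constant time; a length mismatch is a plain false.
export function verifyWebhookSecret(
  candidate: string, stored: StoredWebhook, key: Buffer = SECRET_HASH_KEY,
): boolean {
  const a = Buffer.from(hashWebhookSecret(candidate, key), "hex");
  const b = Buffer.from(stored.secretHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Registration: the only moment the plaintext exists outside the caller's hands.
export function registerWebhook(
  id: string, url: string,
): { record: StoredWebhook; plaintextSecret: string } {
  const secret = generateWebhookSecret();
  const record: StoredWebhook = { id, url, secretHash: hashWebhookSecret(secret) };
  return { record, plaintextSecret: secret }; // persist `record`; show `plaintextSecret` once
}
```

Because the secret is 256 bits of fresh randomness, the hash is not there to slow down guessing (no stretching is needed); it is there so that a leaked table of webhooks does not hand out working credentials.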
- KMS integration for webhook secrets - Current implementation uses local hashing. For higher security, consider integrating with AWS KMS, HashiCorp Vault, or similar.
- Rate limiting on GraphQL - Consider adding query complexity limits or rate limiting per user.
- Audit logging - Consider logging all auth failures and sensitive operations for security monitoring.