
Security: Hardcoded database credentials, systemic missing auth, NoSQL injection #258

@lighthousekeeper1212

Description

Summary

Critical security vulnerabilities including hardcoded production credentials, systemic missing authentication on 17+ API routes, and NoSQL injection at login.

Findings

1. Hardcoded MongoDB Atlas credentials (CRITICAL)

backend/app.js line 18: MongoDB connection string with username and password committed to the public repository. These credentials should be rotated immediately and moved to environment variables.

2. Hardcoded Gmail SMTP credentials (CRITICAL)

backend/routes/inventory.js, doctorOders.js, verifiedDoctorOder.js: Gmail address and password hardcoded in all three files. The password should be rotated immediately.

3. Systemic missing auth middleware (CRITICAL)

17+ API routes have no authentication middleware even though checkAuth is imported. Affected: ALL user CRUD (/api/user/*), ALL inventory CRUD (/api/inventory/*), ALL doctor user CRUD (/api/doctorUser/*), ALL order management, ALL sales records. Only the supplier routes apply checkAuth correctly. Any anonymous user has full CRUD on all data.

4. NoSQL injection at login (HIGH)

user.js line 40, doctorUser.js line 42: req.body.email is passed directly to User.findOne() as the query filter. Sending {"email": {"$gt": ""}} allows authentication bypass.
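To make the mechanism behind this finding concrete, here is an added example (not code from this repository) showing why a JSON object in the email field matches a record when it is handed to findOne() unchanged, and the string check that closes the hole. A tiny in-memory matcher stands in for MongoDB so it runs offline; the user records and function names are constructed for the example.

```javascript
// Added example, not the project's code. The `users` array is constructed sample data.
const users = [
  { email: 'admin@example.com', userId: 1, passwordHash: 'h1' },
  { email: 'cashier@example.com', userId: 2, passwordHash: 'h2' },
];

// Minimal subset of MongoDB filter semantics: a plain value means equality,
// an object whose keys are operators ($gt, $ne) is evaluated as an expression.
// This is exactly the distinction a driver makes, and why an attacker-supplied
// object is interpreted as a query operator instead of a literal email.
function fieldMatches(value, cond) {
  if (cond === null || typeof cond !== 'object') return value === cond;
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case '$gt': return value > arg;
      case '$ne': return value !== arg;
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Stand-in for User.findOne(): returns the first document matching every filter key.
function findOne(filter) {
  return users.find((doc) =>
    Object.entries(filter).every(([key, cond]) => fieldMatches(doc[key], cond))) || null;
}

// Vulnerable pattern described in finding 4: the body field goes straight into the filter.
function lookupUserVulnerable(body) {
  return findOne({ email: body.email });
}

// Hardened lookup: accept only a non-empty string, so objects never reach the driver.
function lookupUserSafe(body) {
  const { email } = body;
  if (typeof email !== 'string' || email.length === 0 || email.length > 254) {
    throw new TypeError('email must be a non-empty string');
  }
  return findOne({ email });
}

// Demonstration: the operator object matches the first user; the hardened path rejects it.
const injected = { email: { $gt: '' }, password: 'anything' };
console.log(lookupUserVulnerable(injected).email);          // admin@example.com
try {
  lookupUserSafe(injected);
} catch (e) {
  console.log('rejected:', e.message);                      // rejected: email must be a non-empty string
}
console.log(lookupUserSafe({ email: 'cashier@example.com' }).userId); // 2
```

The string check belongs at the route boundary (a validation layer such as a schema validator does the same job); the point is that the type of the value, not just its presence, must be enforced before it becomes part of a query filter.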

5. Self-assigned role at signup (HIGH)

user.js line 16: role: req.body.role, so the user sets their own role at registration.

6. Broken JWT secret mismatch (HIGH)

check-auth.js verifies with 'this_is_the_webToken_secret_key' but check-docAuth.js uses 'this_is_the_webToken_secret_keys' (extra 's'). All doctor tokens fail verification.

7. No RBAC enforcement (HIGH)

JWT payload contains only email and userId, never role. No route checks user role. Cashier tokens work on admin endpoints.

8. Unauthenticated email relay (MEDIUM)

Four email-sending endpoints accept arbitrary recipient addresses without authentication.

Immediate Actions Required

  1. Rotate MongoDB Atlas password and move to environment variable
  2. Rotate Gmail password and use app password or OAuth
  3. Apply checkAuth middleware to all routes
  4. Validate that req.body.email is a string (not an object) to prevent NoSQL injection
  5. Remove role from signup request body
  6. Fix JWT secret in check-docAuth.js
