Merge branch 'main' into codex/fix-backend-issues-for-sponsor-system

Author: fuzziecoder

.github/workflows/backend.yml

@@ -0,0 +1,32 @@
+name: Backend CI
+
+on:
+  pull_request:
+    paths:
+      - 'backend/**'
+
+jobs:
+  backend-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install backend dependencies
+        run: npm install
+        working-directory: backend
+
+      - name: Start backend briefly
+        run: |
+          node backend/server.js &
+          sleep 5
+          kill $! || true
+
+      - name: Run security audit
+        run: npm audit || true

.gitignore

@@ -27,3 +27,6 @@ dist-ssr
 *.njsproj
 *.sln
 *.sw?
+
+# Local backend datastore
+backend/data/

README.md

@@ -83,6 +83,9 @@ BroCode Spot is a full-stack web application designed to streamline group orderi
    VITE_SUPABASE_URL=your_supabase_project_url
    VITE_SUPABASE_ANON_KEY=your_supabase_anon_key
    ```
+   ### Environment Validation
+   The backend validates environment variables at startup.
+   If required variables are missing or invalid, the server will stop immediately with a clear error message.
 
 4. **Set up Supabase**
 

backend/README.md

@@ -1,6 +1,6 @@
 # Backend API
 
-A minimal Node.js backend for BroCode Spot backed by a persistent SQLite database.
+A minimal Node.js backend for BroCode Spot backed by a persistent JSON file database.
 
 ## Start
 
@@ -14,8 +14,8 @@ Server starts at `http://localhost:4000` by default.
 
 ### Issue #26: Move from in-memory store to persistent DB
 
-- Uses `node:sqlite` with a local database file at `backend/data/brocode.sqlite`.
-- You can override the location with `BROCODE_DB_PATH=/custom/path.sqlite npm run backend`.
+- Uses a local JSON database file at `backend/data/brocode.json`.
+- You can override the location with `BROCODE_DB_PATH=/custom/path.json npm run backend`.
 - On first start, seed data is inserted for users, spots, catalog items, and a sample order.
 - New orders are validated against DB data (known `spotId`, `userId`, `productId`) and item pricing is always derived from catalog prices in the database.
 
@@ -24,6 +24,16 @@ Server starts at `http://localhost:4000` by default.
 - Passwords are stored as salted `scrypt` hashes (not plaintext).
 - Legacy plaintext user passwords are auto-migrated to hashed values on successful login.
 
+### Issue #29: Protect login endpoint from brute-force attempts
+
+- Login is now rate-limited per `IP + username` key.
+- Defaults: 5 failed attempts within 15 minutes triggers a 15 minute temporary block (`429`).
+- Configure via env vars:
+  - `LOGIN_RATE_LIMIT_MAX_ATTEMPTS`
+  - `LOGIN_RATE_LIMIT_WINDOW_MS`
+  - `LOGIN_RATE_LIMIT_BLOCK_MS`
+
+
 ## Available endpoints
 
 - `GET /api/health`
@@ -34,6 +44,7 @@ Server starts at `http://localhost:4000` by default.
 - `GET /api/orders?spotId=...&userId=...`
 - `POST /api/orders`
 - `GET /api/bills/:spotId`
+- `DELETE /api/users/:userId` (removes the user and all related records)
 
 ## Example login payload