- #42: Remove hardcoded ENCRYPTION_KEY fallback from config.js, add startup validation for BOT_TOKEN and ENCRYPTION_KEY length
- #43: Fix SQL injection vulnerabilities — add ALLOWED_TABLES whitelist in database.js, ALLOWED_USER_FIELDS in userService.js, validate table names before PRAGMA
- #44: Fix race condition in purchaseService.js — wrap createPurchase in BEGIN IMMEDIATE TRANSACTION, add atomic balance/stock checks
- #41: Move all secrets from docker-compose.yml to .env file, use env_file directive
- #45: Replace MD5 tx_hash with crypto.randomUUID()
- #46: Upgrade KDF from SHA-256 to HKDF for mnemonic encryption, add backward compatibility for legacy format
- #47: Add input validation across all handlers — walletType whitelist, string length limits, numeric ID checks, price bounds

New files:
- src/utils/encryption.js (HKDF key derivation)
- src/__tests__/security.test.js (SQL injection prevention tests)

Closes: #41, #42, #43, #44, #45, #46, #47
version: "3.3"
|
|
services:
|
|
telegram_shop_prod:
|
|
build:
|
|
context: .
|
|
dockerfile: ./Dockerfile
|
|
hostname: telegram_shop_prod
|
|
container_name: telegram_shop_prod
|
|
restart: always
|
|
env_file:
|
|
- .env
|
|
volumes:
|
|
- ./db:/app/db/ # Синхронизация базы данных
|
|
- ./src:/app/src/ # Синхронизация исходного кода
|
|
- ./package.json:/app/package.json # Синхронизация package.json
|
|
- ./package-lock.json:/app/package-lock.json # Синхронизация package-lock.json
|
|
- ./wg/config/wg0.conf:/etc/wireguard/wg0.conf # Монтируем конфиг WireGuard
|
|
- ./wg/config/resolv.conf:/etc/resolv.conf # Монтируем resolv.conf
|
|
- ./wg/start.sh:/app/start.sh # Монтируем start.sh
|
|
cap_add: # Необходимо для работы WireGuard
|
|
- NET_ADMIN
|
|
- SYS_MODULE
|
|
sysctls:
|
|
- net.ipv4.conf.all.src_valid_mark=1 # Необходимо для маршрутизации
|
|
privileged: true # Даем контейнеру повышенные привилегии
|
|
networks:
|
|
default:
|