feat: add core security utilities for checksum-based share links

- Add HMAC-SHA256 checksum generation and validation (shareChecksum.ts) - Add PDF magic bytes validation to prevent file spoofing (pdfValidator.ts) - Add IP-based rate limiting for upload abuse prevention (uploadRateLimiter.ts) - Update BillingLocation interface with shareTTL and shareFirstVisitedAt fields - Add environment variables for share link security and TTL configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-08 00:14:20 +01:00
parent 4a5195c938
commit a6ab35a959
5 changed files with 185 additions and 1 deletions
--- a/.env
+++ b/.env
@@ -9,4 +9,15 @@ LINKEDIN_SECRET=ugf61aJ2iyErLK40
 USE_MOCK_AUTH=true

 MAX_BILL_ATTACHMENT_UPLOAD_SIZE_KB=1024
-MAX_PROOF_OF_PAYMENT_UPLOAD_SIZE_KB=1024
+MAX_PROOF_OF_PAYMENT_UPLOAD_SIZE_KB=1024
+
+# Share link security
+SHARE_LINK_SECRET=fb831e43b5ab594106e093f86fa8cb2a2405c564a61c3a7681079ec416528654
+
+# Share link TTL configuration
+SHARE_TTL_INITIAL_DAYS=10
+SHARE_TTL_AFTER_VISIT_HOURS=1
+
+# Rate limiting for uploads
+UPLOAD_RATE_LIMIT_PER_IP=5
+UPLOAD_RATE_LIMIT_WINDOW_MS=3600000