Summary
Critical security vulnerabilities including hardcoded production credentials, systemic missing authentication on 17+ API routes, and NoSQL injection at login.
Findings
1. Hardcoded MongoDB Atlas credentials (CRITICAL)
backend/app.js line 18 - MongoDB connection string with username and password committed to public repository. These credentials should be rotated immediately and moved to environment variables.
2. Hardcoded Gmail SMTP credentials (CRITICAL)
backend/routes/inventory.js, doctorOders.js, verifiedDoctorOder.js - Gmail email and password hardcoded in three files. Password should be rotated immediately.
3. Systemic missing auth middleware (CRITICAL)
17+ API routes have no authentication middleware despite checkAuth being imported. Affected: ALL user CRUD (/api/user/*), ALL inventory CRUD (/api/inventory/*), ALL doctor user CRUD (/api/doctorUser/*), ALL order management, ALL sales records. Only supplier routes correctly apply checkAuth. Any anonymous user has full CRUD on all data.
4. NoSQL injection at login (HIGH)
user.js line 40, doctorUser.js line 42 - req.body.email passed directly to User.findOne(). Sending {"email": {"$gt": ""}} allows authentication bypass.
5. Self-assigned role at signup (HIGH)
user.js line 16 - role: req.body.role - user controls their own role at registration.
6. Broken JWT secret mismatch (HIGH)
check-auth.js verifies with 'this_is_the_webToken_secret_key' but check-docAuth.js uses 'this_is_the_webToken_secret_keys' (extra 's'). All doctor tokens fail verification.
7. No RBAC enforcement (HIGH)
JWT payload contains only email and userId, never role. No route checks user role. Cashier tokens work on admin endpoints.
8. Unauthenticated email relay (MEDIUM)
4 email-sending endpoints accept arbitrary recipient addresses without auth.
Immediate Actions Required
- Rotate MongoDB Atlas password and move to environment variable
- Rotate Gmail password and use app password or OAuth
- Apply checkAuth middleware to all routes
- Validate req.body.email is a string (not object) to prevent NoSQL injection
- Remove role from signup request body
- Fix JWT secret in check-docAuth.js