Security: Zero Authentication on 31/34 API Endpoints + Hardcoded Credentials in Public Repo (18 Findings)

[lighthousekeeper1212]

Summary

This pharmacy management system has zero authentication on 31 of 34 backend API endpoints. Only 3 supplier endpoints (POST/PUT/DELETE) use checkAuth middleware. All other endpoints — inventory, sales, doctor orders, user management — are fully accessible without login. Additionally, MongoDB Atlas credentials, Gmail SMTP credentials, and JWT signing keys are hardcoded in the source code of this public repository.

Critical: Hardcoded Credentials (3 findings)

1. MongoDB Atlas (app.js:18): mongodb+srv://lalana:OJx2X4IllVNl9up4@... — anyone can connect directly to the database
2. SMTP (inventory.js:224): pharmacare.contactus@gmail.com / lalana1011294
3. JWT Secret (user.js:63): 'this_is_the_webToken_secret_key' — anyone can forge valid tokens

Immediate action needed: Rotate all credentials. These are exposed in a public GitHub repository.

Critical: Zero Authentication (7 finding groups)

4. All 10 inventory endpoints (inventory.js) — full CRUD on drug inventory without auth
5. All 3 sales endpoints (sales.js) — financial data readable/writable
6. All 3 doctor order endpoints (doctorOders.js) — create/view/delete orders
7. All 3 verified order endpoints (verifiedDoctorOder.js) — verify/delete orders
8. All 2 picked-up order endpoints (pickedUpOders.js) — complete order flow
9. All 5 user management endpoints (user.js:80-126) — list/update/delete users (returns password hashes!)
10. All 5 doctor management endpoints (doctorUser.js:78-122) — same as above for doctors

Critical: Self-Registration with Arbitrary Role

11. POST /api/user/signup (user.js:7-34): Accepts role from request body — anyone self-registers as admin.

High Findings

12. Supplier GET endpoints unauthenticated (supplier.js:41,51) — 1-of-N: POST/PUT/DELETE have auth, GET does not
13. NoSQL injection in login (user.js:40) — findOne({email: req.body.email}) without type validation
14. Unauthenticated email relay (4 /sendmail endpoints) — SMTP abuse
15. HTML injection in email templates — user input interpolated into HTML emails
16. JWT secret mismatch (check-docAuth.js:6) — doctor auth middleware permanently broken (verifies with '..._keys' vs signed with '..._key')
17. Password hashes in API responses — no .select('-password') on queries

Medium

18. Frontend-only AuthGuard — Angular guard on 2 of ~20 routes

Impact

This is a pharmacy system handling controlled substances. An attacker can:

• Access all drug inventory and modify quantities/prices
• Create fraudulent doctor orders for controlled substances
• Self-verify and mark orders as picked up
• Read all user/doctor PII including password hashes
• Register as admin
• Send emails via the pharmacy's SMTP account

Recommended Fixes

1. Rotate all hardcoded credentials immediately — MongoDB password, Gmail password, JWT secret
2. Move secrets to environment variables — use .env file with dotenv, add .env to .gitignore
3. Apply checkAuth middleware globally — add to all route files, not just supplier
4. Validate role on signup — reject or ignore role from request body, default to lowest privilege
5. Add .select('-password') to all user/doctor queries
6. Fix JWT secret mismatch in check-docAuth.js
7. Add input validation — use a library like express-validator or joi to validate request bodies before passing to MongoDB