From 3327b09fdad19816a9d64b7178cbb8b473ac9de4 Mon Sep 17 00:00:00 2001 From: Demian Date: Sat, 11 Apr 2026 01:10:27 -0400 Subject: [PATCH 1/2] fix: remove debug artifacts and fix password reset token log exposure - Delete GET /auth/test debug endpoint and bcrypt import - Remove raw reset token and reset URL from application logs; replace with neutral 'Password reset requested for user ID: X' log entry - Gate Swagger UI behind NODE_ENV !== 'production' - Remove persistAuthorization from Swagger options Closes #99 --- backend/src/main.ts | 86 ++++++++++----------- backend/src/modules/auth/auth.controller.ts | 28 +------ backend/src/modules/auth/auth.service.ts | 8 +- 3 files changed, 44 insertions(+), 78 deletions(-) diff --git a/backend/src/main.ts b/backend/src/main.ts index c52a1af..b25c0c6 100644 --- a/backend/src/main.ts +++ b/backend/src/main.ts 
@@ -34,51 +34,49 @@ async function bootstrap() { // Global Exception Filter for standardized error responses app.useGlobalFilters(new HttpExceptionFilter()); - // Swagger/OpenAPI Documentation Setup - const config = new DocumentBuilder() - .setTitle('Station API') - .setDescription( - 'API documentation for Station - Gaming guild and organization management portal', - ) - .setVersion('1.0') - .addTag('auth', 'Authentication endpoints') - .addTag('users', 'User management endpoints') - .addTag('organizations', 'Organization management endpoints') - .addTag('roles', 'Role management endpoints') - .addTag( - 'user-organization-roles', - 'User-Organization-Role assignment endpoints', - ) - .addTag('permissions', 'Permission aggregation endpoints') - .addBearerAuth( - { - type: 'http', - scheme: 'bearer', - bearerFormat: 'JWT', - name: 'JWT', - description: 'Enter JWT token', - in: 'header', - }, - 'access-token', - ) - .addBearerAuth( - { - type: 'http', - scheme: 'bearer', - name: 'Refresh Token', - description: 'Enter refresh token', - in: 'header', - }, - 'refresh-token', - ) - .build(); + // Swagger/OpenAPI Documentation — development only + if (process.env.NODE_ENV !== 'production') { + const config = new DocumentBuilder() + .setTitle('Station API') + .setDescription( + 'API documentation for Station - Gaming guild and organization management portal', + ) + .setVersion('1.0') + .addTag('auth', 'Authentication endpoints') + .addTag('users', 'User management endpoints') + .addTag('organizations', 'Organization management endpoints') + .addTag('roles', 'Role management endpoints') + .addTag( + 'user-organization-roles', + 'User-Organization-Role assignment endpoints', + ) + .addTag('permissions', 'Permission aggregation endpoints') + .addBearerAuth( + { + type: 'http', + scheme: 'bearer', + bearerFormat: 'JWT', + name: 'JWT', + description: 'Enter JWT token', + in: 'header', + }, + 'access-token', + ) + .addBearerAuth( + { + type: 'http', + scheme: 'bearer', + name: 
'Refresh Token', + description: 'Enter refresh token', + in: 'header', + }, + 'refresh-token', + ) + .build(); - const document = SwaggerModule.createDocument(app, config); - SwaggerModule.setup('api/docs', app, document, { - swaggerOptions: { - persistAuthorization: true, - }, - }); + const document = SwaggerModule.createDocument(app, config); + SwaggerModule.setup('api/docs', app, document); + } // Log application startup information await app.listen(port); diff --git a/backend/src/modules/auth/auth.controller.ts b/backend/src/modules/auth/auth.controller.ts index 765730c..080e06a 100644 --- a/backend/src/modules/auth/auth.controller.ts +++ b/backend/src/modules/auth/auth.controller.ts @@ -1,11 +1,4 @@ -import { - Controller, - Post, - UseGuards, - Request, - Body, - Get, -} from '@nestjs/common'; +import { Controller, Post, UseGuards, Request, Body } from '@nestjs/common'; import { ApiTags, ApiOperation, @@ -19,7 +12,6 @@ import { JwtAuthGuard } from './jwt-auth.guard'; import { RefreshTokenAuthGuard } from './refresh-token-auth.guard'; import { UserDto } from '../users/dto/user.dto'; import { Request as ExpressRequest } from 'express'; -import * as bcrypt from 'bcrypt'; import { ChangePasswordDto, ForgotPasswordDto, @@ -123,22 +115,4 @@ export class AuthController { newPassword, ); } - - @Get('test') - async testBCrypt() { - (async () => { - const plainPassword = 'securePassword123'; - const saltRounds = 10; - - // Simulate Registration - const hashedPassword = await bcrypt.hash(plainPassword, saltRounds); - console.log('Plain password:', plainPassword); - console.log('Hashed password:', hashedPassword); - - // Simulate Login - const isMatch = await bcrypt.compare(plainPassword, hashedPassword); - console.log('Passwords match:', isMatch); - return isMatch; - })(); - } } diff --git a/backend/src/modules/auth/auth.service.ts b/backend/src/modules/auth/auth.service.ts index 646febb..2917db2 100644 --- a/backend/src/modules/auth/auth.service.ts 
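Review bot: The guard `process.env.NODE_ENV !== 'production'` around the new Swagger block fails open: an unset NODE_ENV, or any value other than exactly 'production' (for example 'prod' or 'staging'), still mounts api/docs with both bearer-auth schemes advertised. A deny-list keyed on a single string is fragile for a control whose purpose is to hide the API surface; invert it to an explicit opt-in, `const docsEnabled = process.env.NODE_ENV === 'development' || process.env.SWAGGER_ENABLED === 'true';` and branch on `if (docsEnabled) {` instead. Dropping `persistAuthorization` is the right call, since that option keeps entered JWTs in the browser's storage across reloads. bootstrap() begins before this hunk and continues after it.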
+++ b/backend/src/modules/auth/auth.service.ts @@ -174,13 +174,7 @@ export class AuthService { }); // TODO: Send email with reset link - // For now, just log the token (in production, send via email service) - this.logger.log( - `Password reset token for ${email}: ${token} (expires at ${expiresAt})`, - ); - this.logger.log( - `Reset link would be: ${this.configService.get('FRONTEND_URL') || 'http://localhost:5173'}/reset-password?token=${token}`, - ); + this.logger.log(`Password reset requested for user ID: ${user.id}`); return successMessage; } From 07f36679452345660e73d95451f0ff62880dbf1d Mon Sep 17 00:00:00 2001 From: Demian Date: Sat, 11 Apr 2026 19:47:23 -0400 Subject: [PATCH 2/2] fix: gate Swagger startup log to non-production environments The Swagger docs URL was being logged unconditionally even when the UI itself was not mounted in production. Moves the log line inside the same NODE_ENV !== 'production' guard for consistency. --- backend/src/main.ts | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/backend/src/main.ts b/backend/src/main.ts index b25c0c6..04c2f9d 100644 --- a/backend/src/main.ts +++ b/backend/src/main.ts @@ -84,10 +84,12 @@ async function bootstrap() { `🚀 Application '${appName}' is running on: http://localhost:${port}`, 'Bootstrap', ); - Logger.log( - `📚 Swagger documentation available at: http://localhost:${port}/api/docs`, - 'Bootstrap', - ); + if (process.env.NODE_ENV !== 'production') { + Logger.log( + `📚 Swagger documentation available at: http://localhost:${port}/api/docs`, + 'Bootstrap', + ); + } } bootstrap();
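Review bot: With the token log removed and the `// TODO: Send email with reset link` still open, the forgot-password path now persists a reset token that has no delivery channel at all, yet still returns `successMessage` — the feature is silently non-functional with no signal in code or logs. That is the correct trade-off versus leaking the token into log storage, but it should be stated where the next maintainer will see it: extend the TODO to `// TODO: Send email with reset link — until the mailer is wired in, tokens are stored but undeliverable and reset is non-functional`. The replacement log line is appropriate; logging `user.id` rather than the e-mail address also keeps PII out of the logs. The enclosing method begins before this hunk, so I cannot see where `user` and `token` are produced or whether the response is identical for unknown e-mail addresses.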
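Review bot: The environment check `process.env.NODE_ENV !== 'production'` now appears twice in bootstrap() — once around `SwaggerModule.setup` (outside this hunk) and again around this log — so the two can drift if one is later changed to a different condition or variable, which would advertise a docs URL that is not mounted (or hide one that is). Hoist it once near the top of bootstrap(), `const swaggerEnabled = process.env.NODE_ENV !== 'production';`, and use `if (swaggerEnabled) {` at both sites. The logged URL also hardcodes `http://localhost`, which misleads when the app binds elsewhere, but that predates this change. bootstrap() begins before this hunk.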