SecureNotes Cloud

A secure, containerized Node.js backend demonstrating DevSecOps best practices.

πŸ” Security Architecture

| Security Control | Implementation |
|---|---|
| IAM | Clerk JWT authentication |
| Authorization | Express middleware + API-level checks |
| Data Security | Supabase Row Level Security (RLS) |
| Secrets Management | Environment variables |
| Container Hardening | Alpine base, non-root user |
| Vulnerability Scanning | Trivy |
| Monitoring | Render logs |
| Incident Response | Documented plan |

🗂 Project Structure

YourNotes-cloud/
├── app/app.js              # Express application
├── routes/
│   ├── protected.js        # Auth test routes
│   └── notes.js            # Notes CRUD
├── services/
│   ├── clerk.js            # Clerk client
│   └── supabase.js         # Supabase client
├── middleware/
│   └── authMiddleware.js   # JWT validation
├── docker/
│   └── Dockerfile          # Hardened container
├── security/
│   └── incident-response.md
├── server.js               # Entry point
└── .env.example            # Environment template

🖥️ Frontend Architecture

The project includes a modern, responsive frontend built with:

| Component | Technology |
|---|---|
| Framework | React 19 + Vite |
| Styling | Tailwind CSS + Shadcn UI |
| Icons | Lucide React |
| Rich Text | Tiptap Editor |
| State/Forms | React Hook Form + Zod |
| Authentication | Clerk React SDK |

The frontend is located in the frontend/ directory and communicates with the backend via REST API.

🚀 Quick Start

Prerequisites

  • Node.js 20+
  • Docker (optional)
  • Clerk account
  • Supabase account

1. Install Dependencies

npm install

2. Configure Environment

cp .env.example .env
# Edit .env with your credentials

Required environment variables:

  • CLERK_SECRET_KEY - From Clerk dashboard
  • SUPABASE_URL - Your Supabase project URL
  • SUPABASE_ANON_KEY - Supabase anon/public key

3. Set Up Supabase Database

Execute in Supabase SQL editor:

-- Create notes table
CREATE TABLE notes (
  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
  user_id TEXT NOT NULL,
  title TEXT NOT NULL,
  content TEXT,
  created_at TIMESTAMPTZ DEFAULT NOW()
);

-- Enable Row Level Security
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;

-- Users can only access their own notes
CREATE POLICY "Users can view own notes"
ON notes FOR SELECT USING (user_id = auth.uid()::text);

CREATE POLICY "Users can insert own notes"
ON notes FOR INSERT WITH CHECK (user_id = auth.uid()::text);

CREATE POLICY "Users can delete own notes"
ON notes FOR DELETE USING (user_id = auth.uid()::text);

4. Run Development Server

npm run dev

🐳 Docker Deployment

Build Image

docker build -t yournotes-cloud -f docker/Dockerfile .

Run Container

docker run -p 3000:3000 --env-file .env yournotes-cloud

Verify Security

# Confirm non-root user
docker run yournotes-cloud whoami
# Output: node

πŸ” Vulnerability Scanning

# Scan with Trivy
trivy image yournotes-cloud > security/trivy-scan.txt

📑 API Endpoints

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | / | No | Health check |
| GET | /api/protected | Yes | Auth test |
| GET | /api/protected/me | Yes | User profile |
| GET | /api/notes | Yes | List user's notes |
| GET | /api/notes/:id | Yes | Get specific note |
| POST | /api/notes | Yes | Create note |
| DELETE | /api/notes/:id | Yes | Delete note |

Example Request

curl -H "Authorization: Bearer <clerk_session_token>" \
  http://localhost:3000/api/notes

☁️ Render Deployment

  1. Connect GitHub repository to Render
  2. Create new Web Service
  3. Set build command: docker build -t app -f docker/Dockerfile .
  4. Add environment variables in Render dashboard
  5. Deploy

📋 Security Checklist

  • JWT authentication on all protected routes
  • Row Level Security on database
  • Non-root container user
  • Minimal Alpine base image
  • Secrets in environment variables
  • No hardcoded credentials
  • Incident response plan documented
  • Structured request logging for monitoring
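The last checklist item, structured request logging, is what makes the Render logs in the monitoring row usable for detection. The following is an added example, not the repository's own code, of one JSON line per request: fields are allow-listed so a bearer token can never reach the log, note ids are collapsed to the `:id` route template used in the endpoint table, and a level is derived from the status so auth failures and server errors stand out. `buildRequestLog`, `requestLogger` and `levelFor` are hypothetical names, and the sample request is constructed.

```javascript
// Added example, not the repository's own code: one JSON log line per request.
// Fields are allow-listed (the raw headers object is never copied) so the
// Authorization and Cookie values cannot leak into the logs. buildRequestLog,
// requestLogger and levelFor are hypothetical names; SAMPLE_ENTRY is constructed.
const UUID_SEGMENT = /\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?=\/|$)/gi;

// /api/notes/<uuid> -> /api/notes/:id, matching the endpoint table's notation,
// so one line per note id does not fragment searches and counts in the log view.
function routeTemplate(path) {
  return path.replace(UUID_SEGMENT, '/:id');
}

// Auth failures and rate limiting are worth a warning; 5xx is an error.
function levelFor(statusCode) {
  if (statusCode >= 500) return 'error';
  if (statusCode === 401 || statusCode === 403 || statusCode === 429) return 'warn';
  return 'info';
}

// Builds the entry from explicit fields only; durationMs is rounded so the
// field stays an integer for simple numeric filters.
function buildRequestLog(req, res, durationMs, now = new Date()) {
  const headers = req.headers || {};
  const path = req.path || '/';
  return {
    ts: now.toISOString(),
    level: levelFor(res.statusCode),
    method: req.method,
    route: routeTemplate(path),
    path,
    status: res.statusCode,
    duration_ms: Math.round(durationMs),
    user_id: req.auth ? req.auth.userId : null, // set by the auth middleware on protected routes
    request_id: headers['x-request-id'] || null,
    user_agent: headers['user-agent'] || null,
    ip: req.ip || null,
  };
}

// Express-style middleware: emits the line once the response has been sent,
// so the final status code and the full latency are known.
function requestLogger(sink = (line) => console.log(line)) {
  return function (req, res, next) {
    const start = process.hrtime.bigint();
    res.on('finish', () => {
      const durationMs = Number(process.hrtime.bigint() - start) / 1e6;
      sink(JSON.stringify(buildRequestLog(req, res, durationMs)));
    });
    next();
  };
}

// Constructed sample: what a successful authenticated read looks like in the log.
const SAMPLE_ENTRY = buildRequestLog(
  {
    method: 'GET',
    path: '/api/notes/123e4567-e89b-12d3-a456-426614174000',
    headers: { authorization: 'Bearer constructed-token', 'user-agent': 'curl/8.4.0' },
    auth: { userId: 'user_alice' },
    ip: '203.0.113.7',
  },
  { statusCode: 200 },
  12.6,
  new Date('2024-01-01T00:00:00Z'),
);
```

Mount it with `app.use(requestLogger())` before the routes. Because the logger reads `req.auth` at response time, a 401 line carries `user_id: null` while a 404 from the ownership check carries the caller's id, which is exactly the pair a monitoring rule wants to distinguish.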

✅ Requirements Compliance Matrix

This project uses a modern Cloud-Native / Infrastructure-as-Code (IaC) approach to meet the course requirements.

| Requirement | Implementation in Project | File Location |
|---|---|---|
| Cloud Resource Provisioning (VPC) | Defined as Code using Terraform (AWS Provider) | infrastructure/main.tf |
| Subnets (Public/Private) | Defined in Terraform Network configuration | infrastructure/network.tf |
| Security Groups / Firewalls | Defined as AWS Security Groups with strict ingress | infrastructure/security.tf |
| Virtual Machines (Linux) | Implemented as Kubernetes Nodes & Containers | k8s/deployment.yaml |
| Container Orchestration | Kubernetes Manifests (Deployment/Service/Ingress) | k8s/ |
| IAM Permission Policies | JSON Policy Documents in Security Config | docs/3-security-controls.md |
| Logical Network Topology | Diagram & Description | docs/2-cloud-architecture.md |
| Incident Response Plan | Documented Procedures | docs/4-monitoring-response.md |

Note: Instead of creating VMs by hand in a console, this project uses declarative infrastructure. The infrastructure/ folder contains the "blueprints" that would build the entire VPC and VM layer in a real AWS environment.

📄 License

ISC

About

Secure cloud-native notes application with JWT auth, Supabase RLS, and DevSecOps best practices. Full-stack: React 19 + Node.js/Express, containerized with Docker, orchestrated with Kubernetes, infrastructure provisioned via Terraform.
