Add production-readiness features: health checks, security, pagination, sanitization

[madhavcodez]

Summary

This PR hardens the backend for production deployment by adding comprehensive health checks, security headers, API documentation, cursor-based pagination, input sanitization, and improved environment configuration validation.

Key Changes

Security & Headers

• Added Helmet integration for security headers (X-Content-Type-Options, X-Frame-Options, etc.)
• Implemented CORS with explicit origin allowlist from environment configuration
• Added request ID tracking via x-request-id header for observability

Health Checks & Observability

• Enhanced /health endpoint to perform actual database and Redis connectivity probes
• Returns 503 Service Unavailable when services are degraded
• Improved logging configuration with structured serializers and configurable log levels
• Added graceful shutdown handling for SIGINT/SIGTERM signals

API Documentation

• Integrated Fastify Swagger for OpenAPI 3.1.0 documentation
• Exposed API docs at /docs endpoint with JSON schema at /docs/json

Pagination

• Created pagination.ts utility with cursor-based pagination support
• Implemented parsePaginationParams() and buildPaginatedResponse() helpers
• Applied pagination to /v1/search, /v1/feed, and /v1/log/recently-played endpoints
• Cursor validation prevents SQL injection with length and character checks

Input Sanitization

• Added sanitize.ts module with stripHtml() function for plain-text fields
• Applied HTML stripping to review bodies and list descriptions
• Prevents XSS by encoding special characters

Database Improvements

• Added migration 006_session_expiry_and_indexes.sql:
  • Session expiration support with expires_at column
  • Full-text search vector on albums with automatic trigger updates
  • Missing performance indexes on ratings, reviews, activity_events, listening_events, and notifications
• Updated session queries to filter expired sessions with expires_at > NOW()

HTTP Status Codes

• Changed signup and POST endpoints to return 201 Created instead of 200 OK
• Updated follow, rating, review, and list creation endpoints accordingly

Environment Configuration

• Replaced ad-hoc env parsing with Zod schema validation
• Production mode enforces explicit DATABASE_URL and REDIS_URL (no dev defaults)
• Added NODE_ENV, LOG_LEVEL, and ALLOWED_ORIGINS configuration
• Validates all environment variables at startup with clear error messages

Docker & Deployment

• Added Dockerfile with multi-stage build (builder + production)
• Added docker-compose.prod.yml with resource limits and health checks
• Added .dockerignore to optimize image size
• Added backend/.dockerignore for production builds

Testing & CI

• Added comprehensive production-readiness.test.ts covering:
  • Health check endpoint validation
  • Security headers presence
  • OpenAPI documentation availability
  • Database schema requirements (session expiry, search vectors, indexes)
  • Pagination functionality on feed and search
  • HTTP status codes (201 for creation)
  • HTML sanitization in reviews
• Updated existing tests to expect 201 status codes
• Added npm audit step to CI pipeline
• Added Dependabot configuration for automated dependency updates

Dependencies

• Added @fastify/helmet for security headers
• Added @fastify/swagger and @fastify/swagger-ui for API documentation
• Added Node.js version constraint (>=20.0.0) in package.json

Notable Implementation Details

• Pagination uses cursor-based approach (not offset) for better performance at scale
• Feed caching only applies to first page (no cursor) to maintain consistency
• Search supports both full-text search vectors and LIKE fallback for compatibility
• Database connection timeout set to 5 seconds for faster failure detection
• Redis retry strategy limited to 3 attempts to fail fast
• Session cleanup can be automated via scheduled job querying idx_sessions_expires index

https://claude.ai/code/session_01HXWnSTisXW9rizJZW4mV7X