Fix identified issues with server consolidation

inventory-server/chat/package.json

@@ -2,6 +2,7 @@
   "name": "chat-server",
   "version": "1.0.0",
   "description": "Chat archive server for Rocket.Chat data",
+  "type": "module",
   "main": "server.js",
   "scripts": {
     "start": "node server.js",
@@ -12,7 +13,10 @@
     "cors": "^2.8.5",
     "pg": "^8.11.0",
     "dotenv": "^16.0.3",
-    "morgan": "^1.10.0"
+    "morgan": "^1.10.0",
+    "jsonwebtoken": "^9.0.2",
+    "pino": "^9.5.0",
+    "pino-http": "^10.3.0"
   },
   "devDependencies": {
     "nodemon": "^2.0.22"

inventory-server/chat/routes.js

@@ -1,5 +1,12 @@
-const express = require('express');
-const path = require('path');
+import express from 'express';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+// ESM polyfill — Phase 9 §9.1. Handlers below use __dirname to resolve the
+// db-convert/db/files/{uploads,avatars} static asset paths.
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
 const router = express.Router();
 
 // Serve uploaded files with proper mapping from database paths to actual file locations
@@ -646,4 +653,4 @@ router.get('/users/:userId/search', async (req, res) => {
   }
 });
 
-module.exports = router; 
+export default router;

inventory-server/chat/server.js

@@ -1,23 +1,62 @@
-require('dotenv').config({ path: '../.env' });
-const express = require('express');
-const cors = require('cors');
-const { Pool } = require('pg');
-const morgan = require('morgan');
-const chatRoutes = require('./routes');
+// chat-server — Phase 9 §9.1 of CONSOLIDATION_PLAN.md.
+//
+// ESM conversion + in-process authenticate() defense-in-depth. Previously this
+// service relied on the Caddy `forward_auth` gate alone — `localhost:3014`
+// was reachable unauthenticated. Now:
+//   1. Bound to 127.0.0.1 (was 0.0.0.0) so direct-port access is impossible.
+//   2. authenticate() runs against an in-process `inventory_db` pool before
+//      any route handler sees the request.
+//
+// Two pools intentionally:
+//   - `inventoryPool`: used by authenticate() for users/permissions lookups
+//     against the main inventory_db (matches DB_* env vars).
+//   - `pool` (set as global.pool for routes.js): the existing
+//     `rocketchat_converted` pool driven by CHAT_DB_* env vars. routes.js
+//     reads global.pool throughout — no handler-body changes needed.
+
+import { config as loadEnv } from 'dotenv';
+import express from 'express';
+import cors from 'cors';
+import morgan from 'morgan';
+import pg from 'pg';
+import path from 'node:path';
+import fs from 'node:fs';
+import { fileURLToPath } from 'node:url';
+
+import { authenticate } from '../shared/auth/middleware.js';
+import { corsOptions } from '../shared/cors/policy.js';
+import { errorHandler } from '../shared/errors/handler.js';
+import { requestLog } from '../shared/logging/request-log.js';
+
+import chatRoutes from './routes.js';
+
+const { Pool } = pg;
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+// Env layering matches dashboard-server (Deviation #18): shared .env wins on
+// collisions for security-critical vars, local .env supplies CHAT_DB_*.
+const sharedEnvPath = '/var/www/inventory/.env';
+const localEnvPath = path.resolve(__dirname, '.env');
+if (fs.existsSync(sharedEnvPath)) loadEnv({ path: sharedEnvPath });
+if (fs.existsSync(localEnvPath)) loadEnv({ path: localEnvPath });
+
+if (!process.env.JWT_SECRET) {
+  console.error('JWT_SECRET is not set; refusing to start (per Phase 6.4)');
+  process.exit(1);
+}
+
+const app = express();
+const port = Number(process.env.CHAT_PORT) || 3014;
 
-// Log startup configuration
 console.log('Starting chat server with config:', {
   host: process.env.CHAT_DB_HOST,
   user: process.env.CHAT_DB_USER,
   database: process.env.CHAT_DB_NAME || 'rocketchat_converted',
   port: process.env.CHAT_DB_PORT,
-  chat_port: process.env.CHAT_PORT || 3014
+  chat_port: port,
 });
 
-const app = express();
-const port = process.env.CHAT_PORT || 3014;
-
-// Database configuration for rocketchat_converted database
+// Rocket.Chat archive pool — routes.js reads it via global.pool.
 const pool = new Pool({
   host: process.env.CHAT_DB_HOST,
   user: process.env.CHAT_DB_USER,
@@ -25,59 +64,69 @@ const pool = new Pool({
   database: process.env.CHAT_DB_NAME || 'rocketchat_converted',
   port: process.env.CHAT_DB_PORT,
 });
-
-// Make pool available globally
 global.pool = pool;
 
-// Middleware
+// inventory_db pool — used by authenticate() for user/permission lookups.
+const inventoryPool = new Pool({
+  host: process.env.DB_HOST,
+  user: process.env.DB_USER,
+  password: process.env.DB_PASSWORD,
+  database: process.env.DB_NAME,
+  port: Number(process.env.DB_PORT) || 5432,
+  ssl: process.env.DB_SSL === 'true' ? { rejectUnauthorized: false } : false,
+});
+
+app.use(requestLog());
 app.use(express.json());
 app.use(morgan('combined'));
-app.use(cors({
-  origin: ['http://localhost:5175', 'http://localhost:5174', 'https://inventory.kent.pw', 'https://acot.site', 'https://tools.acherryontop.com'],
-  credentials: true
-}));
+app.use(cors(corsOptions));
 
-// Test database connection endpoint
-app.get('/test-db', async (req, res) => {
+// /health stays unauthenticated for out-of-band probes — mounted BEFORE
+// authenticate() so monitoring tools on the host can poll without a JWT.
+// Only reachable via localhost:3014 directly (Caddy routes /health to
+// inventory-server:3010, not here).
+app.get('/health', (req, res) => res.json({ status: 'healthy' }));
+
+// Phase 9 §9.1 — per-server auth re-verification. Every chat route must pass
+// authenticate() in addition to the Caddy forward_auth gate.
+app.use(authenticate({ pool: inventoryPool, secret: process.env.JWT_SECRET }));
+
+app.get('/test-db', async (req, res, next) => {
   try {
     const result = await pool.query('SELECT COUNT(*) as user_count FROM users WHERE active = true');
     const messageResult = await pool.query('SELECT COUNT(*) as message_count FROM message');
     const roomResult = await pool.query('SELECT COUNT(*) as room_count FROM room');
-    
     res.json({
       status: 'success',
       database: 'rocketchat_converted',
       stats: {
-        active_users: parseInt(result.rows[0].user_count),
-        total_messages: parseInt(messageResult.rows[0].message_count),
-        total_rooms: parseInt(roomResult.rows[0].room_count)
-      }
-    });
-  } catch (error) {
-    console.error('Database test error:', error);
-    res.status(500).json({ 
-      status: 'error',
-      error: 'Database connection failed',
-      details: error.message
+        active_users: parseInt(result.rows[0].user_count, 10),
+        total_messages: parseInt(messageResult.rows[0].message_count, 10),
+        total_rooms: parseInt(roomResult.rows[0].room_count, 10),
+      },
     });
+  } catch (err) {
+    next(err);
   }
 });
 
-// Mount all routes from routes.js
 app.use('/', chatRoutes);
 
-// Health check endpoint
-app.get('/health', (req, res) => {
-  res.json({ status: 'healthy' });
+app.use(errorHandler);
+
+// Phase 9 §9.1 — bind to 127.0.0.1. Caddy reverse_proxy targets localhost:3014
+// already; this closes the gap where unauthenticated direct-port access from
+// any host on the network was possible.
+const server = app.listen(port, '127.0.0.1', () => {
+  console.log(`Chat server running on 127.0.0.1:${port}`);
 });
 
-// Error handling middleware
-app.use((err, req, res, next) => {
-  console.error(err.stack);
-  res.status(500).json({ error: 'Something broke!' });
-});
-
-// Start server
-app.listen(port, () => {
-  console.log(`Chat server running on port ${port}`);
-}); 
+const shutdown = async (signal) => {
+  console.log(`chat-server shutting down (${signal})`);
+  server.close();
+  try { await pool.end(); } catch { /* ignore */ }
+  try { await inventoryPool.end(); } catch { /* ignore */ }
+  process.exit(0);
+};
+process.on('SIGTERM', () => shutdown('SIGTERM'));
+process.on('SIGINT', () => shutdown('SIGINT'));