Feat/secure

backend/src/app.module.ts

@@ -13,11 +13,11 @@
 import { getRedisConnectionOptions } from "./config/redis.config";
 
 import { AnalyticsModule } from "./analytics/analytics.module";
 import { CommonModule } from "./common/common.module";
 import { ComplianceModule } from "./compliance/compliance.module";
 import { CollaborationModule } from "./collaboration/collaboration.module";
 import { DashboardModule } from "./dashboard/dashboard.module";
 import { DebtSimplificationModule } from "./debt-simplification/debt-simplification.module";
 import { DisputesModule } from "./disputes/disputes.module";
 import { EmailModule } from "./email/email.module";
 import { ExportModule } from "./export/export.module";
@@ -45,9 +45,7 @@
 import { SplitTemplateModule } from "./split-template/split-template.module";
 import { StellarModule } from "./stellar/stellar.module";
 import { TemplatesModule } from "./templates/templates.module";
-import { UploadModule } from "./uploads/upload.module";
-import { ShortLinksModule } from "./short-links/short-links.module";
-import { WebhooksModule } from "./webhooks/webhooks.module";
+import { FraudDetectionModule } from "./fraud-detection/fraud-detection.module";
 // Duplicate imports removed; already imported above.
 // Load environment variables
 dotenv.config({
@@ -133,6 +131,7 @@
         CollaborationModule,
         DashboardModule,
         ShortLinksModule,
+        FraudDetectionModule,
         // Duplicated modules were already included earlier.
     ],
 })

backend/src/compliance/compliance.controller.ts

@@ -1,16 +1,24 @@
-import { Controller, Post, Get, Put, Body, Param, Query, UseGuards } from '@nestjs/common';
+import { Controller, Post, Get, Put, Body, Param, Query, UseGuards, Req } from '@nestjs/common';
 import { ComplianceService } from './compliance.service';
 import { ExpenseCategory } from './entities/expense-category.entity';
+import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
+import { AuthorizationGuard } from '../auth/guards/authorization.guard';
+import { RequirePermissions } from '../auth/decorators/permissions.decorator';
+import { Permissions } from '../auth/decorators/permissions.decorator';
+
+interface AuthRequest {
+  user: { walletAddress: string };
+}
 
 @Controller('api/compliance')
+@UseGuards(JwtAuthGuard, AuthorizationGuard)
 export class ComplianceController {
     constructor(private readonly complianceService: ComplianceService) { }
 
     @Post('export/request')
-    async requestExport(@Body() data: any) {
-        // In a real app, userId would come from auth guard
-        const userId = data.userId;
-        return this.complianceService.requestExport(userId, data);
+    @RequirePermissions(Permissions.CAN_CREATE_EXPORT)
+    async requestExport(@Body() data: any, @Req() req: AuthRequest) {
+        return this.complianceService.requestExport(req.user.walletAddress, data);
     }
 
     @Get('export/:requestId/status')
@@ -19,28 +27,32 @@ export class ComplianceController {
     }
 
     @Get('categories')
-    async getCategories(@Query('userId') userId: string) {
-        return this.complianceService.getCategories(userId);
+    @RequirePermissions(Permissions.CAN_READ_EXPORT)
+    async getCategories(@Req() req: AuthRequest) {
+        return this.complianceService.getCategories(req.user.walletAddress);
     }
 
     @Post('categories')
-    async createCategory(@Body() data: any) {
-        const userId = data.userId;
-        return this.complianceService.createCategory(userId, data);
+    @RequirePermissions(Permissions.CAN_CREATE_EXPORT)
+    async createCategory(@Body() data: any, @Req() req: AuthRequest) {
+        return this.complianceService.createCategory(req.user.walletAddress, data);
     }
 
     @Put('splits/:splitId/category')
+    @RequirePermissions(Permissions.CAN_UPDATE_SPLIT)
     async assignCategory(@Param('splitId') splitId: string, @Body('categoryId') categoryId: string) {
         return this.complianceService.assignCategoryToSplit(splitId, categoryId);
     }
 
     @Get('summary')
-    async getSummary(@Query('userId') userId: string, @Query('year') year: string) {
-        return this.complianceService.getSummary(userId, parseInt(year));
+    @RequirePermissions(Permissions.CAN_READ_EXPORT)
+    async getSummary(@Query('year') year: string, @Req() req: AuthRequest) {
+        return this.complianceService.getSummary(req.user.walletAddress, parseInt(year));
     }
 
-    @Get('tax-deductible-total')
-    async getTaxDeductibleTotal(@Query('userId') userId: string, @Query('period') period: string) {
-        return this.complianceService.getTaxDeductibleTotal(userId, period);
+    @Get('export/:requestId/download')
+    @RequirePermissions(Permissions.CAN_READ_EXPORT)
+    async downloadExport(@Param('requestId') requestId: string, @Req() req: AuthRequest) {
+        return this.complianceService.downloadExport(requestId, req.user.walletAddress);
     }
 }

backend/src/compliance/compliance.processor.ts

@@ -13,7 +13,7 @@ import { PDFExporterService } from "./exporters/pdf-exporter.service";
 import { QBOExporterService } from "./exporters/qbo-exporter.service";
 import { JSONExporterService } from "./exporters/json-exporter.service";
 import { OFXExporterService } from "./exporters/ofx-exporter.service";
-import { EmailService } from "../email/email.service";
+import { ProfileService } from "../profile/profile.service";
 import { Logger } from "@nestjs/common";
 import * as fs from "fs";
 import * as path from "path";
@@ -34,6 +34,7 @@ export class ComplianceProcessor {
     private jsonExporter: JSONExporterService,
     private ofxExporter: OFXExporterService,
     private emailService: EmailService,
+    private profileService: ProfileService,
   ) {
     if (!fs.existsSync(this.exportDir)) {
       fs.mkdirSync(this.exportDir);
@@ -99,25 +100,39 @@ export class ComplianceProcessor {
 
       await this.exportRepo.update(requestId, {
         status: ExportStatus.READY,
-        fileUrl: filePath, // Using local path for simplicity in this implementation
+        fileUrl: `http://localhost:3000/api/compliance/export/${requestId}/download`, // Secure download URL
         fileSize: fs.statSync(filePath).size,
         recordCount: splits.length,
         completedAt: new Date(),
         expiresAt,
       });
 
       // Send email notification
-      // In a real app, we'd look up the user's email by wallet address
-      // For now, we'll assume a dummy email or use a placeholder
-      await this.emailService["emailQueue"].add("sendEmail", {
-        to: "user@example.com", // Placeholder
-        type: "export_ready",
-        context: {
-          requestId,
-          format: request.exportFormat,
-          downloadUrl: `http://localhost:3000/api/compliance/export/${requestId}/download`,
-        },
-      });
+      try {
+        const profile = await this.profileService.getByWalletAddress(request.userId);
+        const userEmail = profile.email || 'user@example.com'; // fallback
+        await this.emailService["emailQueue"].add("sendEmail", {
+          to: userEmail,
+          type: "export_ready",
+          context: {
+            requestId,
+            format: request.exportFormat,
+            downloadUrl: `http://localhost:3000/api/compliance/export/${requestId}/download`,
+          },
+        });
+      } catch (error) {
+        this.logger.error(`Failed to get user email for export ${requestId}:`, error);
+        // Fallback to placeholder
+        await this.emailService["emailQueue"].add("sendEmail", {
+          to: "user@example.com",
+          type: "export_ready",
+          context: {
+            requestId,
+            format: request.exportFormat,
+            downloadUrl: `http://localhost:3000/api/compliance/export/${requestId}/download`,
+          },
+        });
+      }
 
       this.logger.log(`Export ${requestId} completed successfully`);
     } catch (error) {

backend/src/compliance/compliance.service.spec.ts

@@ -0,0 +1,86 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { getRepositoryToken } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+import { ComplianceService } from './compliance.service';
+import { TaxExportRequest, ExportStatus } from './entities/tax-export-request.entity';
+import { ExpenseCategory } from './entities/expense-category.entity';
+import { Split } from '../entities/split.entity';
+import { BullModule } from '@nestjs/bull';
+
+describe('ComplianceService', () => {
+  let service: ComplianceService;
+  let exportRepo: Repository<TaxExportRequest>;
+  let categoryRepo: Repository<ExpenseCategory>;
+  let splitRepo: Repository<Split>;
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      imports: [BullModule.registerQueue({ name: 'compliance-export' })],
+      providers: [
+        ComplianceService,
+        {
+          provide: getRepositoryToken(TaxExportRequest),
+          useClass: Repository,
+        },
+        {
+          provide: getRepositoryToken(ExpenseCategory),
+          useClass: Repository,
+        },
+        {
+          provide: getRepositoryToken(Split),
+          useClass: Repository,
+        },
+      ],
+    }).compile();
+
+    service = module.get<ComplianceService>(ComplianceService);
+    exportRepo = module.get<Repository<TaxExportRequest>>(getRepositoryToken(TaxExportRequest));
+    categoryRepo = module.get<Repository<ExpenseCategory>>(getRepositoryToken(ExpenseCategory));
+    splitRepo = module.get<Repository<Split>>(getRepositoryToken(Split));
+  });
+
+  it('should be defined', () => {
+    expect(service).toBeDefined();
+  });
+
+  describe('requestExport', () => {
+    it('should create export request with QUEUED status', async () => {
+      const mockRequest = {
+        id: 'test-id',
+        userId: 'user-1',
+        exportFormat: 'CSV',
+        periodStart: new Date('2023-01-01'),
+        periodEnd: new Date('2023-12-31'),
+        status: ExportStatus.QUEUED,
+      };
+      jest.spyOn(exportRepo, 'create').mockReturnValue(mockRequest as any);
+      jest.spyOn(exportRepo, 'save').mockResolvedValue(mockRequest as any);
+
+      const result = await service.requestExport('user-1', {
+        exportFormat: 'CSV',
+        periodStart: '2023-01-01',
+        periodEnd: '2023-12-31',
+      });
+
+      expect(result.status).toBe(ExportStatus.QUEUED);
+    });
+  });
+
+  describe('getExportStatus', () => {
+    it('should return READY status', async () => {
+      const mockRequest = { id: 'test-id', status: ExportStatus.READY };
+      jest.spyOn(exportRepo, 'findOne').mockResolvedValue(mockRequest as any);
+
+      const result = await service.getExportStatus('test-id');
+      expect(result.status).toBe(ExportStatus.READY);
+    });
+
+    it('should return FAILED status', async () => {
+      const mockRequest = { id: 'test-id', status: ExportStatus.FAILED };
+      jest.spyOn(exportRepo, 'findOne').mockResolvedValue(mockRequest as any);
+
+      const result = await service.getExportStatus('test-id');
+      expect(result.status).toBe(ExportStatus.FAILED);
+    });
+  });
+});

backend/src/compliance/compliance.service.ts

@@ -95,9 +95,34 @@ export class ComplianceService {
         return summary;
     }
 
-    async getTaxDeductibleTotal(userId: string, period: string) {
-        const year = parseInt(period);
-        const summary = await this.getSummary(userId, year);
+    async downloadExport(requestId: string, userId: string) {
+        const request = await this.exportRepo.findOne({ where: { id: requestId, userId } });
+        if (!request) throw new NotFoundException('Export request not found or access denied');
+        if (request.status !== ExportStatus.READY) throw new BadRequestException('Export not ready');
+
+        // Return the file content or stream
+        const fs = require('fs');
+        const path = require('path');
+        const filePath = path.join(process.cwd(), 'exports', `tax-export-${requestId}.${request.exportFormat.toLowerCase()}`);
+        if (!fs.existsSync(filePath)) throw new NotFoundException('File not found');
+
+        return {
+            fileName: `tax-export-${requestId}.${request.exportFormat.toLowerCase()}`,
+            content: fs.readFileSync(filePath),
+            mimeType: this.getMimeType(request.exportFormat),
+        };
+    }
+
+    private getMimeType(format: ExportFormat): string {
+        switch (format) {
+            case ExportFormat.CSV: return 'text/csv';
+            case ExportFormat.PDF: return 'application/pdf';
+            case ExportFormat.QBO: return 'application/octet-stream';
+            case ExportFormat.JSON: return 'application/json';
+            case ExportFormat.OFX: return 'application/xml';
+            default: return 'application/octet-stream';
+        }
+    }
 
         return Object.values(summary).reduce((acc, curr) => acc + curr.deductible, 0);
     }

backend/src/fraud-detection/fraud-detection.controller.ts

@@ -14,6 +14,10 @@ import { Repository } from "typeorm";
 
 import { FraudDetectionService } from "./fraud-detection.service";
 import { FraudAlert, AlertStatus } from "./entities/fraud-alert.entity";
+import { JwtAuthGuard } from "../auth/guards/jwt-auth.guard";
+import { AuthorizationGuard } from "../auth/guards/authorization.guard";
+import { RequirePermissions } from "../auth/decorators/permissions.decorator";
+import { Permissions } from "../auth/decorators/permissions.decorator";
 import {
   AnalyzeSplitRequestDto,
   AnalyzePaymentRequestDto,
@@ -22,6 +26,7 @@ import {
 } from "./dto/analyze-split.dto";
 
 @Controller("fraud")
+@UseGuards(JwtAuthGuard, AuthorizationGuard)
 export class FraudDetectionController {
   constructor(
     private readonly fraudDetectionService: FraudDetectionService,
@@ -33,6 +38,7 @@ export class FraudDetectionController {
    * Get all fraud alerts
    */
   @Get("alerts")
+  @RequirePermissions(Permissions.CAN_READ_FRAUD_ALERTS)
   async getAlerts(
     @Query("status") status?: AlertStatus,
     @Query("page") page: number = 1,
@@ -45,6 +51,7 @@ export class FraudDetectionController {
    * Get a single alert
    */
   @Get("alerts/:id")
+  @RequirePermissions(Permissions.CAN_READ_SPLIT)
   async getAlert(@Param("id") id: string) {
     const alert = await this.fraudDetectionService.getAlert(id);
     if (!alert) {
@@ -57,6 +64,7 @@ export class FraudDetectionController {
    * Resolve a fraud alert
    */
   @Post("alerts/:id/resolve")
+  @RequirePermissions(Permissions.CAN_UPDATE_SPLIT)
   @HttpCode(HttpStatus.OK)
   async resolveAlert(
     @Param("id") id: string,
@@ -70,6 +78,7 @@ export class FraudDetectionController {
    * Get analysis for a specific split
    */
   @Get("splits/:id/analysis")
+  @RequirePermissions(Permissions.CAN_READ_SPLIT)
   async getSplitAnalysis(@Param("id") id: string) {
     return this.fraudDetectionService.getSplitAnalysis(id);
   }
@@ -78,6 +87,7 @@ export class FraudDetectionController {
    * Get fraud detection statistics
    */
   @Get("stats")
+  @RequirePermissions(Permissions.CAN_READ_SPLIT)
   async getStats() {
     return this.fraudDetectionService.getStats();
   }

backend/src/fraud-detection/fraud-detection.service.ts

@@ -320,16 +320,8 @@ export class FraudDetectionService {
       where: { status: AlertStatus.FALSE_POSITIVE },
     });
 
-    // Calculate accuracy
-    const reviewed = await this.fraudAlertRepository.count({
-      where: [{ status: AlertStatus.RESOLVED }, { status: AlertStatus.FALSE_POSITIVE }],
-    });
-
-    const truePositives = await this.fraudAlertRepository.count({
-      where: { is_true_positive: true },
-    });
-
-    const accuracy = reviewed > 0 ? (truePositives + falsePositives) / reviewed : 0;
+    // Calculate accuracy as precision: true positives / (true positives + false positives)
+    const accuracy = reviewed > 0 ? truePositives / reviewed : 0;
 
     return {
       totalAlerts: total,