Feature/rate limit hardening #675

Open: saidai-bhuvanesh wants to merge 6 commits into adithyan-css:main from saidai-bhuvanesh:feature/rate-limit-hardening

@saidai-bhuvanesh

Title

security: implement rate limiting, audit logging, validation hardening, and backend reliability improvements

Summary

This PR delivers a comprehensive backend security, reliability, and performance upgrade for Brownie-Bliss.

The changes focus on protecting critical APIs from abuse, strengthening authentication and OTP workflows, improving order integrity, adding audit traceability for administrative actions, optimizing database access patterns, and expanding automated test coverage.

Key Improvements

Security Hardening

  • Added centralized rate limiting for:

    • OTP generation
    • OTP verification
    • Admin login
    • Order creation
    • Public order lookup
  • Enforced JWT verification using explicit HS256 algorithm validation.

  • Added structured request validation using Zod schemas.

  • Strengthened OTP verification with:

    • Retry limits
    • Expiration enforcement
    • Abuse protection
    • Request cooldown handling

Order Integrity & Reliability

  • Added duplicate order detection logic.
  • Introduced concurrency-safe order processing protection.
  • Prevented rapid duplicate submissions.
  • Improved request validation and error handling.

Audit Logging System

  • Added immutable AuditLog model.

  • Implemented centralized audit logging service.

  • Added audit events for:

    • Admin login success
    • Admin login failures
    • Payment confirmations
    • Order status updates
  • Added protected audit log retrieval endpoint.

  • Implemented automatic retention cleanup using TTL indexes.

Database Performance

  • Added indexes for:

    • Orders
    • OTP records
    • Product lookups
    • Audit logs
  • Refactored dashboard statistics endpoint to use a single $facet aggregation pipeline.

  • Reduced database round trips and improved query efficiency.

API Validation Improvements

  • Added Zod validation schemas for:

    • Admin authentication
    • OTP workflows
  • Improved validation error consistency.

  • Improved API safety against malformed requests.

Error Handling Improvements

  • Added environment-aware global error responses.
  • Improved production-safe error handling.
  • Prevented stack trace exposure in production environments.

Testing

  • Added backend integration tests covering:

    • Authentication
    • OTP workflows
    • Duplicate order protection
    • Audit logging
    • Database statistics aggregation
    • Rate limiting behavior
    • Authorization checks

Impact

  • Improved backend security
  • Improved operational visibility
  • Improved order reliability
  • Improved abuse protection
  • Improved database performance
  • Expanded automated test coverage
  • Increased production readiness

Verification

  • All automated tests pass successfully.
  • Authentication workflows verified.
  • OTP workflows verified.
  • Order processing verified.
  • Audit logging verified.
  • Statistics aggregation verified.
  • Backward compatibility maintained.
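
The OTP controls listed under Security Hardening (retry limits, expiration enforcement, request cooldown), shown as an added JavaScript example that is not taken from this PR's description or code. The `OtpStore` class, the `LIMITS` values and the in-memory `Map` are assumptions for illustration; a multi-instance deployment would keep these records in a shared store.

```javascript
// Added example, not the PR's code. Names and limit values are assumptions.
const LIMITS = { ttlMs: 5 * 60_000, cooldownMs: 60_000, maxAttempts: 5 };

// Compare without an early exit so timing does not reveal the first wrong digit.
// (On Node.js, crypto.timingSafeEqual over equal-length buffers does the same job.)
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

class OtpStore {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.records = new Map(); // key (e.g. phone number) -> { code, issuedAt, attempts }
  }

  // `code` is generated by the caller with a CSPRNG; the store only enforces policy.
  issue(key, code, now = Date.now()) {
    const prev = this.records.get(key);
    const wait = prev ? this.limits.cooldownMs - (now - prev.issuedAt) : 0;
    if (wait > 0) return { ok: false, reason: 'cooldown', retryAfterMs: wait };
    this.records.set(key, { code, issuedAt: now, attempts: 0 });
    return { ok: true };
  }

  // Order matters: expiry and lockout are checked before the code is compared.
  verify(key, submitted, now = Date.now()) {
    const rec = this.records.get(key);
    if (!rec) return { ok: false, reason: 'no_otp' };
    if (now - rec.issuedAt >= this.limits.ttlMs) {
      this.records.delete(key);
      return { ok: false, reason: 'expired' };
    }
    if (rec.attempts >= this.limits.maxAttempts) return { ok: false, reason: 'locked' };
    rec.attempts += 1; // charge the attempt before comparing, so every guess counts
    if (!safeEqual(String(submitted), rec.code)) {
      return { ok: false, reason: 'mismatch', attemptsLeft: this.limits.maxAttempts - rec.attempts };
    }
    this.records.delete(key); // single use: a verified code cannot be replayed
    return { ok: true };
  }
}
```

Once the attempt budget is spent, even the correct code is refused until a new OTP is issued, and issuing is itself throttled by the cooldown.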

@vercel

vercel Bot commented Jun 5, 2026

Someone is attempting to deploy a commit to the adithyansubramani1-1657's projects Team on Vercel.

A member of the Team first needs to authorize it.
