
ShellFusion-mcp-server

by ValentinTorassa

Overview

A full-stack application for managing tickets, with a Python-based Model Context Protocol (MCP) server to enable AI assistant integration for interacting with the backend API.

Installation

Run Command
mcp dev server.py

Environment Variables

  • PORT
  • FRONTEND_ORIGIN
  • MONGODB_URI
  • TOKEN_SECRET
  • API_KEY
  • BACKEND_BASE_URL
  • MCP_SERVER_NAME
  • NODE_ENV

Security Notes

1. **API Key Bypass:** The `apiKeyAuth` middleware (backend/src/middlewares/apiKeyAuth.ts) explicitly bypasses API key authentication if the `BACKEND_API_KEY` environment variable is not set. This could unintentionally expose protected API routes if the variable is omitted in a production environment.
2. **Hardcoded Docker Credentials:** Default hardcoded MongoDB root ('root'/'example') and application-specific ('appuser'/'apppass') credentials are used in `docker-compose.yml` and `mongo-init/001-init.js`. While common for local development, these are **critical security risks** if deployed in a production environment without immediate and strong modification.
3. **Missing Security Headers:** The `helmet` dependency is listed in `backend/package.json` but is not explicitly utilized in `backend/src/index.ts`, missing out on a straightforward way to implement crucial security headers for HTTP responses.
4. **CORS Configuration:** CORS is configured to allow `FRONTEND_ORIGIN`. Ensure this variable is strictly controlled and not set to `*` in production to prevent unintended cross-origin access.
5. **JWT Handling:** JWT tokens are signed with `process.env.TOKEN_SECRET` and expire in '8h'. The `Authorization` cookie is set with `httpOnly` and `secure` flags conditionally based on `NODE_ENV`, which is good practice.
6. **Password Hashing:** Passwords are securely hashed using `bcryptjs` with 12 salt rounds.

Stats

  • Interest Score: 0
  • Security Score: 3
  • Cost Class: Medium
  • Avg Tokens: 10
  • Stars: 0
  • Forks: 0
  • Last Update: 2025-11-26

Tags

Full-stack, Ticket Management, AI Integration, MCP Server, Node.js, React, Express, MongoDB, Python