chore: ran security check for OWASP top 10

api/vitest.security.config.ts

@@ -0,0 +1,38 @@
+import { defineConfig } from "vitest/config";
+
+const dbSecurityTestsEnabled = process.env.SECURITY_DB_TESTS === "1";
+const baseSecurityTests = [
+  "tests/security-misconfiguration.test.ts",
+  "tests/software-supply-chain-failures.test.ts",
+  "tests/cryptographic-failures.test.ts",
+  "tests/cryptographic-failures.runtime.test.ts",
+  "tests/injection-safety.test.ts",
+  "tests/software-data-integrity-failures.test.ts",
+  "tests/security-logging-monitoring-failures.test.ts",
+  "tests/server-side-request-forgery.test.ts",
+];
+const dbSecurityTests = [
+  "tests/insecure-design.test.ts",
+  "tests/identification-auth-failures.test.ts",
+];
+
+export default defineConfig({
+  test: {
+    environment: "node",
+    include: dbSecurityTestsEnabled
+      ? [...baseSecurityTests, ...dbSecurityTests]
+      : baseSecurityTests,
+    pool: "threads",
+    poolOptions: { threads: { singleThread: true } },
+    testTimeout: 30_000,
+    setupFiles: dbSecurityTestsEnabled ? ["tests/setup.ts"] : [],
+    env: {
+      NODE_ENV: "test",
+      DATABASE_URL: "postgres://app:app@127.0.0.1:5432/skymoney",
+      AUTH_DISABLED: "1",
+      SEED_DEFAULT_BUDGET: "1",
+      JWT_SECRET: "test-jwt-secret-32-chars-min-abcdef",
+      COOKIE_SECRET: "test-cookie-secret-32-chars-abcdef",
+    },
+  },
+});