{"id":50187897,"url":"https://github.com/ihsanalapsi/secure-clinic-api-suite","last_synced_at":"2026-05-25T11:05:55.282Z","repository":{"id":342798882,"uuid":"1173815609","full_name":"ihsanalapsi/secure-clinic-api-suite","owner":"ihsanalapsi","description":"A production-ready Healthcare API with advanced scheduling logic and a comprehensive Security Audit \u0026 Remediation report covering 18 critical OWASP vulnerabilities.","archived":false,"fork":false,"pushed_at":"2026-03-07T12:38:43.000Z","size":1005,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-07T18:50:47.277Z","etag":null,"topics":["audit","backend","cybersecurity","docker","nodejs","owasp","postgresql","prisma","rbac","security","typescript"],"latest_commit_sha":null,"homepage":"https://linkedin.com/in/ihsan-alapsi","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ihsanalapsi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security-audit-remediation/FINAL_SECURITY_AUDIT_REPORT.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-05T19:28:51.000Z","updated_at":"2026-03-07T12:38:40.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ihsanalapsi/secure-clinic-api-suite","commit_stats":null,"previous_names":["ihsanalapsi/secure-clinic-api-suite"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/ihsanalapsi/secure-clinic-api-suite","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ihsanalapsi%2Fsecure-clinic-api-suite","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ihsanalapsi%2Fsecure-clinic-api-suite/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ihsanalapsi%2Fsecure-clinic-api-suite/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ihsanalapsi%2Fsecure-clinic-api-suite/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ihsanalapsi","download_url":"https://codeload.github.com/ihsanalapsi/secure-clinic-api-suite/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ihsanalapsi%2Fsecure-clinic-api-suite/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33471542,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-25T06:32:55.349Z","status":"ssl_error","status_checked_at":"2026-05-25T06:32:35.322Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","backend","cybersecurity","docker","nodejs","owasp","postgresql","prisma","rbac","security","typescript"],"created_at":"2026-05-25T11:05:54.414Z","updated_at":"2026-05-25T11:05:55.259Z","avatar_url":"https://github.com/ihsanalapsi.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"assets/hero_banner.png\" alt=\"Secure Healthcare API \u0026 Security Audit Suite\" width=\"100%\" /\u003e\n\n  # Secure Healthcare API \u0026 Security Audit Suite\n  \n  \u003cp align=\"center\"\u003e\n    \u003cb\u003eA Senior-Level Portfolio Piece Demonstrating Advanced Backend Architecture \u0026 Offensive/Defensive Cybersecurity\u003c/b\u003e\n  \u003c/p\u003e\n  \n  ![Security Audit](https://img.shields.io/badge/Security-OWASP_Top_10_Audited-brightgreen)\n  ![Architecture](https://img.shields.io/badge/Architecture-Modular_Monolith-blue)\n  ![TypeScript](https://img.shields.io/badge/TypeScript-Strict_Mode-blue)\n  ![License](https://img.shields.io/badge/License-MIT-gray)\n\u003c/div\u003e\n\n\u003cbr /\u003e\n\n## 🌟 At a Glance\n\n| Metric | Details |\n| --- | --- |\n| **Modules Built** | 4 Domain Modules (Auth, Patients, Doctors, Appointments) |\n| **Vulnerabilities Fixed** | 18 Critical \u0026 High Vulnerabilities (OWASP Top 10) |\n| **Architecture** | Scalable Modular Monolith with bounded contexts |\n| **Database** | PostgreSQL optimized via Prisma ORM |\n| **Security Layer** | Fail-closed RBAC, Zod Validation, Advanced Concurrency Safe |\n\n---\n\n## 🎯 Quick Navigation for Reviewers\n\nIf you are a **Tech Lead** or **Technical Recruiter** reviewing this repository, here is where you should look first based on your interest:\n\n| Focus Area | File / Folder | What to expect |\n| :--- | :--- | :--- |\n| **System Architecture** | [`clinic-api-build/src/modules/`](clinic-api-build/src/modules/) | Cleanly bounded contexts, separation of routes, controllers, and services. |\n| **Concurrency Logic** | [`Appointment Service`](clinic-api-build/src/modules/appointments/appointments.service.ts) | Custom overlap-checking algorithm for safe booking under load. |\n| **Security Audit Skills** | [`FINAL_SECURITY_AUDIT_REPORT.md`](security-audit-remediation/FINAL_SECURITY_AUDIT_REPORT.md) | Professional offensive assessment \u0026 detailed remediation strategies. |\n| **Data modeling** | [`schema.prisma`](clinic-api-build/prisma/schema.prisma) | Advanced PostgreSQL table modeling, strict relations, and indexes. |\n\n---\n\n## 📖 Overview\n\nWelcome to the **Secure Healthcare API \u0026 Security Audit Suite** authored by **Ihsan Alapsi**. \n\nThis repository serves as a comprehensive demonstration of enterprise-grade software engineering, bridging the gap between **high-performance backend architecture** and **critical application security**. It is divided into two major tracks:\n\n1. **Clinic API Build**: A high-performance Clinic Appointment System designed and built from scratch using a robust, modular architecture.\n2. **Security Audit \u0026 Remediation**: A comprehensive OWASP Top 10 security audit and full code remediation of a legacy healthcare API, demonstrating a highly defensive, \"fail-closed\" engineering mindset.\n\n---\n\n## 🏗️ Part 1: Clinic Appointment System\n\nLocated in [`clinic-api-build/`](clinic-api-build/)\n\nA robust, scalable REST API built to manage patients, doctors, and highly-concurrent appointment bookings without conflicts. \n### 🏛️ Architecture (Modular Monolith)\n\n```mermaid\ngraph TD\n    Client([Client / Frontend]) --\u003e API[Express Router \u0026 Validation]\n    \n    subgraph \"Modules (Domain Logic)\"\n        direction TB\n        Auth[\"Auth Module\u003cbr/\u003e(JWT, RBAC)\"]\n        Patients[\"Patients Module\u003cbr/\u003e(Healthcare Records)\"]\n        Doctors[\"Doctors Module\u003cbr/\u003e(Schedules)\"]\n        Appointments[\"Appointments Module\u003cbr/\u003e(Overlap Checking)\"]\n        \n        API --\u003e Auth\n        API --\u003e Patients\n        API --\u003e Doctors\n        API --\u003e Appointments\n    end\n    \n    subgraph \"Data Access \u0026 Persistence\"\n        Prisma[Prisma ORM Client]\n        PostgreSQL[(PostgreSQL)]\n        Prisma --\u003e PostgreSQL\n    end\n    \n    Auth --\u003e Prisma\n    Patients --\u003e Prisma\n    Doctors --\u003e Prisma\n    Appointments --\u003e Prisma\n```\n\n### Key Highlights\n- **Modular Monolith Architecture**: Clean separation of domains ensuring maintainable and testable code.\n- **Advanced Concurrency handling**: Implemented an overlap-check algorithm for appointments to prevent double-booking safely.\n- **Fail-Closed RBAC**: Extensible Role-Based Access Control ensuring secure access boundaries by default.\n- **Data Layer**: Powered by **PostgreSQL** and **Prisma ORM** for type-safe database interactions.\n- **Dockerized**: Fully containerized environment for seamless spin-up and deployments (`docker-compose.yml` included).\n\n---\n\n## 🛡️ Part 2: Security Audit \u0026 Remediation\n\nLocated in [`security-audit-remediation/`](security-audit-remediation/)\n\nA critical analysis and refactor of an intentionally vulnerable legacy Medical Records API. It simulates a real-world blue-team/secure-engineering effort to harden an existing service before production.\n\n### Key Highlights\n- **Full OWASP Top 10 Audit**: Methodical identification of critical security flaws.\n- **18 Vulnerabilities Remediated**: Applied structural and functional fixes for:\n  - SQL Injection (SQLi)\n  - Path Traversal\n  - Insecure Direct Object References (IDOR)\n  - Plaintext Credential Storage\n  - JWT Misconfigurations\n  - Missing Input Validation \u0026 Rate Limiting\n- **Professional Assessment**: Includes a complete [Security Audit Report](security-audit-remediation/FINAL_SECURITY_AUDIT_REPORT.md) detailing the findings, impact, and precise remediation strategies applied.\n\n---\n\n## ⚙️ Tech Stack\n\nThis project leverages a modern, fully-typed ecosystem for both parts:\n\n- **Node.js** \u0026 **Express.js**\n- **TypeScript** (Strict Mode)\n- **PostgreSQL**\n- **Prisma ORM**\n- **Docker**\n- **Zod** (Request validation)\n- **Bcrypt** \u0026 **JWT** (Authentication \u0026 Hashing)\n\n---\n\n## Getting Started\n\nEach system is completely self-contained. For detailed instructions on how to run them locally, please see the specific READMEs in their respective directories:\n\n- 👉 [Clinic Appointment API Setup](clinic-api-build/README.md)\n- 👉 [Security Remediated API Setup](security-audit-remediation/README.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fihsanalapsi%2Fsecure-clinic-api-suite","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fihsanalapsi%2Fsecure-clinic-api-suite","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fihsanalapsi%2Fsecure-clinic-api-suite/lists"}