https://github.com/ihsanalapsi/secure-clinic-api-suite

A production-ready Healthcare API with advanced scheduling logic and a comprehensive Security Audit & Remediation report covering 18 critical OWASP vulnerabilities.

# Secure Healthcare API & Security Audit Suite


A Senior-Level Portfolio Piece Demonstrating Advanced Backend Architecture & Offensive/Defensive Cybersecurity

![Security Audit](https://img.shields.io/badge/Security-OWASP_Top_10_Audited-brightgreen)
![Architecture](https://img.shields.io/badge/Architecture-Modular_Monolith-blue)
![TypeScript](https://img.shields.io/badge/TypeScript-Strict_Mode-blue)
![License](https://img.shields.io/badge/License-MIT-gray)


## 🌟 At a Glance

| Metric | Details |
| --- | --- |
| **Modules Built** | 4 Domain Modules (Auth, Patients, Doctors, Appointments) |
| **Vulnerabilities Fixed** | 18 Critical & High Vulnerabilities (OWASP Top 10) |
| **Architecture** | Scalable Modular Monolith with bounded contexts |
| **Database** | PostgreSQL optimized via Prisma ORM |
| **Security Layer** | Fail-closed RBAC, Zod request validation, concurrency-safe appointment booking |

---

## 🎯 Quick Navigation for Reviewers

If you are a **Tech Lead** or **Technical Recruiter** reviewing this repository, here is where you should look first based on your interest:

| Focus Area | File / Folder | What to expect |
| :--- | :--- | :--- |
| **System Architecture** | [`clinic-api-build/src/modules/`](clinic-api-build/src/modules/) | Cleanly bounded contexts, separation of routes, controllers, and services. |
| **Concurrency Logic** | [`Appointment Service`](clinic-api-build/src/modules/appointments/appointments.service.ts) | Custom overlap-checking algorithm for safe booking under load. |
| **Security Audit Skills** | [`FINAL_SECURITY_AUDIT_REPORT.md`](security-audit-remediation/FINAL_SECURITY_AUDIT_REPORT.md) | Professional offensive assessment & detailed remediation strategies. |
| **Data modeling** | [`schema.prisma`](clinic-api-build/prisma/schema.prisma) | Advanced PostgreSQL table modeling, strict relations, and indexes. |

---

## 📖 Overview

Welcome to the **Secure Healthcare API & Security Audit Suite** authored by **Ihsan Alapsi**.

This repository serves as a comprehensive demonstration of enterprise-grade software engineering, bridging the gap between **high-performance backend architecture** and **critical application security**. It is divided into two major tracks:

1. **Clinic API Build**: A high-performance Clinic Appointment System designed and built from scratch using a robust, modular architecture.
2. **Security Audit & Remediation**: A comprehensive OWASP Top 10 security audit and full code remediation of a legacy healthcare API, demonstrating a highly defensive, "fail-closed" engineering mindset.

---

## 🏗️ Part 1: Clinic Appointment System

Located in [`clinic-api-build/`](clinic-api-build/)

A robust, scalable REST API built to manage patients, doctors, and highly concurrent appointment bookings without conflicts.

### 🏛️ Architecture (Modular Monolith)

```mermaid
graph TD
    Client([Client / Frontend]) --> API["Express Router & Validation"]

    subgraph "Modules (Domain Logic)"
        direction TB
        Auth["Auth Module<br/>(JWT, RBAC)"]
        Patients["Patients Module<br/>(Healthcare Records)"]
        Doctors["Doctors Module<br/>(Schedules)"]
        Appointments["Appointments Module<br/>(Overlap Checking)"]

        API --> Auth
        API --> Patients
        API --> Doctors
        API --> Appointments
    end

    subgraph "Data Access & Persistence"
        Prisma[Prisma ORM Client]
        PostgreSQL[(PostgreSQL)]
        Prisma --> PostgreSQL
    end

    Auth --> Prisma
    Patients --> Prisma
    Doctors --> Prisma
    Appointments --> Prisma
```

### Key Highlights
- **Modular Monolith Architecture**: Clean separation of domains ensuring maintainable and testable code.
- **Advanced Concurrency Handling**: An overlap-check algorithm for appointments prevents double-booking safely.
- **Fail-Closed RBAC**: Extensible Role-Based Access Control ensuring secure access boundaries by default.
- **Data Layer**: Powered by **PostgreSQL** and **Prisma ORM** for type-safe database interactions.
- **Dockerized**: Fully containerized environment for seamless spin-up and deployments (`docker-compose.yml` included).
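What "fail-closed" means for the RBAC layer, shown as an added example that is not the repository's own auth module: a route with no policy entry, a request with no authenticated role, and a role not on the route's allow-list are all denied. The policy keys, `Role` values, and the `authorize`/`requireAction` names are assumptions for illustration.

```typescript
// Added example, not the project's code. Authorization is an allow-list:
// anything not explicitly permitted below is refused. Names are assumed.

type Role = "ADMIN" | "DOCTOR" | "PATIENT";
type Action = string; // e.g. "appointments:create"

// Only actions listed here can ever succeed; an unlisted action fails closed.
const policy: Record<Action, readonly Role[]> = {
  "appointments:create": ["PATIENT", "ADMIN"],
  "appointments:cancel": ["PATIENT", "DOCTOR", "ADMIN"],
  "doctors:schedule:write": ["DOCTOR", "ADMIN"],
};

interface Decision { allowed: boolean; reason: string }

// Pure decision function: the role comes from a verified JWT, never from the
// request body, and is treated as untrusted input until matched to the list.
function authorize(role: unknown, action: Action): Decision {
  const allowedRoles = policy[action];
  if (!allowedRoles) return { allowed: false, reason: "no policy for action" };
  if (typeof role !== "string") return { allowed: false, reason: "unauthenticated" };
  if (!(allowedRoles as readonly string[]).includes(role)) {
    return { allowed: false, reason: "role not permitted" };
  }
  return { allowed: true, reason: "ok" };
}

// Express-shaped middleware typed structurally so the block runs offline.
interface Req { user?: { role?: string } }
interface Res { status(code: number): Res; json(body: unknown): Res }
type Next = () => void;

function requireAction(action: Action) {
  return (req: Req, res: Res, next: Next): void => {
    const decision = authorize(req.user?.role, action);
    if (!decision.allowed) {
      // The reason is for server-side logs only; the client gets a generic body.
      res.status(decision.reason === "unauthenticated" ? 401 : 403).json({ error: "forbidden" });
      return;
    }
    next();
  };
}
```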

---

## 🛡️ Part 2: Security Audit & Remediation

Located in [`security-audit-remediation/`](security-audit-remediation/)

A critical analysis and refactor of an intentionally vulnerable legacy Medical Records API. It simulates a real-world blue-team/secure-engineering effort to harden an existing service before production.

### Key Highlights
- **Full OWASP Top 10 Audit**: Methodical identification of critical security flaws.
- **18 Vulnerabilities Remediated**: Applied structural and functional fixes for:
  - SQL Injection (SQLi)
  - Path Traversal
  - Insecure Direct Object References (IDOR)
  - Plaintext Credential Storage
  - JWT Misconfigurations
  - Missing Input Validation & Rate Limiting
- **Professional Assessment**: Includes a complete [Security Audit Report](security-audit-remediation/FINAL_SECURITY_AUDIT_REPORT.md) detailing the findings, impact, and precise remediation strategies applied.

---

## ⚙️ Tech Stack

This project leverages a modern, fully-typed ecosystem for both parts:

- **Node.js** & **Express.js**
- **TypeScript** (Strict Mode)
- **PostgreSQL**
- **Prisma ORM**
- **Docker**
- **Zod** (Request validation)
- **Bcrypt** & **JWT** (Authentication & Hashing)

---

## Getting Started

Each system is completely self-contained. For detailed instructions on how to run them locally, please see the specific READMEs in their respective directories:

- 👉 [Clinic Appointment API Setup](clinic-api-build/README.md)
- 👉 [Security Remediated API Setup](security-audit-remediation/README.md)