Security

Authentication

  • Firebase Auth on the client; auth state provided via AuthContext and gated by middleware.js using the firebase-token cookie.
  • Auth routes: /login, /signup; protected routes: /, /posts, /company-posts, /settings, /admin.

API Protection

  • All HTTPS functions that expose business data validate the x-api-key request header against process.env.API_KEY; requests without a matching key are rejected before any data is read.
  • Set API_KEY in your functions environment (e.g., firebase functions:config:set, or an environment variable supplied during deploy). If it is unset, the functions must fail closed rather than accept every request.

Data Access

  • Firestore collections: businesses, businesses/{id}/participants, businesses/{id}/posts, businesses/{id}/companyLinkedInPosts.
  • Ensure Firestore Security Rules restrict access appropriately (rules are not included in this repo and must be configured in your Firebase project).

External Webhooks

  • POST /api/linkedin-webhook forwards payloads to an n8n endpoint. TLS certificate verification for that outbound call is currently disabled via an undici.Agent so that self-signed certificates are accepted; this also means any certificate presented on the path is accepted. Use only in trusted environments; prefer a valid certificate on the n8n endpoint so verification can be re-enabled.