three issues fixed just backing up

src/config/sso.ts

@@ -4,7 +4,8 @@ import { SSOConfig, SSOUserData } from '../types/auth.types';
 // This ensures values are read after secrets are loaded from Google Secret Manager
 const ssoConfig: SSOConfig = {
   get jwtSecret() { return process.env.JWT_SECRET || ''; },
-  get jwtExpiry() { return process.env.JWT_EXPIRY || '24h'; },
+  // VAPT: reduce access token lifetime to 30 minutes by default
+  get jwtExpiry() { return process.env.JWT_EXPIRY || '30m'; },
   get refreshTokenExpiry() { return process.env.REFRESH_TOKEN_EXPIRY || '7d'; },
   get sessionSecret() { return process.env.SESSION_SECRET || ''; },
   // Use only FRONTEND_URL from environment - no fallbacks

src/controllers/form16.controller.ts

@@ -23,6 +23,26 @@ import { Dealer } from '@models/Dealer';
  */
 
 export class Form16Controller {
+  // Minimal PII masking for 26AS APIs – mask PAN in all responses
+  private maskPan(pan: unknown): string | undefined {
+    if (pan == null) return undefined;
+    const s = String(pan).trim();
+    if (!s) return undefined;
+    const last4 = s.slice(-4);
+    if (s.length <= 4) return 'XXXX';
+    return `XXXXXXX${last4}`;
+  }
+
+  private mask26asEntry(entry: any): any {
+    if (!entry) return entry;
+    const plain = typeof entry.toJSON === 'function' ? entry.toJSON() : entry;
+    const masked = { ...plain };
+    if (masked.panNumber) {
+      masked.panNumber = this.maskPan(masked.panNumber);
+    }
+    return masked;
+  }
+
   private toSapCsv(sap: {
     trnsUniqNo?: string | null;
     tdsTransId?: string | null;
@@ -257,11 +277,8 @@ export class Form16Controller {
         limit,
         offset,
       });
-      return ResponseHandler.success(
-        res,
-        { entries: result.rows, total: result.total, summary: result.summary },
-        '26AS entries fetched'
-      );
+      const entries = (result.rows || []).map((row: any) => this.mask26asEntry(row));
+      return ResponseHandler.success(res, { entries, total: result.total, summary: result.summary }, '26AS entries fetched');
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
       logger.error('[Form16Controller] list26as error:', error);
@@ -300,7 +317,8 @@ export class Form16Controller {
         statusOltas: (body.statusOltas as string) || undefined,
         remarks: (body.remarks as string) || undefined,
       });
-      return ResponseHandler.success(res, { entry }, '26AS entry created');
+      const masked = this.mask26asEntry(entry);
+      return ResponseHandler.success(res, { entry: masked }, '26AS entry created');
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
       logger.error('[Form16Controller] create26as error:', error);
@@ -339,7 +357,8 @@ export class Form16Controller {
       if (!entry) {
         return ResponseHandler.error(res, '26AS entry not found', 404);
       }
-      return ResponseHandler.success(res, { entry }, '26AS entry updated');
+      const masked = this.mask26asEntry(entry);
+      return ResponseHandler.success(res, { entry: masked }, '26AS entry updated');
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
       logger.error('[Form16Controller] update26as error:', error);

src/routes/form16.routes.ts

@@ -45,10 +45,10 @@ const upload = multer({
   limits: { fileSize: 15 * 1024 * 1024 },
 });
 
-// 26AS upload: .txt only, 5MB, memory storage (parse then bulk insert)
+// 26AS upload: .txt only, 40MB, memory storage (parse then bulk insert)
 const upload26asTxt = multer({
   storage: multer.memoryStorage(),
-  limits: { fileSize: 5 * 1024 * 1024 },
+  limits: { fileSize: 40 * 1024 * 1024 },
   fileFilter: (_req, file, cb) => {
     const ext = path.extname(file.originalname || '').toLowerCase();
     const isTxt = ext === '.txt' || (file.mimetype && (file.mimetype === 'text/plain' || file.mimetype === 'application/octet-stream'));