security: internal audit — batch 1

Fixes the critical + high + medium findings from our internal security review. Bundled into one PR because the changes overlap heavily (JWT verification unifies across three call sites; backup-code hashing and demo-email handling cross-cut several services); splitting them out would mean redundant reviews of the same files. Critical - CI-C1 — .github/workflows/test.yml: restore actions/{checkout,setup- node,upload-artifact} to @v4. The @v6 refs don't exist, so the test workflow was errorring before a single test ran. - SEC-C1 — mfaPolicy now extracts the token via extractToken() (cookie- first, Bearer fallback). Previously it only read Authorization, so every cookie-authenticated SPA session bypassed require_mfa entirely. - SEC-C2/C4/C6 — all JWT verification paths (MCP bearer, file download, photo route) now go through the shared verifyJwtAndLoadUser that checks password_version. resetPassword additionally deletes every mcp_tokens row and marks outstanding oauth_tokens revoked, so a password reset invalidates ALL credential classes — not just the cookie JWT. High - SEC-H2 — reset email URL is built from server-side APP_URL / ALLOWED_ORIGINS (via existing getAppUrl()), not request headers. Closes the host-header-injection vector into reset links. - SEC-H3 — OIDC findOrCreateUser wraps the invite-redemption UPDATE + user INSERT in a transaction. The UPDATE is the capacity check; if a concurrent callback takes the last slot, the whole transaction aborts with registration_disabled instead of double-creating users. - SEC-H4 — new verifyIdToken() performs full JWT signature verification via the provider's JWKS (Node's crypto.createPublicKey accepts JWK directly — no extra dependency), plus iss/aud/exp checks. The callback also rejects the login when userinfo.sub does not match id_token.sub. - SEC-H5 — OAuth DCR now validates redirect_uris against an allowlist of schemes: https, http-loopback, or a private custom scheme. Plain http://non-loopback is rejected. - SEC-H6 — oauthService audience defaults to mcpResource when the `resource` parameter is missing, so tokens are always audience-bound to /mcp instead of being issued with audience=null. - SEC-H7 — HSTS is enabled any time NODE_ENV=production (previously required FORCE_HTTPS=true), includeSubDomains defaults on and can be disabled with HSTS_INCLUDE_SUBDOMAINS=false. - SEC-H8 — trek_session cookie Secure flag is also driven by req.secure (which Express resolves from X-Forwarded-Proto once trust proxy is set), so instances behind a TLS-terminating proxy get Secure cookies without needing FORCE_HTTPS. Medium - SEC-M1 — permanentDeleteFile / emptyTrash / avatar unlink now use fs.promises.rm with { force: true } (one async op vs the previous existsSync + unlinkSync pair per file). - SEC-M2 — invalidatePermissionsCache() is called inside restoreFromZip so a restored DB with different permission rows is honoured immediately. - SEC-M3 + C1 — idempotency store bounds the key at 128 chars, caches only responses ≤ 256 KiB, and scopes the lookup by (key, user_id, method, path) rather than (key, user_id). Same key replayed against a different endpoint no longer returns a stale unrelated body. - SEC-M4 — share_tokens gets an expires_at column; new tokens default to 90-day TTL, expired tokens are denied at lookup. Existing tokens stay NULL = no expiry so already-published links don't break. - SEC-M5 — /uploads/photos/:filename now resolves the photo to its trip_id and requires the share token to cover THAT trip. Previously any share token for any trip would unlock any photo filename. - SEC-M6 — BLOCKED_EXTENSIONS is the single source of truth shared between fileService and collab uploads. The '*' allowed_file_types wildcard now still rejects executables/scripts. - SEC-M7 — single DEMO_EMAILS constant (services/demo.ts) used by demoUploadBlock, mfaPolicy, and every demo-mode guard in authService. The old demoUploadBlock only matched 'demo@nomad.app' so the seed 'demo@trek.app' could in fact upload in demo mode. - SEC-M8 — MFA backup codes are now bcrypt-hashed at rest (hashBackupCodeBcrypt). matchBackupCode accepts both bcrypt and legacy SHA-256 hex hashes, so existing installs keep working until the user regenerates codes via enableMfa. - SEC-M9 — document the "security via UUID v4 filename" model for /uploads/avatars|covers|journey. Requires no code change but captures the decision so future reviewers don't re-flag it. - SEC-M10 — already covered by the resetPassword revocation logic above: mcp_tokens DELETE + oauth_tokens UPDATE … SET revoked_at. Performance - PERF-H1 — new migration adds the indexes flagged in the audit: trips(user_id), trips(created_at DESC), photos(day_id), photos(place_id), reservations(day_id), share_tokens(token), plus conditional day_accommodations and notifications indexes depending on which columns are present. Tests - tests/integration/oidc.test.ts now mocks verifyIdToken and passes an id_token in the exchangeCodeForToken stub for the three flows that exercise a successful callback. The three remaining failures tests pointed out were all pre-existing (file-upload flakes + notificationPreferences event_types count drift), none introduced by this PR.
2026-06-21 14:21:46 +00:00 · 2026-04-20 20:36:52 +02:00
parent e612de9143
commit 2d0414b4a3
20 changed files with 539 additions and 127 deletions
@@ -39,7 +39,7 @@ import {
  requestPasswordReset,
  resetPassword,
 } from '../services/authService';
-import { sendPasswordResetEmail } from '../services/notifications';
+import { sendPasswordResetEmail, getAppUrl } from '../services/notifications';

 const router = express.Router();

@@ -127,10 +127,10 @@ router.get('/app-config', optionalAuth, (req: Request, res: Response) => {
  res.json(getAppConfig(user));
 });

-router.post('/demo-login', (_req: Request, res: Response) => {
+router.post('/demo-login', (req: Request, res: Response) => {
  const result = demoLogin();
  if (result.error) return res.status(result.status!).json({ error: result.error });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.json({ token: result.token, user: result.user });
 });

@@ -144,7 +144,7 @@ router.post('/register', authLimiter, (req: Request, res: Response) => {
  const result = registerUser(req.body);
  if (result.error) return res.status(result.status!).json({ error: result.error });
  writeAudit({ userId: result.auditUserId!, action: 'user.register', ip: getClientIp(req), details: result.auditDetails });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.status(201).json({ token: result.token, user: result.user });
 });

@@ -155,7 +155,7 @@ router.post('/login', authLimiter, (req: Request, res: Response) => {
  }
  if (result.error) return res.status(result.status!).json({ error: result.error });
  if (result.mfa_required) return res.json({ mfa_required: true, mfa_token: result.mfa_token });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.json({ token: result.token, user: result.user });
 });

@@ -178,11 +178,12 @@ router.post('/forgot-password', forgotLimiter, async (req: Request, res: Respons
  const outcome = requestPasswordReset(rawEmail, ip);

  if (outcome.reason === 'issued' && outcome.tokenForDelivery && outcome.userEmail) {
-    // Build the reset URL from the incoming request origin so dev /
-    // prod both work without extra config.
-    const origin = (req.headers['origin'] as string | undefined)
-      || (req.headers['referer'] ? new URL(req.headers['referer'] as string).origin : undefined)
-      || `${req.protocol}://${req.get('host')}`;
+    // Build the reset URL from the server-side canonical APP_URL (or
+    // first ALLOWED_ORIGINS entry) — never from request headers. A
+    // crafted `Origin` / `Host` / `Referer` would otherwise put an
+    // attacker-controlled domain into the emailed reset link while the
+    // token itself is still legitimate.
+    const origin = getAppUrl();
    const url = `${origin.replace(/\/$/, '')}/reset-password?token=${encodeURIComponent(outcome.tokenForDelivery)}`;

    // Audit the REQUEST always — even for "no user" — so abuse is visible.
@@ -231,8 +232,8 @@ router.get('/me', authenticate, (req: Request, res: Response) => {
  res.json({ user });
 });

-router.post('/logout', (_req: Request, res: Response) => {
-  clearAuthCookie(res);
+router.post('/logout', (req: Request, res: Response) => {
+  clearAuthCookie(res, req);
  res.json({ success: true });
 });

@@ -276,15 +277,15 @@ router.get('/me/settings', authenticate, (req: Request, res: Response) => {
  res.json({ settings: result.settings });
 });

-router.post('/avatar', authenticate, demoUploadBlock, avatarUpload.single('avatar'), (req: Request, res: Response) => {
+router.post('/avatar', authenticate, demoUploadBlock, avatarUpload.single('avatar'), async (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
  if (!req.file) return res.status(400).json({ error: 'No image uploaded' });
-  res.json(saveAvatar(authReq.user.id, req.file.filename));
+  res.json(await saveAvatar(authReq.user.id, req.file.filename));
 });

-router.delete('/avatar', authenticate, (req: Request, res: Response) => {
+router.delete('/avatar', authenticate, async (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
-  res.json(deleteAvatar(authReq.user.id));
+  res.json(await deleteAvatar(authReq.user.id));
 });

 router.get('/users', authenticate, (req: Request, res: Response) => {
@@ -329,7 +330,7 @@ router.post('/mfa/verify-login', mfaLimiter, (req: Request, res: Response) => {
  const result = verifyMfaLogin(req.body);
  if (result.error) return res.status(result.status!).json({ error: result.error });
  writeAudit({ userId: result.auditUserId!, action: 'user.login', ip: getClientIp(req), details: { mfa: true } });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.json({ token: result.token, user: result.user });
 });

@@ -9,6 +9,7 @@ import { validateStringLengths } from '../middleware/validate';
 import { checkPermission } from '../services/permissions';
 import { AuthRequest } from '../types';
 import { db } from '../db/database';
+import { BLOCKED_EXTENSIONS } from '../services/fileService';
 import {
  verifyTripAccess,
  listNotes,
@@ -41,8 +42,10 @@ const noteUpload = multer({
  defParamCharset: 'utf8',
  fileFilter: (_req, file, cb) => {
    const ext = path.extname(file.originalname).toLowerCase();
-    const BLOCKED = ['.svg', '.html', '.htm', '.xml', '.xhtml', '.js', '.jsx', '.ts', '.exe', '.bat', '.sh', '.cmd', '.msi', '.dll', '.com', '.vbs', '.ps1', '.php'];
-    if (BLOCKED.includes(ext) || file.mimetype.includes('svg') || file.mimetype.includes('html') || file.mimetype.includes('javascript')) {
+    // Share the single BLOCKED_EXTENSIONS list from fileService so
+    // executable/script attachments can't sneak in via collab when the
+    // main uploader already rejects them.
+    if (BLOCKED_EXTENSIONS.includes(ext) || file.mimetype.includes('svg') || file.mimetype.includes('html') || file.mimetype.includes('javascript')) {
      const err: Error & { statusCode?: number } = new Error('File type not allowed');
      err.statusCode = 400;
      return cb(err);
@@ -210,7 +210,7 @@ router.post('/:id/restore', authenticate, (req: Request, res: Response) => {
 });

 // Permanently delete from trash
-router.delete('/:id/permanent', authenticate, (req: Request, res: Response) => {
+router.delete('/:id/permanent', authenticate, async (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
  const { tripId, id } = req.params;

@@ -222,13 +222,13 @@ router.delete('/:id/permanent', authenticate, (req: Request, res: Response) => {
  const file = getDeletedFile(id, tripId);
  if (!file) return res.status(404).json({ error: 'File not found in trash' });

-  permanentDeleteFile(file);
+  await permanentDeleteFile(file);
  res.json({ success: true });
  broadcast(tripId, 'file:deleted', { fileId: Number(id) }, req.headers['x-socket-id'] as string);
 });

 // Empty entire trash
-router.delete('/trash/empty', authenticate, (req: Request, res: Response) => {
+router.delete('/trash/empty', authenticate, async (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
  const { tripId } = req.params;

@@ -237,7 +237,7 @@ router.delete('/trash/empty', authenticate, (req: Request, res: Response) => {
  if (!checkPermission('file_delete', authReq.user.role, trip.user_id, authReq.user.id, trip.user_id !== authReq.user.id))
    return res.status(403).json({ error: 'No permission' });

-  const deleted = emptyTrash(tripId);
+  const deleted = await emptyTrash(tripId);
  res.json({ success: true, deleted });
 });

@@ -205,6 +205,25 @@ oauthPublicRouter.post('/oauth/register', dcrLimiter, (req: Request, res: Respon
  if (redirectUris.length === 0) {
    return res.status(400).json({ error: 'invalid_redirect_uri', error_description: 'redirect_uris is required and must be a non-empty array' });
  }
+  // OAuth 2.1 + RFC 8252: confidential web apps need HTTPS; public
+  // clients (MCP, native) are limited to loopback or custom schemes.
+  // This rejects `http://evil.example` DCR payloads that today would
+  // otherwise be accepted since we previously only checked shape.
+  const allowed = redirectUris.every((u) => {
+    try {
+      const url = new URL(u);
+      if (url.protocol === 'https:') return true;
+      if (url.protocol === 'http:' && (url.hostname === 'localhost' || url.hostname === '127.0.0.1' || url.hostname === '[::1]')) return true;
+      // RFC 8252 custom scheme for native/MCP clients (e.g. "myapp://cb")
+      if (!/^https?:$/.test(url.protocol) && url.protocol.endsWith(':') && !url.protocol.includes(' ')) return true;
+      return false;
+    } catch {
+      return false;
+    }
+  });
+  if (!allowed) {
+    return res.status(400).json({ error: 'invalid_redirect_uri', error_description: 'redirect_uris must be HTTPS, loopback HTTP, or a private custom scheme' });
+  }

  const rawName = typeof body.client_name === 'string' ? body.client_name.trim().slice(0, 100) : '';
  const clientName = rawName || 'MCP Client';
@@ -9,6 +9,7 @@ import {
  consumeAuthCode,
  exchangeCodeForToken,
  getUserInfo,
+  verifyIdToken,
  findOrCreateUser,
  touchLastLogin,
  generateToken,
@@ -97,10 +98,40 @@ router.get('/callback', async (req: Request, res: Response) => {
      return res.redirect(frontendUrl('/login?oidc_error=token_failed'));
    }

+    // Strict id_token verification: signature via JWKS + iss + aud.
+    // Previously only the access_token was used to hit userinfo, so a
+    // compromised provider or MITM could supply a crafted userinfo
+    // response the server would blindly trust. When the id_token is
+    // missing from the token response (non-compliant provider) we still
+    // reject — an Authorization Code flow MUST return one per OIDC Core.
+    if (!tokenData.id_token) {
+      console.error('[OIDC] Token response missing id_token — refusing login');
+      return res.redirect(frontendUrl('/login?oidc_error=no_id_token'));
+    }
+    const idVerify = await verifyIdToken(
+      tokenData.id_token,
+      doc,
+      config.clientId,
+      doc.issuer || config.issuer,
+    );
+    if (idVerify.ok !== true) {
+      const reason = 'error' in idVerify ? idVerify.error : 'unknown';
+      console.error('[OIDC] id_token verification failed:', reason);
+      return res.redirect(frontendUrl('/login?oidc_error=id_token_invalid'));
+    }
+
    const userInfo = await getUserInfo(doc.userinfo_endpoint, tokenData.access_token);
    if (!userInfo.email) {
      return res.redirect(frontendUrl('/login?oidc_error=no_email'));
    }
+    // Cross-check: the userinfo response must be for the same subject
+    // the id_token signed. Catches a compromised userinfo endpoint that
+    // speaks for a different principal than the id_token's claim.
+    const tokenSub = idVerify.claims.sub;
+    if (typeof tokenSub === 'string' && userInfo.sub && userInfo.sub !== tokenSub) {
+      console.error('[OIDC] userinfo.sub does not match id_token.sub — refusing login');
+      return res.redirect(frontendUrl('/login?oidc_error=subject_mismatch'));
+    }

    const result = findOrCreateUser(userInfo, config, pending.inviteToken);
    if ('error' in result) {
@@ -126,7 +157,7 @@ router.get('/exchange', (req: Request, res: Response) => {
  const result = consumeAuthCode(code);
  if ('error' in result) return res.status(400).json({ error: result.error });

-  setAuthCookie(res, result.token);
+  setAuthCookie(res, result.token, req);
  res.json({ token: result.token });
 });