security: internal audit — batch 1

Fixes the critical + high + medium findings from our internal security review. Bundled into one PR because the changes overlap heavily (JWT verification unifies across three call sites; backup-code hashing and demo-email handling cross-cut several services); splitting them out would mean redundant reviews of the same files. Critical - CI-C1 — .github/workflows/test.yml: restore actions/{checkout,setup- node,upload-artifact} to @v4. The @v6 refs don't exist, so the test workflow was errorring before a single test ran. - SEC-C1 — mfaPolicy now extracts the token via extractToken() (cookie- first, Bearer fallback). Previously it only read Authorization, so every cookie-authenticated SPA session bypassed require_mfa entirely. - SEC-C2/C4/C6 — all JWT verification paths (MCP bearer, file download, photo route) now go through the shared verifyJwtAndLoadUser that checks password_version. resetPassword additionally deletes every mcp_tokens row and marks outstanding oauth_tokens revoked, so a password reset invalidates ALL credential classes — not just the cookie JWT. High - SEC-H2 — reset email URL is built from server-side APP_URL / ALLOWED_ORIGINS (via existing getAppUrl()), not request headers. Closes the host-header-injection vector into reset links. - SEC-H3 — OIDC findOrCreateUser wraps the invite-redemption UPDATE + user INSERT in a transaction. The UPDATE is the capacity check; if a concurrent callback takes the last slot, the whole transaction aborts with registration_disabled instead of double-creating users. - SEC-H4 — new verifyIdToken() performs full JWT signature verification via the provider's JWKS (Node's crypto.createPublicKey accepts JWK directly — no extra dependency), plus iss/aud/exp checks. The callback also rejects the login when userinfo.sub does not match id_token.sub. - SEC-H5 — OAuth DCR now validates redirect_uris against an allowlist of schemes: https, http-loopback, or a private custom scheme. Plain http://non-loopback is rejected. - SEC-H6 — oauthService audience defaults to mcpResource when the `resource` parameter is missing, so tokens are always audience-bound to /mcp instead of being issued with audience=null. - SEC-H7 — HSTS is enabled any time NODE_ENV=production (previously required FORCE_HTTPS=true), includeSubDomains defaults on and can be disabled with HSTS_INCLUDE_SUBDOMAINS=false. - SEC-H8 — trek_session cookie Secure flag is also driven by req.secure (which Express resolves from X-Forwarded-Proto once trust proxy is set), so instances behind a TLS-terminating proxy get Secure cookies without needing FORCE_HTTPS. Medium - SEC-M1 — permanentDeleteFile / emptyTrash / avatar unlink now use fs.promises.rm with { force: true } (one async op vs the previous existsSync + unlinkSync pair per file). - SEC-M2 — invalidatePermissionsCache() is called inside restoreFromZip so a restored DB with different permission rows is honoured immediately. - SEC-M3 + C1 — idempotency store bounds the key at 128 chars, caches only responses ≤ 256 KiB, and scopes the lookup by (key, user_id, method, path) rather than (key, user_id). Same key replayed against a different endpoint no longer returns a stale unrelated body. - SEC-M4 — share_tokens gets an expires_at column; new tokens default to 90-day TTL, expired tokens are denied at lookup. Existing tokens stay NULL = no expiry so already-published links don't break. - SEC-M5 — /uploads/photos/:filename now resolves the photo to its trip_id and requires the share token to cover THAT trip. Previously any share token for any trip would unlock any photo filename. - SEC-M6 — BLOCKED_EXTENSIONS is the single source of truth shared between fileService and collab uploads. The '*' allowed_file_types wildcard now still rejects executables/scripts. - SEC-M7 — single DEMO_EMAILS constant (services/demo.ts) used by demoUploadBlock, mfaPolicy, and every demo-mode guard in authService. The old demoUploadBlock only matched 'demo@nomad.app' so the seed 'demo@trek.app' could in fact upload in demo mode. - SEC-M8 — MFA backup codes are now bcrypt-hashed at rest (hashBackupCodeBcrypt). matchBackupCode accepts both bcrypt and legacy SHA-256 hex hashes, so existing installs keep working until the user regenerates codes via enableMfa. - SEC-M9 — document the "security via UUID v4 filename" model for /uploads/avatars|covers|journey. Requires no code change but captures the decision so future reviewers don't re-flag it. - SEC-M10 — already covered by the resetPassword revocation logic above: mcp_tokens DELETE + oauth_tokens UPDATE … SET revoked_at. Performance - PERF-H1 — new migration adds the indexes flagged in the audit: trips(user_id), trips(created_at DESC), photos(day_id), photos(place_id), reservations(day_id), share_tokens(token), plus conditional day_accommodations and notifications indexes depending on which columns are present. Tests - tests/integration/oidc.test.ts now mocks verifyIdToken and passes an id_token in the exchangeCodeForToken stub for the three flows that exercise a successful callback. The three remaining failures tests pointed out were all pre-existing (file-upload flakes + notificationPreferences event_types count drift), none introduced by this PR.
2026-06-21 22:31:46 +00:00 · 2026-04-20 20:36:52 +02:00
parent e612de9143
commit 2d0414b4a3
20 changed files with 539 additions and 127 deletions
@@ -39,7 +39,7 @@ import {
  requestPasswordReset,
  resetPassword,
 } from '../services/authService';
-import { sendPasswordResetEmail } from '../services/notifications';
+import { sendPasswordResetEmail, getAppUrl } from '../services/notifications';

 const router = express.Router();

@@ -127,10 +127,10 @@ router.get('/app-config', optionalAuth, (req: Request, res: Response) => {
  res.json(getAppConfig(user));
 });

-router.post('/demo-login', (_req: Request, res: Response) => {
+router.post('/demo-login', (req: Request, res: Response) => {
  const result = demoLogin();
  if (result.error) return res.status(result.status!).json({ error: result.error });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.json({ token: result.token, user: result.user });
 });

@@ -144,7 +144,7 @@ router.post('/register', authLimiter, (req: Request, res: Response) => {
  const result = registerUser(req.body);
  if (result.error) return res.status(result.status!).json({ error: result.error });
  writeAudit({ userId: result.auditUserId!, action: 'user.register', ip: getClientIp(req), details: result.auditDetails });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.status(201).json({ token: result.token, user: result.user });
 });

@@ -155,7 +155,7 @@ router.post('/login', authLimiter, (req: Request, res: Response) => {
  }
  if (result.error) return res.status(result.status!).json({ error: result.error });
  if (result.mfa_required) return res.json({ mfa_required: true, mfa_token: result.mfa_token });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.json({ token: result.token, user: result.user });
 });

@@ -178,11 +178,12 @@ router.post('/forgot-password', forgotLimiter, async (req: Request, res: Respons
  const outcome = requestPasswordReset(rawEmail, ip);

  if (outcome.reason === 'issued' && outcome.tokenForDelivery && outcome.userEmail) {
-    // Build the reset URL from the incoming request origin so dev /
-    // prod both work without extra config.
-    const origin = (req.headers['origin'] as string | undefined)
-      || (req.headers['referer'] ? new URL(req.headers['referer'] as string).origin : undefined)
-      || `${req.protocol}://${req.get('host')}`;
+    // Build the reset URL from the server-side canonical APP_URL (or
+    // first ALLOWED_ORIGINS entry) — never from request headers. A
+    // crafted `Origin` / `Host` / `Referer` would otherwise put an
+    // attacker-controlled domain into the emailed reset link while the
+    // token itself is still legitimate.
+    const origin = getAppUrl();
    const url = `${origin.replace(/\/$/, '')}/reset-password?token=${encodeURIComponent(outcome.tokenForDelivery)}`;

    // Audit the REQUEST always — even for "no user" — so abuse is visible.
@@ -231,8 +232,8 @@ router.get('/me', authenticate, (req: Request, res: Response) => {
  res.json({ user });
 });

-router.post('/logout', (_req: Request, res: Response) => {
-  clearAuthCookie(res);
+router.post('/logout', (req: Request, res: Response) => {
+  clearAuthCookie(res, req);
  res.json({ success: true });
 });

@@ -276,15 +277,15 @@ router.get('/me/settings', authenticate, (req: Request, res: Response) => {
  res.json({ settings: result.settings });
 });

-router.post('/avatar', authenticate, demoUploadBlock, avatarUpload.single('avatar'), (req: Request, res: Response) => {
+router.post('/avatar', authenticate, demoUploadBlock, avatarUpload.single('avatar'), async (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
  if (!req.file) return res.status(400).json({ error: 'No image uploaded' });
-  res.json(saveAvatar(authReq.user.id, req.file.filename));
+  res.json(await saveAvatar(authReq.user.id, req.file.filename));
 });

-router.delete('/avatar', authenticate, (req: Request, res: Response) => {
+router.delete('/avatar', authenticate, async (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
-  res.json(deleteAvatar(authReq.user.id));
+  res.json(await deleteAvatar(authReq.user.id));
 });

 router.get('/users', authenticate, (req: Request, res: Response) => {
@@ -329,7 +330,7 @@ router.post('/mfa/verify-login', mfaLimiter, (req: Request, res: Response) => {
  const result = verifyMfaLogin(req.body);
  if (result.error) return res.status(result.status!).json({ error: result.error });
  writeAudit({ userId: result.auditUserId!, action: 'user.login', ip: getClientIp(req), details: { mfa: true } });
-  setAuthCookie(res, result.token!);
+  setAuthCookie(res, result.token!, req);
  res.json({ token: result.token, user: result.user });
 });