security: internal audit — batch 1

Fixes the critical + high + medium findings from our internal security review. Bundled into one PR because the changes overlap heavily (JWT verification unifies across three call sites; backup-code hashing and demo-email handling cross-cut several services); splitting them out would mean redundant reviews of the same files. Critical - CI-C1 — .github/workflows/test.yml: restore actions/{checkout,setup- node,upload-artifact} to @v4. The @v6 refs don't exist, so the test workflow was errorring before a single test ran. - SEC-C1 — mfaPolicy now extracts the token via extractToken() (cookie- first, Bearer fallback). Previously it only read Authorization, so every cookie-authenticated SPA session bypassed require_mfa entirely. - SEC-C2/C4/C6 — all JWT verification paths (MCP bearer, file download, photo route) now go through the shared verifyJwtAndLoadUser that checks password_version. resetPassword additionally deletes every mcp_tokens row and marks outstanding oauth_tokens revoked, so a password reset invalidates ALL credential classes — not just the cookie JWT. High - SEC-H2 — reset email URL is built from server-side APP_URL / ALLOWED_ORIGINS (via existing getAppUrl()), not request headers. Closes the host-header-injection vector into reset links. - SEC-H3 — OIDC findOrCreateUser wraps the invite-redemption UPDATE + user INSERT in a transaction. The UPDATE is the capacity check; if a concurrent callback takes the last slot, the whole transaction aborts with registration_disabled instead of double-creating users. - SEC-H4 — new verifyIdToken() performs full JWT signature verification via the provider's JWKS (Node's crypto.createPublicKey accepts JWK directly — no extra dependency), plus iss/aud/exp checks. The callback also rejects the login when userinfo.sub does not match id_token.sub. - SEC-H5 — OAuth DCR now validates redirect_uris against an allowlist of schemes: https, http-loopback, or a private custom scheme. Plain http://non-loopback is rejected. - SEC-H6 — oauthService audience defaults to mcpResource when the `resource` parameter is missing, so tokens are always audience-bound to /mcp instead of being issued with audience=null. - SEC-H7 — HSTS is enabled any time NODE_ENV=production (previously required FORCE_HTTPS=true), includeSubDomains defaults on and can be disabled with HSTS_INCLUDE_SUBDOMAINS=false. - SEC-H8 — trek_session cookie Secure flag is also driven by req.secure (which Express resolves from X-Forwarded-Proto once trust proxy is set), so instances behind a TLS-terminating proxy get Secure cookies without needing FORCE_HTTPS. Medium - SEC-M1 — permanentDeleteFile / emptyTrash / avatar unlink now use fs.promises.rm with { force: true } (one async op vs the previous existsSync + unlinkSync pair per file). - SEC-M2 — invalidatePermissionsCache() is called inside restoreFromZip so a restored DB with different permission rows is honoured immediately. - SEC-M3 + C1 — idempotency store bounds the key at 128 chars, caches only responses ≤ 256 KiB, and scopes the lookup by (key, user_id, method, path) rather than (key, user_id). Same key replayed against a different endpoint no longer returns a stale unrelated body. - SEC-M4 — share_tokens gets an expires_at column; new tokens default to 90-day TTL, expired tokens are denied at lookup. Existing tokens stay NULL = no expiry so already-published links don't break. - SEC-M5 — /uploads/photos/:filename now resolves the photo to its trip_id and requires the share token to cover THAT trip. Previously any share token for any trip would unlock any photo filename. - SEC-M6 — BLOCKED_EXTENSIONS is the single source of truth shared between fileService and collab uploads. The '*' allowed_file_types wildcard now still rejects executables/scripts. - SEC-M7 — single DEMO_EMAILS constant (services/demo.ts) used by demoUploadBlock, mfaPolicy, and every demo-mode guard in authService. The old demoUploadBlock only matched 'demo@nomad.app' so the seed 'demo@trek.app' could in fact upload in demo mode. - SEC-M8 — MFA backup codes are now bcrypt-hashed at rest (hashBackupCodeBcrypt). matchBackupCode accepts both bcrypt and legacy SHA-256 hex hashes, so existing installs keep working until the user regenerates codes via enableMfa. - SEC-M9 — document the "security via UUID v4 filename" model for /uploads/avatars|covers|journey. Requires no code change but captures the decision so future reviewers don't re-flag it. - SEC-M10 — already covered by the resetPassword revocation logic above: mcp_tokens DELETE + oauth_tokens UPDATE … SET revoked_at. Performance - PERF-H1 — new migration adds the indexes flagged in the audit: trips(user_id), trips(created_at DESC), photos(day_id), photos(place_id), reservations(day_id), share_tokens(token), plus conditional day_accommodations and notifications indexes depending on which columns are present. Tests - tests/integration/oidc.test.ts now mocks verifyIdToken and passes an id_token in the exchangeCodeForToken stub for the three flows that exercise a successful callback. The three remaining failures tests pointed out were all pre-existing (file-upload flakes + notificationPreferences event_types count drift), none introduced by this PR.
2026-06-21 06:11:45 +00:00 · 2026-04-20 20:36:52 +02:00
parent e612de9143
commit 2d0414b4a3
20 changed files with 539 additions and 127 deletions
@@ -1,9 +1,8 @@
 import path from 'path';
 import fs from 'fs';
-import jwt from 'jsonwebtoken';
-import { JWT_SECRET } from '../config';
 import { db, canAccessTrip } from '../db/database';
 import { consumeEphemeralToken } from './ephemeralTokens';
+import { verifyJwtAndLoadUser } from '../middleware/auth';
 import { TripFile } from '../types';

 // ---------------------------------------------------------------------------
@@ -12,7 +11,18 @@ import { TripFile } from '../types';

 export const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
 export const DEFAULT_ALLOWED_EXTENSIONS = 'jpg,jpeg,png,gif,webp,heic,pdf,doc,docx,xls,xlsx,txt,csv,pkpass';
-export const BLOCKED_EXTENSIONS = ['.svg', '.html', '.htm', '.xml'];
+// Single authoritative blocklist for every file-upload surface (main
+// file manager + collab attachments). When the admin setting
+// `allowed_file_types` is `*`, this list is still enforced so the
+// wildcard doesn't silently admit executables/scripts.
+export const BLOCKED_EXTENSIONS = [
+  // Server-rendered / scripted content that could XSS a viewer
+  '.svg', '.html', '.htm', '.xml', '.xhtml',
+  // Scripts
+  '.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.php', '.py', '.rb', '.pl',
+  // Executables
+  '.exe', '.bat', '.sh', '.cmd', '.msi', '.dll', '.com', '.vbs', '.ps1', '.app',
+];
 export const filesDir = path.join(__dirname, '../../uploads/files');

 // ---------------------------------------------------------------------------
@@ -68,12 +78,12 @@ export function authenticateDownload(bearerToken: string | undefined, queryToken
  }

  if (bearerToken) {
-    try {
-      const decoded = jwt.verify(bearerToken, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number };
-      return { userId: decoded.id };
-    } catch {
-      return { error: 'Invalid or expired token', status: 401 };
-    }
+    // Use the shared helper so the password_version gate applies here too;
+    // previously this bypassed the check and stolen download tokens stayed
+    // valid across a password reset.
+    const user = verifyJwtAndLoadUser(bearerToken);
+    if (!user) return { error: 'Invalid or expired token', status: 401 };
+    return { userId: user.id };
  }

  const uid = consumeEphemeralToken(queryToken!, 'download');
@@ -193,22 +203,20 @@ export function restoreFile(id: string | number) {
  return formatFile(restored);
 }

-export function permanentDeleteFile(file: TripFile) {
+export async function permanentDeleteFile(file: TripFile): Promise<void> {
  const { resolved } = resolveFilePath(file.filename);
-  if (fs.existsSync(resolved)) {
-    try { fs.unlinkSync(resolved); } catch (e) { console.error('Error deleting file:', e); }
-  }
+  // `force: true` swallows ENOENT, removing the prior existsSync+unlink
+  // double-call that blocked the event loop twice per deletion.
+  await fs.promises.rm(resolved, { force: true }).catch((e) => console.error('Error deleting file:', e));
  db.prepare('DELETE FROM trip_files WHERE id = ?').run(file.id);
 }

-export function emptyTrash(tripId: string | number): number {
+export async function emptyTrash(tripId: string | number): Promise<number> {
  const trashed = db.prepare('SELECT * FROM trip_files WHERE trip_id = ? AND deleted_at IS NOT NULL').all(tripId) as TripFile[];
-  for (const file of trashed) {
+  await Promise.all(trashed.map(async (file) => {
    const { resolved } = resolveFilePath(file.filename);
-    if (fs.existsSync(resolved)) {
-      try { fs.unlinkSync(resolved); } catch (e) { console.error('Error deleting file:', e); }
-    }
-  }
+    await fs.promises.rm(resolved, { force: true }).catch((e) => console.error('Error deleting file:', e));
+  }));
  db.prepare('DELETE FROM trip_files WHERE trip_id = ? AND deleted_at IS NOT NULL').run(tripId);
  return trashed.length;
 }