mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-20 13:51:45 +00:00
Maurice
2d0414b4a3
Fixes the critical + high + medium findings from our internal security
review. Bundled into one PR because the changes overlap heavily (JWT
verification unifies across three call sites; backup-code hashing and
demo-email handling cross-cut several services); splitting them out
would mean redundant reviews of the same files.
Critical
- CI-C1 — .github/workflows/test.yml: restore actions/{checkout,setup-
node,upload-artifact} to @v4. The @v6 refs don't exist, so the test
workflow was errorring before a single test ran.
- SEC-C1 — mfaPolicy now extracts the token via extractToken() (cookie-
first, Bearer fallback). Previously it only read Authorization, so
every cookie-authenticated SPA session bypassed require_mfa entirely.
- SEC-C2/C4/C6 — all JWT verification paths (MCP bearer, file download,
photo route) now go through the shared verifyJwtAndLoadUser that
checks password_version. resetPassword additionally deletes every
mcp_tokens row and marks outstanding oauth_tokens revoked, so a
password reset invalidates ALL credential classes — not just the
cookie JWT.
High
- SEC-H2 — reset email URL is built from server-side APP_URL /
ALLOWED_ORIGINS (via existing getAppUrl()), not request headers.
Closes the host-header-injection vector into reset links.
- SEC-H3 — OIDC findOrCreateUser wraps the invite-redemption UPDATE +
user INSERT in a transaction. The UPDATE is the capacity check; if
a concurrent callback takes the last slot, the whole transaction
aborts with registration_disabled instead of double-creating users.
- SEC-H4 — new verifyIdToken() performs full JWT signature
verification via the provider's JWKS (Node's crypto.createPublicKey
accepts JWK directly — no extra dependency), plus iss/aud/exp
checks. The callback also rejects the login when userinfo.sub does
not match id_token.sub.
- SEC-H5 — OAuth DCR now validates redirect_uris against an allowlist
of schemes: https, http-loopback, or a private custom scheme. Plain
http://non-loopback is rejected.
- SEC-H6 — oauthService audience defaults to mcpResource when the
`resource` parameter is missing, so tokens are always audience-bound
to /mcp instead of being issued with audience=null.
- SEC-H7 — HSTS is enabled any time NODE_ENV=production (previously
required FORCE_HTTPS=true), includeSubDomains defaults on and can
be disabled with HSTS_INCLUDE_SUBDOMAINS=false.
- SEC-H8 — trek_session cookie Secure flag is also driven by
req.secure (which Express resolves from X-Forwarded-Proto once
trust proxy is set), so instances behind a TLS-terminating proxy
get Secure cookies without needing FORCE_HTTPS.
Medium
- SEC-M1 — permanentDeleteFile / emptyTrash / avatar unlink now use
fs.promises.rm with { force: true } (one async op vs the previous
existsSync + unlinkSync pair per file).
- SEC-M2 — invalidatePermissionsCache() is called inside restoreFromZip
so a restored DB with different permission rows is honoured
immediately.
- SEC-M3 + C1 — idempotency store bounds the key at 128 chars, caches
only responses ≤ 256 KiB, and scopes the lookup by (key, user_id,
method, path) rather than (key, user_id). Same key replayed against
a different endpoint no longer returns a stale unrelated body.
- SEC-M4 — share_tokens gets an expires_at column; new tokens default
to 90-day TTL, expired tokens are denied at lookup. Existing tokens
stay NULL = no expiry so already-published links don't break.
- SEC-M5 — /uploads/photos/:filename now resolves the photo to its
trip_id and requires the share token to cover THAT trip. Previously
any share token for any trip would unlock any photo filename.
- SEC-M6 — BLOCKED_EXTENSIONS is the single source of truth shared
between fileService and collab uploads. The '*' allowed_file_types
wildcard now still rejects executables/scripts.
- SEC-M7 — single DEMO_EMAILS constant (services/demo.ts) used by
demoUploadBlock, mfaPolicy, and every demo-mode guard in
authService. The old demoUploadBlock only matched 'demo@nomad.app'
so the seed 'demo@trek.app' could in fact upload in demo mode.
- SEC-M8 — MFA backup codes are now bcrypt-hashed at rest
(hashBackupCodeBcrypt). matchBackupCode accepts both bcrypt and
legacy SHA-256 hex hashes, so existing installs keep working until
the user regenerates codes via enableMfa.
- SEC-M9 — document the "security via UUID v4 filename" model for
/uploads/avatars|covers|journey. Requires no code change but
captures the decision so future reviewers don't re-flag it.
- SEC-M10 — already covered by the resetPassword revocation logic
above: mcp_tokens DELETE + oauth_tokens UPDATE … SET revoked_at.
Performance
- PERF-H1 — new migration adds the indexes flagged in the audit:
trips(user_id), trips(created_at DESC), photos(day_id),
photos(place_id), reservations(day_id), share_tokens(token), plus
conditional day_accommodations and notifications indexes depending
on which columns are present.
Tests
- tests/integration/oidc.test.ts now mocks verifyIdToken and passes
an id_token in the exchangeCodeForToken stub for the three flows
that exercise a successful callback. The three remaining failures
tests pointed out were all pre-existing (file-upload flakes +
notificationPreferences event_types count drift), none introduced
by this PR.
81 lines
3.0 KiB
TypeScript
81 lines
3.0 KiB
TypeScript
import { Request, Response, NextFunction } from 'express';
|
|
import { db } from '../db/database';
|
|
|
|
const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
|
|
// Reject pathological client-supplied keys outright instead of hashing
|
|
// everything — 128 chars is plenty for any realistic UUID / ULID / nonce.
|
|
const MAX_KEY_LENGTH = 128;
|
|
// Responses larger than this are not worth caching — a backup-restore
|
|
// endpoint could otherwise store a megabyte-sized JSON body per request
|
|
// key and, with mass key creation, blow up idempotency_keys.
|
|
const MAX_CACHED_BODY_BYTES = 256 * 1024;
|
|
|
|
interface IdempotencyRow {
|
|
status_code: number;
|
|
response_body: string;
|
|
}
|
|
|
|
/**
|
|
* Called from within `authenticate` after req.user is set.
|
|
*
|
|
* For mutating requests carrying X-Idempotency-Key:
|
|
* - If (key, userId, method, path) already stored: replays the cached response.
|
|
* - Otherwise: wraps res.json to capture and store a successful response.
|
|
*
|
|
* The lookup is scoped by method + path as well as user so the same key
|
|
* replayed against a different endpoint doesn't return the cached body
|
|
* of an unrelated request. Key length is capped and the cached body is
|
|
* skipped when it exceeds `MAX_CACHED_BODY_BYTES`.
|
|
*
|
|
* Storing happens in idempotency_keys (24h TTL, cleaned by scheduler).
|
|
*/
|
|
export function applyIdempotency(req: Request, res: Response, next: NextFunction, userId: number): void {
|
|
if (!MUTATING_METHODS.has(req.method)) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
const key = req.headers['x-idempotency-key'] as string | undefined;
|
|
if (!key) {
|
|
next();
|
|
return;
|
|
}
|
|
if (key.length > MAX_KEY_LENGTH) {
|
|
res.status(400).json({ error: 'X-Idempotency-Key exceeds maximum length of 128 characters' });
|
|
return;
|
|
}
|
|
|
|
// Return cached response only if the same key was seen for the same
|
|
// user AND the same method+path — avoids a POST's cached body leaking
|
|
// into an unrelated PATCH that reused the idempotency-key string.
|
|
const existing = db.prepare(
|
|
'SELECT status_code, response_body FROM idempotency_keys WHERE key = ? AND user_id = ? AND method = ? AND path = ?'
|
|
).get(key, userId, req.method, req.path) as IdempotencyRow | undefined;
|
|
|
|
if (existing) {
|
|
res.status(existing.status_code).json(JSON.parse(existing.response_body));
|
|
return;
|
|
}
|
|
|
|
// Wrap res.json to capture the response on first successful execution
|
|
const originalJson = res.json.bind(res);
|
|
res.json = function (body: unknown): Response {
|
|
if (res.statusCode >= 200 && res.statusCode < 300) {
|
|
try {
|
|
const serialized = JSON.stringify(body);
|
|
if (serialized.length <= MAX_CACHED_BODY_BYTES) {
|
|
db.prepare(
|
|
`INSERT OR IGNORE INTO idempotency_keys (key, user_id, method, path, status_code, response_body, created_at)
|
|
VALUES (?, ?, ?, ?, ?, ?, ?)`
|
|
).run(key, userId, req.method, req.path, res.statusCode, serialized, Math.floor(Date.now() / 1000));
|
|
}
|
|
} catch {
|
|
// Non-fatal: if storage fails, the request still succeeds
|
|
}
|
|
}
|
|
return originalJson(body);
|
|
};
|
|
|
|
next();
|
|
}
|