Implement OWASP ASVS L1 security remediation (Phases 0-2)

Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00 · 2026-03-01 12:53:18 +00:00 · 26c300c357
commit 26c300c357
parent 29c96a207e
41 changed files with 566 additions and 380 deletions
--- a/app/components/AppNavigation.vue
+++ b/app/components/AppNavigation.vue
@ -211,9 +211,7 @@ const handleLogin = async () => {
  } catch (err) {
    console.error("Login error:", err);

-    if (err.statusCode === 404) {
-      loginError.value = "No account found";
-    } else if (err.statusCode === 500) {
+    if (err.statusCode === 500) {
      loginError.value = "Failed to send email";
    } else {
      loginError.value = "Something went wrong";
--- a/app/components/LoginModal.vue
+++ b/app/components/LoginModal.vue
@ -167,9 +167,7 @@ const handleLogin = async () => {
  } catch (err) {
    console.error('Login error:', err)

-    if (err.statusCode === 404) {
-      loginError.value = 'No account found with that email. Please check your email or join Ghost Guild.'
-    } else if (err.statusCode === 500) {
+    if (err.statusCode === 500) {
      loginError.value = 'Failed to send login email. Please try again later.'
    } else {
      loginError.value = err.statusMessage || 'Something went wrong. Please try again.'
--- a/app/composables/useMarkdown.js
+++ b/app/composables/useMarkdown.js
@ -1,12 +1,29 @@
 import { marked } from 'marked'
+import DOMPurify from 'isomorphic-dompurify'
+
+const ALLOWED_TAGS = [
+  'a', 'strong', 'em', 'b', 'i', 'u',
+  'ul', 'ol', 'li', 'p', 'br',
+  'code', 'pre', 'blockquote',
+  'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+  'hr', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
+  'del', 'sup', 'sub'
+]
+
+const ALLOWED_ATTR = ['href', 'target', 'rel', 'class']

 export const useMarkdown = () => {
  const render = (markdown) => {
    if (!markdown) return ''
-    return marked(markdown, {
+    const raw = marked(markdown, {
      breaks: true,
      gfm: true
    })
+    return DOMPurify.sanitize(raw, {
+      ALLOWED_TAGS,
+      ALLOWED_ATTR,
+      ALLOW_DATA_ATTR: false
+    })
  }

  return {
--- a/app/middleware/admin.js
+++ b/app/middleware/admin.js
@ -1,18 +1,17 @@
-export default defineNuxtRouteMiddleware((to) => {
-  // Skip middleware in server-side rendering to avoid errors
-  if (process.server) return
-  
-  // TODO: Temporarily disabled for testing - enable when authentication is set up
-  // Check if user is authenticated (you'll need to implement proper auth state)
-  // const isAuthenticated = useCookie('auth-token').value
-  
-  // if (!isAuthenticated) {
-  //   throw createError({
-  //     statusCode: 401,
-  //     statusMessage: 'Authentication required'
-  //   })
-  // }
-  
-  // TODO: Add proper role-based authorization
-  // For now, we assume anyone with a valid token is an admin
-})
+export default defineNuxtRouteMiddleware(async (to) => {
+  if (import.meta.server) return
+
+  const { isAuthenticated, memberData, checkMemberStatus } = useAuth()
+
+  if (!isAuthenticated.value) {
+    await checkMemberStatus()
+  }
+
+  if (!isAuthenticated.value) {
+    return navigateTo('/')
+  }
+
+  if (memberData.value?.role !== 'admin') {
+    return navigateTo('/members')
+  }
+})
--- a/app/plugins/csrf.client.js
+++ b/app/plugins/csrf.client.js
@ -0,0 +1,23 @@
+export default defineNuxtPlugin(() => {
+  const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS'])
+
+  globalThis.$fetch = globalThis.$fetch.create({
+    onRequest({ options }) {
+      const method = (options.method || 'GET').toUpperCase()
+      if (safeMethods.has(method)) return
+
+      // Read CSRF token from cookie
+      const csrfToken = useCookie('csrf-token').value
+      if (csrfToken) {
+        options.headers = options.headers || {}
+        if (options.headers instanceof Headers) {
+          options.headers.set('x-csrf-token', csrfToken)
+        } else if (Array.isArray(options.headers)) {
+          options.headers.push(['x-csrf-token', csrfToken])
+        } else {
+          options.headers['x-csrf-token'] = csrfToken
+        }
+      }
+    }
+  })
+})