Implement OWASP ASVS L1 security remediation (Phases 0-2)
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
This commit is contained in:
parent
29c96a207e
commit
26c300c357
41 changed files with 566 additions and 380 deletions
|
|
@ -1,18 +1,17 @@
|
|||
export default defineNuxtRouteMiddleware((to) => {
|
||||
// Skip middleware in server-side rendering to avoid errors
|
||||
if (process.server) return
|
||||
|
||||
// TODO: Temporarily disabled for testing - enable when authentication is set up
|
||||
// Check if user is authenticated (you'll need to implement proper auth state)
|
||||
// const isAuthenticated = useCookie('auth-token').value
|
||||
|
||||
// if (!isAuthenticated) {
|
||||
// throw createError({
|
||||
// statusCode: 401,
|
||||
// statusMessage: 'Authentication required'
|
||||
// })
|
||||
// }
|
||||
|
||||
// TODO: Add proper role-based authorization
|
||||
// For now, we assume anyone with a valid token is an admin
|
||||
})
|
||||
export default defineNuxtRouteMiddleware(async (to) => {
|
||||
if (import.meta.server) return
|
||||
|
||||
const { isAuthenticated, memberData, checkMemberStatus } = useAuth()
|
||||
|
||||
if (!isAuthenticated.value) {
|
||||
await checkMemberStatus()
|
||||
}
|
||||
|
||||
if (!isAuthenticated.value) {
|
||||
return navigateTo('/')
|
||||
}
|
||||
|
||||
if (memberData.value?.role !== 'admin') {
|
||||
return navigateTo('/members')
|
||||
}
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue