jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Implement OWASP ASVS L1 security remediation (Phases 0-2)

Browse source 
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.
This commit is contained in:
Jennie Robinson Faber 2026-03-01 12:53:18 +00:00
parent 29c96a207e
commit 26c300c357
41 changed files with 566 additions and 380 deletions
Download patch file Download diff file Expand all files Collapse all files

32
server/api/admin/dashboard.get.js
View file

@ -1,26 +1,13 @@
import Member from '../../models/member.js'
import Event from '../../models/event.js'
import { connectDB } from '../../utils/mongoose.js'
import jwt from 'jsonwebtoken'
import { requireAdmin } from '../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// Basic auth check
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// jwt.verify(token, config.jwtSecret)
await requireAdmin(event)
await connectDB()
// Get stats
const totalMembers = await Member.countDocuments()
const now = new Date()
@ -28,21 +15,21 @@ export default defineEventHandler(async (event) => {
startDate: { $lte: now },
endDate: { $gte: now }
})
// Calculate monthly revenue from member contributions
const members = await Member.find({}, 'contributionTier').lean()
const monthlyRevenue = members.reduce((total, member) => {
return total + parseInt(member.contributionTier || '0')
}, 0)
const pendingSlackInvites = await Member.countDocuments({ slackInvited: false })
// Get recent members (last 5)
const recentMembers = await Member.find()
.sort({ createdAt: -1 })
.limit(5)
.lean()
// Get upcoming events (next 5)
const upcomingEvents = await Event.find({
startDate: { $gte: now }
@ -50,7 +37,7 @@ export default defineEventHandler(async (event) => {
.sort({ startDate: 1 })
.limit(5)
.lean()
return {
stats: {
totalMembers,
@ -62,9 +49,10 @@ export default defineEventHandler(async (event) => {
upcomingEvents
}
} catch (error) {
if (error.statusCode) throw error
throw createError({
statusCode: 500,
statusMessage: 'Failed to fetch dashboard data'
})
}
})
})

22
server/api/admin/events.get.js
View file

@ -1,34 +1,22 @@
import Event from '../../models/event.js'
import { connectDB } from '../../utils/mongoose.js'
import jwt from 'jsonwebtoken'
import { requireAdmin } from '../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// Basic auth check - you may want to implement proper admin role checking
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// jwt.verify(token, config.jwtSecret)
await requireAdmin(event)
await connectDB()
const events = await Event.find()
.sort({ startDate: 1 })
.lean()
return events
} catch (error) {
if (error.statusCode) throw error
throw createError({
statusCode: 500,
statusMessage: 'Failed to fetch events'
})
}
})
})

18
server/api/admin/events.post.js
View file

@ -1,21 +1,10 @@
import Event from "../../models/event.js";
import { connectDB } from "../../utils/mongoose.js";
import jwt from "jsonwebtoken";
import { requireAdmin } from "../../utils/auth.js";
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// const decoded = jwt.verify(token, config.jwtSecret)
const admin = await requireAdmin(event);
const body = await readBody(event);
@ -31,7 +20,7 @@ export default defineEventHandler(async (event) => {
const eventData = {
...body,
createdBy: "admin@ghostguild.org", // TODO: Use actual authenticated user
createdBy: admin.email,
startDate: new Date(body.startDate),
endDate: new Date(body.endDate),
registrationDeadline: body.registrationDeadline
@ -67,6 +56,7 @@ export default defineEventHandler(async (event) => {
return savedEvent;
} catch (error) {
if (error.statusCode) throw error;
console.error("Error creating event:", error);
throw createError({
statusCode: 500,

22
server/api/admin/events/[id].delete.js
View file

@ -1,26 +1,15 @@
import Event from '../../../models/event.js'
import { connectDB } from '../../../utils/mongoose.js'
import jwt from 'jsonwebtoken'
import { requireAdmin } from '../../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// const decoded = jwt.verify(token, config.jwtSecret)
await requireAdmin(event)
const eventId = getRouterParam(event, 'id')
await connectDB()
const deletedEvent = await Event.findByIdAndDelete(eventId)
if (!deletedEvent) {
@ -29,13 +18,14 @@ export default defineEventHandler(async (event) => {
statusMessage: 'Event not found'
})
}
return { success: true, message: 'Event deleted successfully' }
} catch (error) {
if (error.statusCode) throw error
console.error('Error deleting event:', error)
throw createError({
statusCode: 500,
statusMessage: error.message || 'Failed to delete event'
})
}
})
})

30
server/api/admin/events/[id].get.js
View file

@ -1,47 +1,31 @@
import Event from '../../../models/event.js'
import { connectDB } from '../../../utils/mongoose.js'
import jwt from 'jsonwebtoken'
import { requireAdmin } from '../../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// const decoded = jwt.verify(token, config.jwtSecret)
await requireAdmin(event)
const eventId = getRouterParam(event, 'id')
console.log('🔍 API: Get event by ID called')
console.log('🔍 API: Event ID param:', eventId)
await connectDB()
const eventData = await Event.findById(eventId)
console.log('🔍 API: Event data found:', eventData ? 'YES' : 'NO')
console.log('🔍 API: Event data preview:', eventData ? { id: eventData._id, title: eventData.title } : null)
if (!eventData) {
console.log('❌ API: Event not found in database')
throw createError({
statusCode: 404,
statusMessage: 'Event not found'
})
}
console.log('✅ API: Returning event data')
return { data: eventData }
} catch (error) {
console.error('❌ API: Error fetching event:', error)
if (error.statusCode) throw error
console.error('Error fetching event:', error)
throw createError({
statusCode: 500,
statusMessage: error.message || 'Failed to fetch event'
})
}
})
})

26
server/api/admin/events/[id].put.js
View file

@ -1,25 +1,14 @@
import Event from '../../../models/event.js'
import { connectDB } from '../../../utils/mongoose.js'
import jwt from 'jsonwebtoken'
import { requireAdmin } from '../../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// const decoded = jwt.verify(token, config.jwtSecret)
await requireAdmin(event)
const eventId = getRouterParam(event, 'id')
const body = await readBody(event)
// Validate required fields
if (!body.title || !body.description || !body.startDate || !body.endDate) {
throw createError({
@ -29,7 +18,7 @@ export default defineEventHandler(async (event) => {
}
await connectDB()
const updateData = {
...body,
startDate: new Date(body.startDate),
@ -37,7 +26,7 @@ export default defineEventHandler(async (event) => {
registrationDeadline: body.registrationDeadline ? new Date(body.registrationDeadline) : null,
updatedAt: new Date()
}
// Handle ticket data
if (body.tickets) {
updateData.tickets = {
@ -67,13 +56,14 @@ export default defineEventHandler(async (event) => {
statusMessage: 'Event not found'
})
}
return updatedEvent
} catch (error) {
if (error.statusCode) throw error
console.error('Error updating event:', error)
throw createError({
statusCode: 500,
statusMessage: error.message || 'Failed to update event'
})
}
})
})

22
server/api/admin/members.get.js
View file

@ -1,34 +1,22 @@
import Member from '../../models/member.js'
import { connectDB } from '../../utils/mongoose.js'
import jwt from 'jsonwebtoken'
import { requireAdmin } from '../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// Basic auth check - you may want to implement proper admin role checking
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// jwt.verify(token, config.jwtSecret)
await requireAdmin(event)
await connectDB()
const members = await Member.find()
.sort({ createdAt: -1 })
.lean()
return members
} catch (error) {
if (error.statusCode) throw error
throw createError({
statusCode: 500,
statusMessage: 'Failed to fetch members'
})
}
})
})

25
server/api/admin/members.post.js
View file

@ -1,24 +1,13 @@
import Member from '../../models/member.js'
import { connectDB } from '../../utils/mongoose.js'
import jwt from 'jsonwebtoken'
import { requireAdmin } from '../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
// if (!token) {
// throw createError({
// statusCode: 401,
// statusMessage: 'Authentication required'
// })
// }
// const config = useRuntimeConfig()
// jwt.verify(token, config.jwtSecret)
await requireAdmin(event)
const body = await readBody(event)
// Validate required fields
if (!body.name || !body.email || !body.circle || !body.contributionTier) {
throw createError({
@ -28,7 +17,7 @@ export default defineEventHandler(async (event) => {
}
await connectDB()
// Check if member already exists
const existingMember = await Member.findOne({ email: body.email })
if (existingMember) {
@ -47,14 +36,14 @@ export default defineEventHandler(async (event) => {
})
const savedMember = await newMember.save()
return savedMember
} catch (error) {
if (error.statusCode) throw error
throw createError({
statusCode: 500,
statusMessage: 'Failed to create member'
})
}
})
})

2
server/api/admin/series.get.js
View file

@ -1,9 +1,11 @@
import Series from "../../models/series.js";
import Event from "../../models/event.js";
import { connectDB } from "../../utils/mongoose.js";
import { requireAdmin } from "../../utils/auth.js";
export default defineEventHandler(async (event) => {
try {
await requireAdmin(event);
await connectDB();
// Fetch all series

10
server/api/admin/series.post.js
View file

@ -1,12 +1,14 @@
import Series from '../../models/series.js'
import { connectDB } from '../../utils/mongoose.js'
import { requireAdmin } from '../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
const admin = await requireAdmin(event)
await connectDB()
const body = await readBody(event)
// Validate required fields
if (!body.id || !body.title || !body.description) {
throw createError({
@ -14,7 +16,7 @@ export default defineEventHandler(async (event) => {
statusMessage: 'Series ID, title, and description are required'
})
}
// Create new series
const newSeries = new Series({
id: body.id,
@ -22,7 +24,7 @@ export default defineEventHandler(async (event) => {
description: body.description,
type: body.type || 'workshop_series',
totalEvents: body.totalEvents || null,
createdBy: 'admin' // TODO: Get from authentication
createdBy: admin.email
})
await newSeries.save()

2
server/api/admin/series.put.js
View file

@ -1,9 +1,11 @@
import Series from '../../models/series.js'
import Event from '../../models/event.js'
import { connectDB } from '../../utils/mongoose.js'
import { requireAdmin } from '../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
await requireAdmin(event)
await connectDB()
const body = await readBody(event)

2
server/api/admin/series/[id].delete.js
View file

@ -1,9 +1,11 @@
import Series from '../../../models/series.js'
import Event from '../../../models/event.js'
import { connectDB } from '../../../utils/mongoose.js'
import { requireAdmin } from '../../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
await requireAdmin(event)
await connectDB()
const id = getRouterParam(event, 'id')

2
server/api/admin/series/[id].put.js
View file

@ -1,9 +1,11 @@
import Series from '../../../models/series.js'
import Event from '../../../models/event.js'
import { connectDB } from '../../../utils/mongoose.js'
import { requireAdmin } from '../../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
await requireAdmin(event)
await connectDB()
const id = getRouterParam(event, 'id')

2
server/api/admin/series/tickets.put.js
View file

@ -1,9 +1,11 @@
import Series from '../../../models/series.js'
import Event from '../../../models/event.js'
import { connectDB } from '../../../utils/mongoose.js'
import { requireAdmin } from '../../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
await requireAdmin(event)
await connectDB()
const body = await readBody(event)