Implement OWASP ASVS L1 security remediation (Phases 0-2)
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
This commit is contained in:
parent
29c96a207e
commit
26c300c357
41 changed files with 566 additions and 380 deletions
|
|
@ -1,26 +1,13 @@
|
|||
import Member from '../../models/member.js'
|
||||
import Event from '../../models/event.js'
|
||||
import { connectDB } from '../../utils/mongoose.js'
|
||||
import jwt from 'jsonwebtoken'
|
||||
import { requireAdmin } from '../../utils/auth.js'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
try {
|
||||
// TODO: Temporarily disabled auth for testing - enable when authentication is set up
|
||||
// Basic auth check
|
||||
// const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
|
||||
|
||||
// if (!token) {
|
||||
// throw createError({
|
||||
// statusCode: 401,
|
||||
// statusMessage: 'Authentication required'
|
||||
// })
|
||||
// }
|
||||
|
||||
// const config = useRuntimeConfig()
|
||||
// jwt.verify(token, config.jwtSecret)
|
||||
|
||||
await requireAdmin(event)
|
||||
await connectDB()
|
||||
|
||||
|
||||
// Get stats
|
||||
const totalMembers = await Member.countDocuments()
|
||||
const now = new Date()
|
||||
|
|
@ -28,21 +15,21 @@ export default defineEventHandler(async (event) => {
|
|||
startDate: { $lte: now },
|
||||
endDate: { $gte: now }
|
||||
})
|
||||
|
||||
|
||||
// Calculate monthly revenue from member contributions
|
||||
const members = await Member.find({}, 'contributionTier').lean()
|
||||
const monthlyRevenue = members.reduce((total, member) => {
|
||||
return total + parseInt(member.contributionTier || '0')
|
||||
}, 0)
|
||||
|
||||
|
||||
const pendingSlackInvites = await Member.countDocuments({ slackInvited: false })
|
||||
|
||||
|
||||
// Get recent members (last 5)
|
||||
const recentMembers = await Member.find()
|
||||
.sort({ createdAt: -1 })
|
||||
.limit(5)
|
||||
.lean()
|
||||
|
||||
|
||||
// Get upcoming events (next 5)
|
||||
const upcomingEvents = await Event.find({
|
||||
startDate: { $gte: now }
|
||||
|
|
@ -50,7 +37,7 @@ export default defineEventHandler(async (event) => {
|
|||
.sort({ startDate: 1 })
|
||||
.limit(5)
|
||||
.lean()
|
||||
|
||||
|
||||
return {
|
||||
stats: {
|
||||
totalMembers,
|
||||
|
|
@ -62,9 +49,10 @@ export default defineEventHandler(async (event) => {
|
|||
upcomingEvents
|
||||
}
|
||||
} catch (error) {
|
||||
if (error.statusCode) throw error
|
||||
throw createError({
|
||||
statusCode: 500,
|
||||
statusMessage: 'Failed to fetch dashboard data'
|
||||
})
|
||||
}
|
||||
})
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue