Implement OWASP ASVS L1 security remediation (Phases 0-2)

Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00 · 2026-03-01 12:53:18 +00:00 · 26c300c357
commit 26c300c357
parent 29c96a207e
41 changed files with 566 additions and 380 deletions
--- a/server/api/auth/member.get.js
+++ b/server/api/auth/member.get.js
@ -1,60 +1,30 @@
-import jwt from "jsonwebtoken";
-import Member from "../../models/member.js";
-import { connectDB } from "../../utils/mongoose.js";
+import { requireAuth } from "../../utils/auth.js";

 export default defineEventHandler(async (event) => {
-  await connectDB();
+  const member = await requireAuth(event);

-  const token = getCookie(event, "auth-token");
-  console.log("Auth check - token found:", !!token);
-
-  if (!token) {
-    console.log("No auth token found in cookies");
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Not authenticated",
-    });
-  }
-
-  try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
-    const member = await Member.findById(decoded.memberId).select("-__v");
-
-    if (!member) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: "Member not found",
-      });
-    }
-
-    return {
-      _id: member._id,
-      id: member._id,
-      email: member.email,
-      name: member.name,
-      circle: member.circle,
-      contributionTier: member.contributionTier,
-      membershipLevel: `${member.circle}-${member.contributionTier}`,
-      // Profile fields
-      pronouns: member.pronouns,
-      timeZone: member.timeZone,
-      avatar: member.avatar,
-      studio: member.studio,
-      bio: member.bio,
-      location: member.location,
-      socialLinks: member.socialLinks,
-      offering: member.offering,
-      lookingFor: member.lookingFor,
-      showInDirectory: member.showInDirectory,
-      privacy: member.privacy,
-      // Peer support
-      peerSupport: member.peerSupport,
-    };
-  } catch (err) {
-    console.error("Token verification error:", err);
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Invalid or expired token",
-    });
-  }
+  return {
+    _id: member._id,
+    id: member._id,
+    email: member.email,
+    name: member.name,
+    role: member.role || 'member',
+    circle: member.circle,
+    contributionTier: member.contributionTier,
+    membershipLevel: `${member.circle}-${member.contributionTier}`,
+    // Profile fields
+    pronouns: member.pronouns,
+    timeZone: member.timeZone,
+    avatar: member.avatar,
+    studio: member.studio,
+    bio: member.bio,
+    location: member.location,
+    socialLinks: member.socialLinks,
+    offering: member.offering,
+    lookingFor: member.lookingFor,
+    showInDirectory: member.showInDirectory,
+    privacy: member.privacy,
+    // Peer support
+    peerSupport: member.peerSupport,
+  };
 });