Implement OWASP ASVS L1 security remediation (Phases 0-2)

Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00 · 2026-03-01 12:53:18 +00:00 · 26c300c357
commit 26c300c357
parent 29c96a207e
41 changed files with 566 additions and 380 deletions
--- a/server/api/helcim/customer.post.js
+++ b/server/api/helcim/customer.post.js
@ -38,8 +38,6 @@ export default defineEventHandler(async (event) => {
      })
    }

-    // Debug: Log token (first few chars only)
-    console.log('Using Helcim token:', helcimToken.substring(0, 10) + '...')
    
    // Test the connection first with native fetch
    try {
@ -55,8 +53,7 @@ export default defineEventHandler(async (event) => {
        throw new Error(`HTTP ${testResponse.status}: ${testResponse.statusText}`)
      }
      
-      const testData = await testResponse.json()
-      console.log('Connection test passed:', testData)
+      await testResponse.json()
    } catch (testError) {
      console.error('Connection test failed:', testError)
      throw createError({
@ -113,18 +110,14 @@ export default defineEventHandler(async (event) => {
    )

    // Set the session cookie server-side
-    console.log('Setting auth-token cookie for member:', member.email)
-    console.log('NODE_ENV:', process.env.NODE_ENV)
    setCookie(event, 'auth-token', token, {
-      httpOnly: true, // Server-only for security
-      secure: false, // Don't require HTTPS in development
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
      maxAge: 60 * 60 * 24, // 24 hours
      path: '/',
      domain: undefined // Let browser set domain automatically
    })
-    console.log('Cookie set successfully')
-
    return {
      success: true,
      customerId: customerData.id,