Implement OWASP ASVS L1 security remediation (Phases 0-2)

Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.

server/middleware/01.csrf.js

@@ -0,0 +1,46 @@
+import crypto from 'crypto'
+
+const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
+
+// Routes exempt from CSRF (external webhooks, magic link verify)
+const EXEMPT_PREFIXES = [
+  '/api/helcim/webhook',
+  '/api/slack/webhook',
+  '/api/auth/verify',
+]
+
+function isExempt(path) {
+  return EXEMPT_PREFIXES.some(prefix => path.startsWith(prefix))
+}
+
+export default defineEventHandler((event) => {
+  const method = getMethod(event)
+  const path = getRequestURL(event).pathname
+
+  // Always set a CSRF token cookie if one doesn't exist
+  let csrfToken = getCookie(event, 'csrf-token')
+  if (!csrfToken) {
+    csrfToken = crypto.randomBytes(32).toString('hex')
+    setCookie(event, 'csrf-token', csrfToken, {
+      httpOnly: false, // Must be readable by JS to include in requests
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      path: '/'
+    })
+  }
+
+  // Only check state-changing methods
+  if (SAFE_METHODS.has(method)) return
+  if (!path.startsWith('/api/')) return
+  if (isExempt(path)) return
+
+  // Double-submit cookie check: header must match cookie
+  const headerToken = getHeader(event, 'x-csrf-token')
+
+  if (!headerToken || headerToken !== csrfToken) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'CSRF token missing or invalid'
+    })
+  }
+})

server/middleware/02.security-headers.js

@@ -0,0 +1,30 @@
+export default defineEventHandler((event) => {
+  const headers = {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'DENY',
+    'X-XSS-Protection': '0',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
+  }
+
+  if (process.env.NODE_ENV === 'production') {
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
+
+    // CSP: allow self, Cloudinary images, HelcimPay.js, Plausible analytics
+    headers['Content-Security-Policy'] = [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
+      "style-src 'self' 'unsafe-inline'",
+      "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
+      "font-src 'self'",
+      "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
+      "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
+      "base-uri 'self'",
+      "form-action 'self'",
+    ].join('; ')
+  }
+
+  for (const [key, value] of Object.entries(headers)) {
+    setHeader(event, key, value)
+  }
+})

server/middleware/03.rate-limit.js

@@ -0,0 +1,65 @@
+import { RateLimiterMemory } from 'rate-limiter-flexible'
+
+// Strict rate limit for auth endpoints
+const authLimiter = new RateLimiterMemory({
+  points: 5,     // 5 requests
+  duration: 300, // per 5 minutes
+  keyPrefix: 'rl_auth'
+})
+
+// Moderate rate limit for payment endpoints
+const paymentLimiter = new RateLimiterMemory({
+  points: 10,
+  duration: 60,
+  keyPrefix: 'rl_payment'
+})
+
+// Light rate limit for upload endpoints
+const uploadLimiter = new RateLimiterMemory({
+  points: 10,
+  duration: 60,
+  keyPrefix: 'rl_upload'
+})
+
+// General API rate limit
+const generalLimiter = new RateLimiterMemory({
+  points: 100,
+  duration: 60,
+  keyPrefix: 'rl_general'
+})
+
+function getClientIp(event) {
+  return getHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
+    || getHeader(event, 'x-real-ip')
+    || event.node.req.socket.remoteAddress
+    || 'unknown'
+}
+
+const AUTH_PATHS = new Set(['/api/auth/login'])
+const PAYMENT_PREFIXES = ['/api/helcim/']
+const UPLOAD_PATHS = new Set(['/api/upload/image'])
+
+export default defineEventHandler(async (event) => {
+  const path = getRequestURL(event).pathname
+  if (!path.startsWith('/api/')) return
+
+  const ip = getClientIp(event)
+
+  try {
+    if (AUTH_PATHS.has(path)) {
+      await authLimiter.consume(ip)
+    } else if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
+      await paymentLimiter.consume(ip)
+    } else if (UPLOAD_PATHS.has(path)) {
+      await uploadLimiter.consume(ip)
+    } else {
+      await generalLimiter.consume(ip)
+    }
+  } catch (rateLimiterRes) {
+    setHeader(event, 'Retry-After', Math.ceil(rateLimiterRes.msBeforeNext / 1000))
+    throw createError({
+      statusCode: 429,
+      statusMessage: 'Too many requests. Please try again later.'
+    })
+  }
+})