Implement OWASP ASVS L1 security remediation (Phases 0-2)
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
This commit is contained in:
parent
29c96a207e
commit
26c300c357
41 changed files with 566 additions and 380 deletions
46
server/middleware/01.csrf.js
Normal file
46
server/middleware/01.csrf.js
Normal file
|
|
@ -0,0 +1,46 @@
|
|||
import crypto from 'crypto'
|
||||
|
||||
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
|
||||
|
||||
// Routes exempt from CSRF (external webhooks, magic link verify)
|
||||
const EXEMPT_PREFIXES = [
|
||||
'/api/helcim/webhook',
|
||||
'/api/slack/webhook',
|
||||
'/api/auth/verify',
|
||||
]
|
||||
|
||||
function isExempt(path) {
|
||||
return EXEMPT_PREFIXES.some(prefix => path.startsWith(prefix))
|
||||
}
|
||||
|
||||
export default defineEventHandler((event) => {
|
||||
const method = getMethod(event)
|
||||
const path = getRequestURL(event).pathname
|
||||
|
||||
// Always set a CSRF token cookie if one doesn't exist
|
||||
let csrfToken = getCookie(event, 'csrf-token')
|
||||
if (!csrfToken) {
|
||||
csrfToken = crypto.randomBytes(32).toString('hex')
|
||||
setCookie(event, 'csrf-token', csrfToken, {
|
||||
httpOnly: false, // Must be readable by JS to include in requests
|
||||
secure: process.env.NODE_ENV === 'production',
|
||||
sameSite: 'lax',
|
||||
path: '/'
|
||||
})
|
||||
}
|
||||
|
||||
// Only check state-changing methods
|
||||
if (SAFE_METHODS.has(method)) return
|
||||
if (!path.startsWith('/api/')) return
|
||||
if (isExempt(path)) return
|
||||
|
||||
// Double-submit cookie check: header must match cookie
|
||||
const headerToken = getHeader(event, 'x-csrf-token')
|
||||
|
||||
if (!headerToken || headerToken !== csrfToken) {
|
||||
throw createError({
|
||||
statusCode: 403,
|
||||
statusMessage: 'CSRF token missing or invalid'
|
||||
})
|
||||
}
|
||||
})
|
||||
Loading…
Add table
Add a link
Reference in a new issue