Implement OWASP ASVS L1 security remediation (Phases 0-2)
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
This commit is contained in:
parent
29c96a207e
commit
26c300c357
41 changed files with 566 additions and 380 deletions
65
server/middleware/03.rate-limit.js
Normal file
65
server/middleware/03.rate-limit.js
Normal file
|
|
@ -0,0 +1,65 @@
|
|||
import { RateLimiterMemory } from 'rate-limiter-flexible'
|
||||
|
||||
// Strict rate limit for auth endpoints
|
||||
const authLimiter = new RateLimiterMemory({
|
||||
points: 5, // 5 requests
|
||||
duration: 300, // per 5 minutes
|
||||
keyPrefix: 'rl_auth'
|
||||
})
|
||||
|
||||
// Moderate rate limit for payment endpoints
|
||||
const paymentLimiter = new RateLimiterMemory({
|
||||
points: 10,
|
||||
duration: 60,
|
||||
keyPrefix: 'rl_payment'
|
||||
})
|
||||
|
||||
// Light rate limit for upload endpoints
|
||||
const uploadLimiter = new RateLimiterMemory({
|
||||
points: 10,
|
||||
duration: 60,
|
||||
keyPrefix: 'rl_upload'
|
||||
})
|
||||
|
||||
// General API rate limit
|
||||
const generalLimiter = new RateLimiterMemory({
|
||||
points: 100,
|
||||
duration: 60,
|
||||
keyPrefix: 'rl_general'
|
||||
})
|
||||
|
||||
function getClientIp(event) {
|
||||
return getHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
|
||||
|| getHeader(event, 'x-real-ip')
|
||||
|| event.node.req.socket.remoteAddress
|
||||
|| 'unknown'
|
||||
}
|
||||
|
||||
const AUTH_PATHS = new Set(['/api/auth/login'])
|
||||
const PAYMENT_PREFIXES = ['/api/helcim/']
|
||||
const UPLOAD_PATHS = new Set(['/api/upload/image'])
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const path = getRequestURL(event).pathname
|
||||
if (!path.startsWith('/api/')) return
|
||||
|
||||
const ip = getClientIp(event)
|
||||
|
||||
try {
|
||||
if (AUTH_PATHS.has(path)) {
|
||||
await authLimiter.consume(ip)
|
||||
} else if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
|
||||
await paymentLimiter.consume(ip)
|
||||
} else if (UPLOAD_PATHS.has(path)) {
|
||||
await uploadLimiter.consume(ip)
|
||||
} else {
|
||||
await generalLimiter.consume(ip)
|
||||
}
|
||||
} catch (rateLimiterRes) {
|
||||
setHeader(event, 'Retry-After', Math.ceil(rateLimiterRes.msBeforeNext / 1000))
|
||||
throw createError({
|
||||
statusCode: 429,
|
||||
statusMessage: 'Too many requests. Please try again later.'
|
||||
})
|
||||
}
|
||||
})
|
||||
Loading…
Add table
Add a link
Reference in a new issue