Implement OWASP ASVS L1 security remediation (Phases 0-2)

Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00 · 2026-03-01 12:53:18 +00:00 · 26c300c357
commit 26c300c357
parent 29c96a207e
41 changed files with 566 additions and 380 deletions
--- a/server/utils/auth.js
+++ b/server/utils/auth.js
@ -0,0 +1,65 @@
+import jwt from 'jsonwebtoken'
+import Member from '../models/member.js'
+import { connectDB } from './mongoose.js'
+
+/**
+ * Verify JWT from cookie and return the decoded member.
+ * Throws 401 if token is missing or invalid.
+ */
+export async function requireAuth(event) {
+  await connectDB()
+
+  const token = getCookie(event, 'auth-token')
+
+  if (!token) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Authentication required'
+    })
+  }
+
+  let decoded
+  try {
+    decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
+  } catch (err) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Invalid or expired token'
+    })
+  }
+
+  const member = await Member.findById(decoded.memberId)
+
+  if (!member) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Member not found'
+    })
+  }
+
+  if (member.status === 'suspended' || member.status === 'cancelled') {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Account is ' + member.status
+    })
+  }
+
+  return member
+}
+
+/**
+ * Verify JWT and require admin role.
+ * Throws 401 if not authenticated, 403 if not admin.
+ */
+export async function requireAdmin(event) {
+  const member = await requireAuth(event)
+
+  if (member.role !== 'admin') {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Admin access required'
+    })
+  }
+
+  return member
+}