Commit graph

3 commits

Author SHA1 Message Date
7a626b0a82 fix(csrf): exempt /api/internal/ from double-submit check
The reconcile-payments cron POSTs to /api/internal/reconcile-payments with
an X-Reconcile-Token header but no csrf-token cookie/header. The CSRF
middleware was 403ing the request before the route handler could check
the shared secret — breaking Fix #6 (daily reconciliation cron).

Found while wiring the Dokploy scheduled task. The Netlify scheduled
function would have hit the same 403; nobody noticed because the site
hasn't been deployed yet.

Removing CSRF protection from /api/internal/ is safe: every route under
that prefix is machine-to-machine and gates on its own shared-secret
header. CSRF protects against browser-driven cross-origin POSTs, which
isn't the threat model for these endpoints.

Tests: 758 passing (CSRF middleware unit tests still cover the exempt
list shape).
2026-04-26 13:16:11 +01:00
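The exemption described in commit 7a626b0a82, sketched as an added example (not code from this repository): a double-submit check that skips the `/api/internal/` prefix, and a handler for the exempt route that fails closed because the shared secret is now its only gate. The path, the `X-Reconcile-Token` header and the `csrf-token` name come from the commit message; the function names, the request shape and the status codes other than 403 are assumptions.

```javascript
// Added example. The path prefix, X-Reconcile-Token header and csrf-token
// cookie/header come from the commit message; all other names are hypothetical.
const CSRF_EXEMPT_PREFIXES = ['/api/internal/']; // trailing slash: /api/internalx is not exempt
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Compare two strings without returning at the first mismatching character.
// (In Node, crypto.timingSafeEqual is the standard call; this keeps the example import-free.)
function sameSecret(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length === 0 || b.length === 0) return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  return diff === 0;
}

function isCsrfExempt(rawUrl) {
  // Match on the parsed path so query strings and dot segments cannot widen the exemption.
  const path = new URL(rawUrl, 'http://localhost').pathname;
  return CSRF_EXEMPT_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Double-submit check: returns 403 to block, or null to continue to the route handler.
function csrfMiddleware(req) {
  if (SAFE_METHODS.has(req.method) || isCsrfExempt(req.url)) return null;
  return sameSecret(req.cookies['csrf-token'], req.headers['csrf-token']) ? null : 403;
}

// Handler for the exempt route: the shared secret is its only gate, so it fails closed.
function reconcileHandler(req, expectedToken) {
  if (!expectedToken) return 503; // secret not configured: refuse rather than run open
  return sameSecret(req.headers['x-reconcile-token'], expectedToken) ? 200 : 401;
}

// Middleware first, then the route; 200 stands in for any non-internal route handler.
function handle(req, expectedToken) {
  const blocked = csrfMiddleware(req);
  if (blocked) return blocked;
  return isCsrfExempt(req.url) ? reconcileHandler(req, expectedToken) : 200;
}
```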
8a529a8e7c Add OIDC provider for Outline wiki SSO
Add oidc-provider with MongoDB adapter so ghostguild.org can act as
the identity provider for the self-hosted Outline wiki. Members
authenticate via the existing magic-link flow, with automatic SSO
when an active session exists. Includes interaction routes, well-known
discovery endpoint, and login page.
2026-03-01 15:46:01 +00:00
26c300c357 Implement OWASP ASVS L1 security remediation (Phases 0-2)
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00