Parallel Playwright runs (6 workers, all from 127.0.0.1) burned through the
100 req/min generalLimiter budget within the first ~30s, causing every API
call (including /api/dev/test-login and /api/dev/member-login) to return 429
for the rest of the window. Auth helper waitForURL then timed out at 45s with
no redirect ever firing — surfacing as 8 cascading test failures across
auth.spec.js, board.spec.js, and admin-members.spec.js.
The bypass mirrors the existing gate used by /api/dev/* endpoints: the env
var is opt-in and only set in development (.env) or by Playwright's
webServer config. Production never sets it, so rate limiting remains active.
The HelcimPay modal loads from secure.helcim.app, but the CSP only
listed myposjs.helcim.com (script/connect) and secure.helcim.com
(frame, likely a stale typo). Add secure.helcim.app to script-src,
connect-src, and frame-src so the join flow's payment modal can load.
The reconcile-payments cron POSTs to /api/internal/reconcile-payments with
an X-Reconcile-Token header but no csrf-token cookie/header. The CSRF
middleware was 403ing the request before the route handler could check
the shared secret — breaking Fix#6 (daily reconciliation cron).
Found while wiring the Dokploy scheduled task. The Netlify scheduled
function would have hit the same 403; nobody noticed because the site
hasn't been deployed yet.
Removing CSRF protection from /api/internal/ is safe: every route under
that prefix is machine-to-machine and gates on its own shared-secret
header. CSRF protects against browser-driven cross-origin POSTs, which
isn't the threat model for these endpoints.
Tests: 758 passing (CSRF middleware unit tests still cover the exempt
list shape).
The oidc-provider generates form actions with http:// URLs that
conflict with the CSP form-action directive. OIDC routes serve
self-contained HTML outside Nuxt, so CSP is not needed there.
The OIDC provider was falling back to config.public.appUrl for its
issuer, which could resolve to an http:// URL. This caused the logout
form action to use http://, violating the CSP form-action directive.
Hardcode the issuer fallback to https://ghostguild.org.
Add oidc-provider with MongoDB adapter so ghostguild.org can act as
the identity provider for the self-hosted Outline wiki. Members
authenticate via the existing magic-link flow, with automatic SSO
when an active session exists. Includes interaction routes, well-known
discovery endpoint, and login page.
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.
CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.
Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.
Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.
XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.
Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.
Mass assignment: Remove helcimCustomerId from profile allowedFields.
Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.
Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.
