- Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model.
- CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes.
- Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only.
- Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP.
- XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation.
- Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components.
- Mass assignment: Remove helcimCustomerId from profile allowedFields.
- Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.
- Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
| Path |
|---|
| app |
| assets/css |
| docs |
| plugins |
| public |
| scripts |
| server |
| tests |
| .env.example |
| .gitignore |
| CLAUDE.md |
| debug-token.js |
| Dockerfile |
| eslint.config.mjs |
| nuxt.config.ts |
| package-lock.json |
| package.json |
| slack-app-manifest.yaml |
| test-helcim-direct.js |
| tsconfig.json |
| vitest.config.js |