Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)

Browse Source 
Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-17 14:56:43 +02:00
parent 805bb0464f
commit 01c45d0344
12 changed files with 163 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/auth/reset-password/[token]/page.tsx
+8 -13
View File
@@ -2,6 +2,7 @@
import { use, useState } from "react";
import { useRouter } from "next/navigation";
import { PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE } from "@capakraken/shared";
import { trpc } from "~/lib/trpc/client.js";
export default function ResetPasswordPage({ params }: { params: Promise<{ token: string }> }) {
@@ -21,8 +22,8 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
function handleSubmit(e: React.FormEvent) {
e.preventDefault();
setFormError(null);
if (password.length < 8) {
setFormError("Password must be at least 8 characters.");
if (password.length < PASSWORD_MIN_LENGTH) {
setFormError(PASSWORD_POLICY_MESSAGE);
return;
}
if (password !== confirm) {
@@ -40,9 +41,7 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
<h1 className="text-lg font-semibold text-gray-900 dark:text-gray-100 mb-2">
Password updated
</h1>
<p className="text-sm text-gray-500 mb-6">
Your password has been changed successfully.
</p>
<p className="text-sm text-gray-500 mb-6">Your password has been changed successfully.</p>
<button
type="button"
onClick={() => router.push("/auth/signin")}
@@ -59,12 +58,8 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
<div className="min-h-screen flex items-center justify-center bg-gray-50 dark:bg-gray-950 p-4">
<div className="w-full max-w-md rounded-2xl bg-white dark:bg-gray-900 shadow-lg p-8">
<div className="mb-6">
<h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">
Set a new password
</h1>
<p className="mt-1 text-sm text-gray-500">
Choose a new password for your account.
</p>
<h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">Set a new password</h1>
<p className="mt-1 text-sm text-gray-500">Choose a new password for your account.</p>
</div>
<form onSubmit={handleSubmit} className="space-y-4">
@@ -87,8 +82,8 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
value={password}
onChange={(e) => setPassword(e.target.value)}
required
minLength={8}
placeholder="At least 8 characters"
minLength={PASSWORD_MIN_LENGTH}
placeholder={`At least ${PASSWORD_MIN_LENGTH} characters`}
className="w-full rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
/>
</div>
apps/web/src/app/invite/[token]/page.tsx
+20 -11
View File
@@ -2,6 +2,7 @@
import { useState, use } from "react";
import { useRouter } from "next/navigation";
import { PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE } from "@capakraken/shared";
import { trpc } from "~/lib/trpc/client.js";
export default function AcceptInvitePage({ params }: { params: Promise<{ token: string }> }) {
@@ -13,10 +14,11 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
const [formError, setFormError] = useState<string | null>(null);
const [done, setDone] = useState(false);
const { data: invite, isLoading, error: inviteError } = trpc.invite.getInvite.useQuery(
{ token },
{ retry: false },
);
const {
data: invite,
isLoading,
error: inviteError,
} = trpc.invite.getInvite.useQuery({ token }, { retry: false });
const acceptMutation = trpc.invite.acceptInvite.useMutation({
onSuccess: () => setDone(true),
@@ -26,8 +28,14 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
async function handleSubmit(e: React.FormEvent) {
e.preventDefault();
setFormError(null);
if (password.length < 8) { setFormError("Password must be at least 8 characters."); return; }
if (password !== confirm) { setFormError("Passwords do not match."); return; }
if (password.length < PASSWORD_MIN_LENGTH) {
setFormError(PASSWORD_POLICY_MESSAGE);
return;
}
if (password !== confirm) {
setFormError("Passwords do not match.");
return;
}
await acceptMutation.mutateAsync({ token, password });
}
@@ -48,7 +56,8 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
Invite link invalid or expired
</h1>
<p className="text-sm text-gray-500">
{inviteError?.message ?? "This invite link is no longer valid. Please request a new invitation from your administrator."}
{inviteError?.message ??
"This invite link is no longer valid. Please request a new invitation from your administrator."}
</p>
</div>
</div>
@@ -82,8 +91,8 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
<div className="mb-6">
<h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">Accept invitation</h1>
<p className="mt-1 text-sm text-gray-500">
You have been invited as <strong>{invite.role}</strong> to CapaKraken.
Set a password to activate your account (<span className="font-medium">{invite.email}</span>).
You have been invited as <strong>{invite.role}</strong> to CapaKraken. Set a password to
activate your account (<span className="font-medium">{invite.email}</span>).
</p>
</div>
@@ -103,8 +112,8 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
value={password}
onChange={(e) => setPassword(e.target.value)}
required
minLength={8}
placeholder="At least 8 characters"
minLength={PASSWORD_MIN_LENGTH}
placeholder={`At least ${PASSWORD_MIN_LENGTH} characters`}
className="w-full rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
/>
</div>
apps/web/src/app/setup/SetupClient.tsx
+6 -7
View File
@@ -2,6 +2,7 @@
import { useState, useTransition } from "react";
import { useRouter } from "next/navigation";
import { PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE } from "@capakraken/shared";
import { createFirstAdmin } from "./actions.js";
export function SetupClient() {
@@ -20,8 +21,8 @@ export function SetupClient() {
e.preventDefault();
setFormError(null);
if (password.length < 8) {
setFormError("Password must be at least 8 characters.");
if (password.length < PASSWORD_MIN_LENGTH) {
setFormError(PASSWORD_POLICY_MESSAGE);
return;
}
if (password !== confirmPassword) {
@@ -73,9 +74,7 @@ export function SetupClient() {
<div className="min-h-screen flex items-center justify-center bg-gray-50 dark:bg-gray-950 p-4">
<div className="w-full max-w-md rounded-2xl bg-white dark:bg-gray-900 shadow-lg p-8">
<div className="mb-6">
<h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">
First-run setup
</h1>
<h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">First-run setup</h1>
<p className="mt-1 text-sm text-gray-500">
Create the initial administrator account for CapaKraken.
</p>
@@ -125,8 +124,8 @@ export function SetupClient() {
value={password}
onChange={(e) => setPassword(e.target.value)}
required
minLength={8}
placeholder="At least 8 characters"
minLength={PASSWORD_MIN_LENGTH}
placeholder={`At least ${PASSWORD_MIN_LENGTH} characters`}
className="w-full rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
/>
</div>
apps/web/src/app/setup/actions.ts
+13 -2
View File
@@ -1,6 +1,11 @@
"use server";
import { prisma } from "@capakraken/db";
import { SystemRole } from "@capakraken/db";
import {
PASSWORD_MAX_LENGTH,
PASSWORD_MIN_LENGTH,
PASSWORD_POLICY_MESSAGE,
} from "@capakraken/shared";
export type SetupResult =
| { success: true }
@@ -13,8 +18,14 @@ export async function createFirstAdmin(formData: {
}): Promise<SetupResult> {
// Validate
if (!formData.name.trim()) return { error: "validation", message: "Name is required." };
if (!formData.email.includes("@")) return { error: "validation", message: "Valid email required." };
if (formData.password.length < 8) return { error: "validation", message: "Password must be at least 8 characters." };
if (!formData.email.includes("@"))
return { error: "validation", message: "Valid email required." };
if (
formData.password.length < PASSWORD_MIN_LENGTH ||
formData.password.length > PASSWORD_MAX_LENGTH
) {
return { error: "validation", message: PASSWORD_POLICY_MESSAGE };
}
// TOCTOU guard — check again inside the action
const count = await prisma.user.count();