Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)

Browse Source 
Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-17 14:56:43 +02:00
parent 805bb0464f
commit 01c45d0344
12 changed files with 163 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/shared/src/constants/index.ts
+15 -2
View File
@@ -25,7 +25,13 @@ export function averagePerWorkingDay(totalHours: number, workingDays: number): n
}
export const DAY_KEYS: readonly (keyof WeekdayAvailability)[] = [
"sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday",
"sunday",
"monday",
"tuesday",
"wednesday",
"thursday",
"friday",
"saturday",
] as const;
export function normalizeCityName(cityName?: string | null): string | null {
@@ -51,6 +57,13 @@ export const BUDGET_WARNING_THRESHOLDS = {
export const DEFAULT_WORKING_HOURS_PER_DAY = 8;
export const DEFAULT_OPENAI_MODEL = "gpt-5.4";
// Single source of truth for password policy. Server-side Zod schemas and
// client-side pre-submit validators must both import these so divergence
// (e.g. client allowing 8 chars when server requires 12) cannot recur.
export const PASSWORD_MIN_LENGTH = 12;
export const PASSWORD_MAX_LENGTH = 128;
export const PASSWORD_POLICY_MESSAGE = `Password must be at least ${PASSWORD_MIN_LENGTH} characters.`;
export const DEFAULT_AVAILABILITY = {
monday: 8,
tuesday: 8,
@@ -60,7 +73,7 @@ export const DEFAULT_AVAILABILITY = {
} as const;
export const VALUE_SCORE_WEIGHTS = {
SKILL_DEPTH: 0.30,
SKILL_DEPTH: 0.3,
SKILL_BREADTH: 0.15,
COST_EFFICIENCY: 0.25,
CHARGEABILITY: 0.15,