security: close audit findings #19–#23 and harden Docker setup (#24)

#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request #20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch #21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth #22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds #23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request #24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob; run db:migrate:deploy on container start so a fresh checkout boots without manual steps Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap) Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 18:19:21 +02:00
parent fd75628e9d
commit 0e119cfe73
17 changed files with 675 additions and 44 deletions
@@ -23,6 +23,21 @@ function trackActivity(userId: string) {
 const handler = async (req: NextRequest) => {
  const session = await auth();

+  // Validate active session registry on every authenticated request.
+  // Sessions kicked by concurrent-session limits or manual logout are rejected immediately.
+  if (session?.user) {
+    const jti = (session.user as typeof session.user & { jti?: string }).jti;
+    if (jti) {
+      const activeSession = await prisma.activeSession.findUnique({ where: { jti } });
+      if (!activeSession) {
+        return new Response(JSON.stringify({ error: "Session revoked" }), {
+          status: 401,
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+    }
+  }
+
  const dbUser = session?.user?.email
    ? await prisma.user.findUnique({
        where: { email: session.user.email },