security: implement tickets #28-#35 + architecture decision #30
#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s), throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit exceeded + userId key isolation. #29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for USER/VIEWER, 200 for allowed roles + xlsx format). #31 - pgAdmin credentials moved out of docker-compose.yml into env vars; PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext exposure in committed files. #34 - Server-side HTML sanitization for comment bodies via stripHtml(): strips all tags + decodes safe entities before persistence; 16 unit tests covering passthrough, injection patterns, entity decoding. #35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users without TOTP enabled; user-scoped localStorage snooze (7 days); links to /account/security; accessibility role=alert; 7 structural unit tests. #33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window; CRITICAL notification to ADMINs; fail-closed via verifyCronSecret; 10 unit tests. #32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP signal if role is enforced but TOTP not set up; signin page redirects to /account/security?mfa_required=1; settings schema + view model updated; 11 unit tests. #30 - API keys architecture decision documented in LEARNINGS.md; no code written — product decision required before implementation. Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
@@ -1,7 +1,11 @@
|
||||
import { redirect } from "next/navigation";
|
||||
import { prisma } from "@capakraken/db";
|
||||
import { AppShell } from "~/components/layout/AppShell.js";
|
||||
import { MfaPromptBanner } from "~/components/security/MfaPromptBanner.js";
|
||||
import { auth } from "~/server/auth.js";
|
||||
|
||||
const MFA_PROMPT_ROLES = new Set(["ADMIN", "MANAGER"]);
|
||||
|
||||
export default async function AppLayout({ children }: { children: React.ReactNode }) {
|
||||
const session = await auth();
|
||||
|
||||
@@ -9,6 +13,24 @@ export default async function AppLayout({ children }: { children: React.ReactNod
|
||||
redirect("/auth/signin");
|
||||
}
|
||||
|
||||
const userRole = (session.user as { role?: string } | undefined)?.role ?? "USER";
|
||||
return <AppShell userRole={userRole}>{children}</AppShell>;
|
||||
const sessionUser = session.user as { id?: string; email?: string; role?: string } | undefined;
|
||||
const userRole = sessionUser?.role ?? "USER";
|
||||
const userId = sessionUser?.id;
|
||||
|
||||
// Show MFA prompt banner for privileged roles that haven't enabled TOTP yet
|
||||
let showMfaPrompt = false;
|
||||
if (userId && MFA_PROMPT_ROLES.has(userRole)) {
|
||||
const user = await prisma.user.findUnique({
|
||||
where: { id: userId },
|
||||
select: { totpEnabled: true },
|
||||
});
|
||||
showMfaPrompt = user != null && !user.totpEnabled;
|
||||
}
|
||||
|
||||
return (
|
||||
<AppShell userRole={userRole}>
|
||||
{showMfaPrompt && userId && <MfaPromptBanner userId={userId} />}
|
||||
{children}
|
||||
</AppShell>
|
||||
);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user