security: implement tickets #28-#35 + architecture decision #30

#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s), throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit exceeded + userId key isolation. #29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for USER/VIEWER, 200 for allowed roles + xlsx format). #31 - pgAdmin credentials moved out of docker-compose.yml into env vars; PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext exposure in committed files. #34 - Server-side HTML sanitization for comment bodies via stripHtml(): strips all tags + decodes safe entities before persistence; 16 unit tests covering passthrough, injection patterns, entity decoding. #35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users without TOTP enabled; user-scoped localStorage snooze (7 days); links to /account/security; accessibility role=alert; 7 structural unit tests. #33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window; CRITICAL notification to ADMINs; fail-closed via verifyCronSecret; 10 unit tests. #32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP signal if role is enforced but TOTP not set up; signin page redirects to /account/security?mfa_required=1; settings schema + view model updated; 11 unit tests. #30 - API keys architecture decision documented in LEARNINGS.md; no code written — product decision required before implementation. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 23:25:06 +02:00
parent f8550110eb
commit 435c871e1f
22 changed files with 1071 additions and 11 deletions
@@ -0,0 +1,205 @@
+/**
+ * Unit tests for GET /api/cron/auth-anomaly-check.
+ *
+ * Tests cover:
+ *   - CRON_SECRET enforcement (fail-closed, timing-safe)
+ *   - No anomalies below threshold
+ *   - HIGH_GLOBAL_FAILURE_RATE signal when global threshold breached
+ *   - CONCENTRATED_FAILURES signal when per-entity threshold breached
+ *   - Notifications sent to admins only when anomalies exist
+ *   - No admin notification when no anomalies
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { THRESHOLDS } from "./route.js";
+
+// ─── Prisma mock ─────────────────────────────────────────────────────────────
+const auditLogFindManyMock = vi.hoisted(() => vi.fn());
+const userFindManyMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@capakraken/db", () => ({
+  prisma: {
+    auditLog: { findMany: auditLogFindManyMock },
+    user: { findMany: userFindManyMock },
+  },
+}));
+
+// ─── createNotificationsForUsers mock ─────────────────────────────────────────
+const createNotificationsMock = vi.hoisted(() => vi.fn().mockResolvedValue(undefined));
+
+vi.mock("@capakraken/api", () => ({
+  createNotificationsForUsers: createNotificationsMock,
+}));
+
+vi.mock("@capakraken/api/lib/logger", () => ({
+  logger: { warn: vi.fn(), error: vi.fn(), info: vi.fn() },
+}));
+
+// ─── cron-auth mock ───────────────────────────────────────────────────────────
+const verifyCronSecretMock = vi.hoisted(() => vi.fn());
+
+vi.mock("~/lib/cron-auth.js", () => ({
+  verifyCronSecret: verifyCronSecretMock,
+}));
+
+// ─── helpers ──────────────────────────────────────────────────────────────────
+
+function makeFailureEvent(entityId = "user_1") {
+  return { entityId, summary: "Login failed — invalid password" };
+}
+
+function makeRequest() {
+  return new Request("http://localhost/api/cron/auth-anomaly-check", {
+    headers: { Authorization: "Bearer test-secret" },
+  });
+}
+
+// ─── import after mocks ───────────────────────────────────────────────────────
+// Route is imported lazily via dynamic import inside tests so that
+// vi.mock() hoisting is guaranteed to complete first.
+async function importRoute() {
+  const mod = await import("./route.js");
+  return mod;
+}
+
+// ─── tests ────────────────────────────────────────────────────────────────────
+
+describe("GET /api/cron/auth-anomaly-check — cron secret enforcement", () => {
+  beforeEach(() => { vi.clearAllMocks(); });
+
+  it("returns 401 when verifyCronSecret denies the request", async () => {
+    const { NextResponse } = await import("next/server");
+    verifyCronSecretMock.mockReturnValue(
+      NextResponse.json({ error: "Unauthorized" }, { status: 401 }),
+    );
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(401);
+  });
+
+  it("proceeds when verifyCronSecret returns null (allowed)", async () => {
+    verifyCronSecretMock.mockReturnValue(null);
+    auditLogFindManyMock.mockResolvedValue([]);
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(200);
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — no anomalies", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("returns ok:true with zero anomalies when failures are below thresholds", async () => {
+    // Spread failures across different entities so neither the global nor the
+    // per-entity threshold is breached.
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures - 1 }, (_, i) =>
+        makeFailureEvent(`user_${i}`),
+      ),
+    );
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { ok: boolean; anomalies: unknown[] };
+    expect(res.status).toBe(200);
+    expect(body.ok).toBe(true);
+    expect(body.anomalies).toHaveLength(0);
+  });
+
+  it("does not notify admins when no anomalies are found", async () => {
+    auditLogFindManyMock.mockResolvedValue([]);
+    const { GET } = await importRoute();
+    await GET(makeRequest());
+    expect(createNotificationsMock).not.toHaveBeenCalled();
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — HIGH_GLOBAL_FAILURE_RATE", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("detects HIGH_GLOBAL_FAILURE_RATE when total failures reach the threshold", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.globalFailures }, () => makeFailureEvent("user_x")),
+    );
+    userFindManyMock.mockResolvedValue([{ id: "admin_1" }]);
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { anomalies: Array<{ type: string }> };
+    expect(body.anomalies.some((a) => a.type === "HIGH_GLOBAL_FAILURE_RATE")).toBe(true);
+  });
+
+  it("notifies admins when HIGH_GLOBAL_FAILURE_RATE is detected", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.globalFailures }, () => makeFailureEvent("user_x")),
+    );
+    userFindManyMock.mockResolvedValue([{ id: "admin_1" }]);
+    const { GET } = await importRoute();
+    await GET(makeRequest());
+    expect(createNotificationsMock).toHaveBeenCalledOnce();
+    const call = createNotificationsMock.mock.calls[0]![0] as { userIds: string[]; priority: string };
+    expect(call.userIds).toContain("admin_1");
+    expect(call.priority).toBe("CRITICAL");
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — CONCENTRATED_FAILURES", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("detects CONCENTRATED_FAILURES when per-entity failures reach the threshold", async () => {
+    // One entity hits the per-entity threshold (but total stays below global)
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures }, () => makeFailureEvent("target_user")),
+    );
+    userFindManyMock.mockResolvedValue([{ id: "admin_1" }]);
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { anomalies: Array<{ type: string; entityId: string }> };
+    const concentrated = body.anomalies.find((a) => a.type === "CONCENTRATED_FAILURES");
+    expect(concentrated).toBeDefined();
+    expect(concentrated!.entityId).toBe("target_user");
+  });
+
+  it("does not flag an entity that is below the per-entity threshold", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures - 1 }, () => makeFailureEvent("target_user")),
+    );
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { anomalies: Array<{ type: string }> };
+    expect(body.anomalies.some((a) => a.type === "CONCENTRATED_FAILURES")).toBe(false);
+  });
+
+  it("does not notify when no admins exist", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures }, () => makeFailureEvent("target_user")),
+    );
+    userFindManyMock.mockResolvedValue([]); // no admins
+    const { GET } = await importRoute();
+    await GET(makeRequest());
+    expect(createNotificationsMock).not.toHaveBeenCalled();
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — error handling", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("returns 500 when the DB query throws", async () => {
+    auditLogFindManyMock.mockRejectedValue(new Error("DB connection lost"));
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(500);
+    const body = await res.json() as { ok: boolean };
+    expect(body.ok).toBe(false);
+  });
+});
@@ -0,0 +1,148 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@capakraken/db";
+import { createNotificationsForUsers } from "@capakraken/api";
+import { logger } from "@capakraken/api/lib/logger";
+import { verifyCronSecret } from "~/lib/cron-auth.js";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+/** Window over which auth events are analysed. */
+const WINDOW_MS = 30 * 60 * 1000; // 30 minutes
+
+/**
+ * Alert thresholds — tune per deployment if needed.
+ * Exported so tests can reference them without re-declaring magic numbers.
+ */
+export const THRESHOLDS = {
+  /** Total failed login attempts in the window before alerting. */
+  globalFailures: 20,
+  /** Failed attempts attributed to a single entityId (userId / IP placeholder) before alerting. */
+  perEntityFailures: 10,
+};
+
+export interface AnomalyReport {
+  windowStartedAt: string;
+  windowEndedAt: string;
+  totalFailures: number;
+  anomalies: Array<{ type: string; count: number; entityId: string | null }>;
+}
+
+/**
+ * Analyses recent auth audit events and returns detected anomalies.
+ * Exported for unit testing without an HTTP layer.
+ */
+export async function detectAuthAnomalies(windowMs = WINDOW_MS): Promise<AnomalyReport> {
+  const windowEnd = new Date();
+  const windowStart = new Date(windowEnd.getTime() - windowMs);
+
+  const failureEvents = await prisma.auditLog.findMany({
+    where: {
+      entityType: "Auth",
+      action: "CREATE",
+      summary: { startsWith: "Login failed" },
+      createdAt: { gte: windowStart, lte: windowEnd },
+    },
+    select: {
+      entityId: true,
+      summary: true,
+    },
+  });
+
+  const anomalies: AnomalyReport["anomalies"] = [];
+
+  // Global threshold: too many failures overall
+  if (failureEvents.length >= THRESHOLDS.globalFailures) {
+    anomalies.push({
+      type: "HIGH_GLOBAL_FAILURE_RATE",
+      count: failureEvents.length,
+      entityId: null,
+    });
+  }
+
+  // Per-entity threshold: one entity accumulating failures (brute-force pattern)
+  const countByEntity = new Map<string, number>();
+  for (const event of failureEvents) {
+    if (event.entityId) {
+      countByEntity.set(event.entityId, (countByEntity.get(event.entityId) ?? 0) + 1);
+    }
+  }
+  for (const [entityId, count] of countByEntity.entries()) {
+    if (count >= THRESHOLDS.perEntityFailures) {
+      anomalies.push({
+        type: "CONCENTRATED_FAILURES",
+        count,
+        entityId,
+      });
+    }
+  }
+
+  return {
+    windowStartedAt: windowStart.toISOString(),
+    windowEndedAt: windowEnd.toISOString(),
+    totalFailures: failureEvents.length,
+    anomalies,
+  };
+}
+
+/**
+ * GET /api/cron/auth-anomaly-check
+ *
+ * Scans recent auth audit events for brute-force / anomaly patterns and
+ * alerts ADMIN users when thresholds are exceeded.
+ *
+ * Protected by CRON_SECRET. Run every 30 minutes via cron or Vercel Cron.
+ */
+export async function GET(request: Request) {
+  const deny = verifyCronSecret(request);
+  if (deny) return deny;
+
+  try {
+    const report = await detectAuthAnomalies();
+
+    if (report.anomalies.length > 0) {
+      const adminUsers = await prisma.user.findMany({
+        where: { systemRole: "ADMIN" },
+        select: { id: true },
+      });
+
+      if (adminUsers.length > 0) {
+        const summary = report.anomalies
+          .map((a) =>
+            a.entityId
+              ? `${a.type}: ${a.count} failures for entity ${a.entityId}`
+              : `${a.type}: ${a.count} total failures`,
+          )
+          .join("; ");
+
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        await createNotificationsForUsers({
+          db: prisma as any,
+          userIds: adminUsers.map((u) => u.id),
+          type: "SYSTEM_ALERT",
+          title: `Auth Anomaly Detected (${report.anomalies.length} signal${report.anomalies.length > 1 ? "s" : ""})`,
+          body: `${summary}. Window: ${report.windowStartedAt} – ${report.windowEndedAt}. Review audit logs at /admin/settings.`,
+          category: "system",
+          priority: "CRITICAL",
+          link: "/admin/settings",
+        });
+
+        logger.warn(
+          { anomalies: report.anomalies, window: { start: report.windowStartedAt, end: report.windowEndedAt } },
+          "Auth anomaly cron: anomalies detected and admins notified",
+        );
+      }
+    }
+
+    return NextResponse.json({
+      ok: true,
+      ...report,
+    });
+  } catch (error) {
+    logger.error({ error, route: "/api/cron/auth-anomaly-check" }, "Auth anomaly cron failed");
+    return NextResponse.json(
+      { ok: false, error: "Internal error" },
+      { status: 500 },
+    );
+  }
+}
@@ -0,0 +1,117 @@
+/**
+ * Unit tests for GET /api/reports/allocations — A01 role-check enforcement.
+ *
+ * Heavy dependencies (Prisma, PDF renderer, XLSX builder) are mocked so the
+ * test focuses purely on authentication and authorisation behaviour.
+ */
+
+import { describe, expect, it, vi } from "vitest";
+
+// ─── auth mock ────────────────────────────────────────────────────────────────
+const authMock = vi.hoisted(() => vi.fn());
+
+vi.mock("~/server/auth.js", () => ({ auth: authMock }));
+
+// ─── heavy dep stubs ─────────────────────────────────────────────────────────
+vi.mock("@capakraken/db", () => ({
+  prisma: {
+    demandRequirement: { findMany: vi.fn().mockResolvedValue([]) },
+    assignment: { findMany: vi.fn().mockResolvedValue([]) },
+    user: { findMany: vi.fn().mockResolvedValue([]) },
+  },
+}));
+
+vi.mock("@capakraken/application", () => ({
+  buildSplitAllocationReadModel: vi.fn().mockReturnValue({ assignments: [] }),
+}));
+
+vi.mock("@capakraken/api", () => ({
+  anonymizeResource: vi.fn((r: unknown) => r),
+  getAnonymizationDirectory: vi.fn().mockResolvedValue({}),
+}));
+
+vi.mock("@react-pdf/renderer", () => ({
+  renderToBuffer: vi.fn().mockResolvedValue(Buffer.from("PDF")),
+}));
+
+vi.mock("react", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("react")>();
+  return { ...actual, createElement: vi.fn().mockReturnValue(null) };
+});
+
+vi.mock("~/lib/workbook-export.js", () => ({
+  createWorkbookArrayBuffer: vi.fn().mockResolvedValue(new ArrayBuffer(8)),
+}));
+
+vi.mock("~/components/reports/AllocationReport.js", () => ({
+  AllocationReport: () => null,
+}));
+
+// ─── import route after mocks ─────────────────────────────────────────────────
+import { GET } from "./route.js";
+
+function makeRequest(url = "http://localhost/api/reports/allocations") {
+  return new Request(url);
+}
+
+// ─── tests ───────────────────────────────────────────────────────────────────
+
+describe("GET /api/reports/allocations — authentication", () => {
+  it("returns 401 when no session exists", async () => {
+    authMock.mockResolvedValue(null);
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(401);
+  });
+
+  it("returns 401 when session has no user", async () => {
+    authMock.mockResolvedValue({ user: null });
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(401);
+  });
+});
+
+describe("GET /api/reports/allocations — authorisation (A01)", () => {
+  it("returns 403 for USER role", async () => {
+    authMock.mockResolvedValue({ user: { email: "user@example.com", role: "USER" } });
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(403);
+  });
+
+  it("returns 403 for VIEWER role", async () => {
+    authMock.mockResolvedValue({ user: { email: "viewer@example.com", role: "VIEWER" } });
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(403);
+  });
+
+  it("returns 403 when role is absent from session", async () => {
+    authMock.mockResolvedValue({ user: { email: "noRole@example.com" } });
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(403);
+  });
+
+  it("returns 200 for ADMIN role (PDF)", async () => {
+    authMock.mockResolvedValue({ user: { email: "admin@example.com", role: "ADMIN" } });
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("pdf");
+  });
+
+  it("returns 200 for MANAGER role (PDF)", async () => {
+    authMock.mockResolvedValue({ user: { email: "mgr@example.com", role: "MANAGER" } });
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(200);
+  });
+
+  it("returns 200 for CONTROLLER role (PDF)", async () => {
+    authMock.mockResolvedValue({ user: { email: "ctrl@example.com", role: "CONTROLLER" } });
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(200);
+  });
+
+  it("returns 200 for ADMIN role with xlsx format", async () => {
+    authMock.mockResolvedValue({ user: { email: "admin@example.com", role: "ADMIN" } });
+    const res = await GET(makeRequest("http://localhost/api/reports/allocations?format=xlsx"));
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("spreadsheetml");
+  });
+});
@@ -9,12 +9,19 @@ import { auth } from "~/server/auth.js";
 import { AllocationReport } from "~/components/reports/AllocationReport.js";
 import { createWorkbookArrayBuffer } from "~/lib/workbook-export.js";

+const ALLOWED_ROLES = new Set(["ADMIN", "MANAGER", "CONTROLLER"]);
+
 export async function GET(request: Request) {
  const session = await auth();
  if (!session?.user) {
    return new NextResponse("Unauthorized", { status: 401 });
  }

+  const userRole = (session.user as { role?: string }).role;
+  if (!userRole || !ALLOWED_ROLES.has(userRole)) {
+    return new NextResponse("Forbidden", { status: 403 });
+  }
+
  const { searchParams } = new URL(request.url);
  const startDate = searchParams.get("startDate") ? new Date(searchParams.get("startDate")!) : new Date();
  const endDate = searchParams.get("endDate") ? new Date(searchParams.get("endDate")!) : new Date(Date.now() + 90 * 24 * 60 * 60 * 1000);