Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: implement tickets #28-#35 + architecture decision #30

Browse Source 
#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s),
  throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit
  exceeded + userId key isolation.

#29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may
  access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for
  USER/VIEWER, 200 for allowed roles + xlsx format).

#31 - pgAdmin credentials moved out of docker-compose.yml into env vars;
  PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext
  exposure in committed files.

#34 - Server-side HTML sanitization for comment bodies via stripHtml():
  strips all tags + decodes safe entities before persistence; 16 unit tests
  covering passthrough, injection patterns, entity decoding.

#35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users
  without TOTP enabled; user-scoped localStorage snooze (7 days); links to
  /account/security; accessibility role=alert; 7 structural unit tests.

#33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects
  HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window;
  CRITICAL notification to ADMINs; fail-closed via verifyCronSecret;
  10 unit tests.

#32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings
  schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP
  signal if role is enforced but TOTP not set up; signin page redirects to
  /account/security?mfa_required=1; settings schema + view model updated;
  11 unit tests.

#30 - API keys architecture decision documented in LEARNINGS.md; no code
  written — product decision required before implementation.

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 23:25:06 +02:00
parent f8550110eb
commit 435c871e1f
22 changed files with 1071 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/lib/strip-html.ts
+34
View File
@@ -0,0 +1,34 @@
/**
* Minimal server-side HTML stripping for plain-text inputs.
*
* Comment bodies are plain text + mention tokens (@[Name](id)).
* Any HTML tags injected by a malicious actor are removed here before
* persistence so that even consumers that skip the client-side DOMPurify
* step (email notifications, PDF reports, AI assistant responses) are safe.
*
* Algorithm:
* 1. Strip all HTML tags.
* 2. Decode a small allow-list of HTML entities to their UTF-8 equivalents.
*
* This is intentionally minimal — do not extend it to allow any tags.
*/
const HTML_ENTITIES: Record<string, string> = {
"&amp;": "&",
"&lt;": "<",
"&gt;": ">",
"&quot;": '"',
"&#39;": "'",
"&apos;": "'",
"&nbsp;": " ",
};
export function stripHtml(input: string): string {
// Remove all HTML/XML tags (including self-closing and multi-line)
const tagStripped = input.replace(/<[^>]*>/g, "");
// Decode common HTML entities
return tagStripped.replace(
/&(?:amp|lt|gt|quot|#39|apos|nbsp);/g,
(entity) => HTML_ENTITIES[entity] ?? entity,
);
}