security: implement tickets #28-#35 + architecture decision #30

#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s), throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit exceeded + userId key isolation. #29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for USER/VIEWER, 200 for allowed roles + xlsx format). #31 - pgAdmin credentials moved out of docker-compose.yml into env vars; PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext exposure in committed files. #34 - Server-side HTML sanitization for comment bodies via stripHtml(): strips all tags + decodes safe entities before persistence; 16 unit tests covering passthrough, injection patterns, entity decoding. #35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users without TOTP enabled; user-scoped localStorage snooze (7 days); links to /account/security; accessibility role=alert; 7 structural unit tests. #33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window; CRITICAL notification to ADMINs; fail-closed via verifyCronSecret; 10 unit tests. #32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP signal if role is enforced but TOTP not set up; signin page redirects to /account/security?mfa_required=1; settings schema + view model updated; 11 unit tests. #30 - API keys architecture decision documented in LEARNINGS.md; no code written — product decision required before implementation. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 23:25:06 +02:00
parent f8550110eb
commit 435c871e1f
22 changed files with 1071 additions and 11 deletions
@@ -2,6 +2,7 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { createAuditEntry } from "../lib/audit.js";
 import { assertCommentEntityAccess, CommentEntityTypeSchema } from "../lib/comment-entity-registry.js";
+import { stripHtml } from "../lib/strip-html.js";
 import { createNotification } from "../lib/create-notification.js";
 import type { TRPCContext } from "../trpc.js";
 import {
@@ -90,7 +91,8 @@ export async function createComment(
    throw new TRPCError({ code: "UNAUTHORIZED" });
  }

-  const mentions = parseCommentMentions(input.body);
+  const sanitizedBody = stripHtml(input.body);
+  const mentions = parseCommentMentions(sanitizedBody);

  if (input.parentId) {
    const parent = await ctx.db.comment.findUnique({
@@ -118,7 +120,7 @@ export async function createComment(
      entityId: input.entityId,
      parentId: input.parentId,
      authorId,
-      body: input.body,
+      body: sanitizedBody,
      mentions,
    }),
    include: commentWithAuthorInclude,
@@ -130,7 +132,7 @@ export async function createComment(
    const notifications = buildCommentMentionNotifications({
      mentionedUserIds,
      authorName,
-      body: input.body,
+      body: sanitizedBody,
      entityId: input.entityId,
      entityType: input.entityType,
      senderId: authorId,
@@ -150,7 +152,7 @@ export async function createComment(
    db: ctx.db,
    entityType: "Comment",
    entityId: comment.id,
-    entityName: input.body.slice(0, 50),
+    entityName: sanitizedBody.slice(0, 50),
    action: "CREATE",
    ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
    after: comment as unknown as Record<string, unknown>,
@@ -65,6 +65,7 @@ export const settingsUpdateInputSchema = z.object({
  imageProvider: z.enum(["dalle", "gemini"]).optional(),
  vacationDefaultDays: z.number().int().min(0).max(365).optional(),
  timelineUndoMaxSteps: z.number().int().min(1).max(200).optional(),
+  requireMfaForRoles: z.array(z.enum(["ADMIN", "MANAGER", "CONTROLLER", "USER", "VIEWER"])).nullable().optional(),
 });

 export type SettingsUpdateInput = z.infer<typeof settingsUpdateInputSchema>;
@@ -104,6 +105,7 @@ export function buildSystemSettingsViewModel(input: {
    imageProvider?: string | null;
    vacationDefaultDays?: number | null;
    timelineUndoMaxSteps?: number | null;
+    requireMfaForRoles?: unknown;
  } | null | undefined;
  runtimeSettings: {
    azureOpenAiApiKey?: string | null;
@@ -150,6 +152,7 @@ export function buildSystemSettingsViewModel(input: {
    imageProvider: settings?.imageProvider ?? "dalle",
    vacationDefaultDays: settings?.vacationDefaultDays ?? 28,
    timelineUndoMaxSteps: settings?.timelineUndoMaxSteps ?? 50,
+    requireMfaForRoles: (settings?.requireMfaForRoles as string[] | null | undefined) ?? null,
  };
 }

@@ -196,6 +199,7 @@ export function buildSettingsUpdatePayload(input: SettingsUpdateInput): {
  if (input.imageProvider !== undefined) data.imageProvider = input.imageProvider;
  if (input.vacationDefaultDays !== undefined) data.vacationDefaultDays = input.vacationDefaultDays;
  if (input.timelineUndoMaxSteps !== undefined) data.timelineUndoMaxSteps = input.timelineUndoMaxSteps;
+  if (input.requireMfaForRoles !== undefined) data.requireMfaForRoles = input.requireMfaForRoles ?? null;

  return { data, ignoredSecretFields };
 }
@@ -8,6 +8,7 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { findUniqueOrThrow } from "../db/helpers.js";
 import { createAuditEntry } from "../lib/audit.js";
+import { totpRateLimiter } from "../middleware/rate-limit.js";
 import type { TRPCContext } from "../trpc.js";

 export const SaveDashboardLayoutInputSchema = z.object({
@@ -229,6 +230,12 @@ export async function verifyTotp(
  ctx: UserPublicContext,
  input: z.infer<typeof VerifyTotpInputSchema>,
 ) {
+  // Rate limit: max 10 attempts per 30 seconds per userId to prevent brute-force (A01-1)
+  const rl = await totpRateLimiter(input.userId);
+  if (!rl.allowed) {
+    throw new TRPCError({ code: "TOO_MANY_REQUESTS", message: "Too many TOTP attempts. Please wait before trying again." });
+  }
+
  const user = await findUniqueOrThrow(
    ctx.db.user.findUnique({
      where: { id: input.userId },