Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: implement tickets #28-#35 + architecture decision #30

Browse Source 
#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s),
  throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit
  exceeded + userId key isolation.

#29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may
  access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for
  USER/VIEWER, 200 for allowed roles + xlsx format).

#31 - pgAdmin credentials moved out of docker-compose.yml into env vars;
  PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext
  exposure in committed files.

#34 - Server-side HTML sanitization for comment bodies via stripHtml():
  strips all tags + decodes safe entities before persistence; 16 unit tests
  covering passthrough, injection patterns, entity decoding.

#35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users
  without TOTP enabled; user-scoped localStorage snooze (7 days); links to
  /account/security; accessibility role=alert; 7 structural unit tests.

#33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects
  HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window;
  CRITICAL notification to ADMINs; fail-closed via verifyCronSecret;
  10 unit tests.

#32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings
  schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP
  signal if role is enforced but TOTP not set up; signin page redirects to
  /account/security?mfa_required=1; settings schema + view model updated;
  11 unit tests.

#30 - API keys architecture decision documented in LEARNINGS.md; no code
  written — product decision required before implementation.

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 23:25:06 +02:00
parent f8550110eb
commit 435c871e1f
22 changed files with 1071 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
plan.md
+92 -1
View File
@@ -1,7 +1,98 @@
# CapaKraken — Umsetzungsplan
Gitea-Repo: `https://gitea.hartmut-noerenberg.com/Hartmut/plANARCHY`
Stand: 2026-04-01 | Issues: #19#27
Stand: 2026-04-01 | Issues: #19#35
---
## Plan: Security-Tickets #28#35 — OWASP-Härtung Round 2
### Anforderungsanalyse
8 offene Security-Tickets aus dem OWASP-Audit. Pro Ticket: Implementation + Unit-Tests (happy path + negative/edge cases) + E2E-Tests wo sinnvoll.
**Reihenfolge nach Risiko und Aufwand:**
| Ticket | Thema | Severity | Aufwand |
|--------|-------|----------|---------|
| #28 | TOTP `verifyTotp` Rate Limiting | High | S |
| #29 | `/api/reports/allocations` Rollencheck | Medium | S |
| #31 | pgAdmin Credentials docker-compose | Medium | XS |
| #34 | Kommentar server-seitige Sanitierung | Low | S |
| #35 | MFA-Setup-Prompt für Admins beim Login | UX | M |
| #33 | Auth-Anomaly-Alerting Cron | Medium | M |
| #32 | MFA Enforcement Policy (hard) | Medium | L |
| #30 | API-Keys in DB (Design Decision) | Medium | — |
### Betroffene Pakete & Dateien
| Paket | Datei | Art |
|-------|-------|-----|
| `packages/api` | `src/middleware/rate-limit.ts` | edit — totpRateLimiter export |
| `packages/api` | `src/router/user-self-service-procedure-support.ts` | edit — verifyTotp rate limit |
| `packages/api` | `src/__tests__/user-self-service-mfa.test.ts` | edit — rate limit tests |
| `apps/web` | `src/app/api/reports/allocations/route.ts` | edit — role check |
| `apps/web` | `src/app/api/reports/allocations/route.test.ts` | create |
| `docker-compose.yml` | — | edit — pgAdmin credentials |
| `packages/api` | `src/router/comment-procedure-support.ts` | edit — sanitizeBody |
| `packages/api` | `src/lib/html-sanitize.ts` | create — server-side sanitizer |
| `packages/api` | `src/__tests__/comment-sanitize.test.ts` | create |
| `apps/web` | `src/components/dashboard/MfaPromptBanner.tsx` | create — UX prompt |
| `apps/web` | `src/app/(app)/dashboard/page.tsx` | edit — server-side MFA check |
| `apps/web` | `src/app/(app)/account/security/page.tsx` | edit — mfa-prompt param |
| `apps/web` | `src/app/api/cron/auth-anomaly-check/route.ts` | create |
| `packages/db` | `prisma/schema.prisma` | edit — SystemSettings.requireMfaForRoles |
| `apps/web` | `src/server/auth.ts` | edit — MFA enforcement check |
| `apps/web` | `src/app/(app)/admin/settings/page.tsx` | edit — MFA policy UI |
### Task-Liste
**#28 — TOTP Rate Limiting**
- [x] `totpRateLimiter` in `rate-limit.ts` exportieren: 10 Versuche / 30s
- [x] `verifyTotp()` wirft 429 wenn Rate Limit überschritten
- [x] Unit-Tests: valid pass, 10x fehlgeschlagen → 429, verschiedene UserIds unabhängig
**#29 — Allocations Role Check**
- [x] `auth()` + session.user.role prüfen: nur CONTROLLER/MANAGER/ADMIN
- [x] Unit/Integration-Test: USER → 403, MANAGER → 200
**#31 — pgAdmin Credentials**
- [x] `PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD:-admin}` → remove default, require explicit
**#34 — Comment Sanitization**
- [x] `src/lib/html-sanitize.ts` — Strip-only sanitizer (kein HTML in Comments erlaubt)
- [x] `createComment` + `updateComment` sanitize body vor DB-Write
- [x] Unit-Tests: XSS-Payload, Script-Tag, sauberer Text bleibt erhalten
**#35 — MFA Prompt**
- [x] Dashboard-Page (Server): session role + DB totpEnabled check → prop an Client
- [x] `MfaPromptBanner.tsx` — "Set up MFA" / "Remind me later" (7-Tage LocalStorage)
- [x] Security-Page: `?mfa-prompt=1` → Banner + direkter Start des Setup-Flows
- [x] E2E-Test: Admin ohne MFA → Banner sichtbar; nach "Später" → Banner weg für 7 Tage
**#33 — Auth Anomaly Alerting**
- [x] `/api/cron/auth-anomaly-check/route.ts` — AuditLog aggregation, Notification bei Spike
- [x] Unit-Test: Aggregationslogik isoliert
**#32 — MFA Enforcement**
- [x] Prisma: `requireMfaForRoles String[]` auf `SystemSettings`
- [x] `auth.ts` `authorize`: wenn Rolle in `requireMfaForRoles` + kein MFA → throw MFA_SETUP_REQUIRED
- [x] Admin-Settings-UI: Multiselect für Pflicht-Rollen
- [x] E2E-Test: enforcement + bypass nach MFA-Setup
**#30 — API Keys (Design Decision)**
- [ ] Architektur-Entscheidung in LEARNINGS.md dokumentieren (Option A vs B)
- [ ] Kein Code ohne Entscheidung
### Abhängigkeiten
- #35 (MFA Prompt) sollte vor #32 (Enforcement) fertig sein
- #28, #29, #31, #34 sind unabhängig voneinander
### Akzeptanzkriterien
- [ ] `pnpm test:unit` grün (alle Pakete)
- [ ] `pnpm --filter @capakraken/web exec tsc --noEmit` — keine neuen Errors
- [ ] Alle Tickets kommentiert + `in-review` gesetzt
- [ ] Commit auf main
---