fix(security): raise password minimum to 12 chars, hide raw error messages, add audit script
- Password validation: min(8) → min(12) across auth.ts, user-procedure-support.ts, and invite.ts (aligns with NIST SP 800-63B modern recommendations)
- Error boundary: stop rendering raw error.message, which could leak internal details; always show the generic fallback text
- Add `pnpm audit` script (--audit-level=high) for dependency vulnerability scanning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -10,12 +10,12 @@ export const CreateUserInputSchema = z.object({
|
||||
email: z.string().email(),
|
||||
name: z.string().min(1),
|
||||
systemRole: z.nativeEnum(SystemRole).default(SystemRole.USER),
|
||||
password: z.string().min(8),
|
||||
password: z.string().min(12),
|
||||
});
|
||||
|
||||
export const SetUserPasswordInputSchema = z.object({
|
||||
userId: z.string(),
|
||||
password: z.string().min(8, "Password must be at least 8 characters"),
|
||||
password: z.string().min(12, "Password must be at least 12 characters"),
|
||||
});
|
||||
|
||||
export const UpdateUserRoleInputSchema = z.object({
|
||||
|
||||
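Review bot: The new `password: z.string().min(12)` in CreateUserInputSchema carries no message, while the SetUserPasswordInputSchema line a few lines below reads `"Password must be at least 12 characters"`, so the two validation failures will surface differently to the client; use the same text, `password: z.string().min(12, "Password must be at least 12 characters"),`. Both the value 12 and the message are now repeated literally here and, per the description, in auth.ts and invite.ts, so a shared `MIN_PASSWORD_LENGTH` constant (with the message derived from it) would keep the next change from drifting. Neither schema bounds the upper length; if the password is fed to a cost-based hash, an oversized body goes straight into the hash and some algorithms silently truncate, so a `.max(…)` that still admits the 64+ characters NIST SP 800-63B recommends is worth adding — the hashing code is not visible from this hunk, so confirm which limit applies. The auth.ts and invite.ts changes named in the description are not in this section.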