(null);
async function handleSubmit(e: React.FormEvent) {
e.preventDefault();
@@ -19,11 +22,35 @@ export default function SignInPage() {
const result = await signIn("credentials", {
email,
password,
+ ...(mfaRequired ? { totp } : {}),
redirect: false,
});
if (result?.error) {
- setError("Invalid email or password");
+ // Auth.js wraps authorize() errors in the error field
+ if (result.error.includes("MFA_REQUIRED")) {
+ setMfaRequired(true);
+ setLoading(false);
+ // Focus the TOTP input after render
+ setTimeout(() => totpInputRef.current?.focus(), 100);
+ return;
+ }
+ if (result.error.includes("INVALID_TOTP")) {
+ setError("Invalid verification code. Please try again.");
+ setTotp("");
+ setLoading(false);
+ return;
+ }
+ if (result.error.includes("Too many login attempts")) {
+ setError("Too many login attempts. Please try again later.");
+ } else {
+ setError("Invalid email or password");
+ }
+ // Reset MFA state on credential error
+ if (mfaRequired) {
+ setMfaRequired(false);
+ setTotp("");
+ }
} else {
router.push("/dashboard");
}
@@ -31,6 +58,12 @@ export default function SignInPage() {
setLoading(false);
}
+ function handleBackToLogin() {
+ setMfaRequired(false);
+ setTotp("");
+ setError("");
+ }
+
return (
@@ -66,8 +99,14 @@ export default function SignInPage() {
Welcome Back
-
Sign in to CapaKraken
-
Resource Planning, staffing, and forecasting.
+
+ {mfaRequired ? "Two-Factor Authentication" : "Sign in to CapaKraken"}
+
+
+ {mfaRequired
+ ? "Enter the 6-digit code from your authenticator app."
+ : "Resource Planning, staffing, and forecasting."}
+
)}
-
-
- Email
-
-
+ {!mfaRequired && (
+ <>
+
+
+ Email
+
+
-
-
- Password
-
-
+
+
+ Password
+
+
+
+ )}
+
+ {mfaRequired && (
+
+
+ Verification Code
+
+
setTotp(e.target.value.replace(/\D/g, "").slice(0, 6))}
+ className="app-input text-center text-2xl font-mono tracking-[0.4em]"
+ placeholder="000000"
+ required
+ />
+
+ Open your authenticator app (e.g. Google Authenticator, Authy) and enter the current code.
+
+
+ )}
- {loading ? "Signing in..." : "Sign in"}
+ {loading ? "Signing in..." : mfaRequired ? "Verify" : "Sign in"}
+
+ {mfaRequired && (
+
+ Back to login
+
+ )}
diff --git a/apps/web/src/components/admin/SystemSettingsClient.tsx b/apps/web/src/components/admin/SystemSettingsClient.tsx
index 20e91cc..0b5774d 100644
--- a/apps/web/src/components/admin/SystemSettingsClient.tsx
+++ b/apps/web/src/components/admin/SystemSettingsClient.tsx
@@ -1142,6 +1142,7 @@ export function SystemSettingsClient() {
value={dalleApiKey}
onChange={(e) => setDalleApiKey(e.target.value)}
placeholder="Leave empty to use same API key as chat"
+ autoComplete="new-password"
/>
@@ -1170,6 +1171,7 @@ export function SystemSettingsClient() {
value={geminiApiKey}
onChange={(e) => setGeminiApiKey(e.target.value)}
placeholder={settings?.hasGeminiApiKey ? "•••••••• (key is stored)" : "Enter Gemini API key"}
+ autoComplete="new-password"
/>
{settings?.hasGeminiApiKey && !geminiApiKey && (
API key is stored.
diff --git a/apps/web/src/components/admin/UsersClient.tsx b/apps/web/src/components/admin/UsersClient.tsx
index 4e0aec9..042a19d 100644
--- a/apps/web/src/components/admin/UsersClient.tsx
+++ b/apps/web/src/components/admin/UsersClient.tsx
@@ -61,6 +61,7 @@ type UserRow = {
lastLoginAt: Date | null;
lastActiveAt: Date | null;
permissionOverrides: PermissionOverrides | null;
+ totpEnabled: boolean;
};
type EditState = {
@@ -196,6 +197,14 @@ export function UsersClient() {
onError: (err) => setActionError(err.message),
});
+ const disableTotpMutation = trpc.user.disableTotp.useMutation({
+ onSuccess: async () => {
+ await utils.user.list.invalidate();
+ setActionError(null);
+ },
+ onError: (err) => setActionError(err.message),
+ });
+
function openSetPassword(user: UserRow) {
setPasswordTarget({ userId: user.id, userName: user.name ?? user.email });
setNewPassword("");
@@ -519,17 +528,24 @@ export function UsersClient() {
- {isOnline(user) ? (
-
-
- ) : (
-
-
- )}
+
+ {isOnline(user) ? (
+
+
+ ) : (
+
+
+ )}
+ {user.totpEnabled && (
+
+ MFA
+
+ )}
+
{formatRelativeTime(user.lastLoginAt)}
@@ -550,6 +566,24 @@ export function UsersClient() {
Password
+ {user.totpEnabled && (
+ {
+ if (confirm(`Disable MFA for ${user.name ?? user.email}?`)) {
+ void disableTotpMutation.mutateAsync({ userId: user.id });
+ }
+ }}
+ disabled={disableTotpMutation.isPending}
+ className="inline-flex items-center gap-1 text-xs text-amber-600 hover:text-amber-800 dark:text-amber-400 dark:hover:text-amber-300 font-medium"
+ title="Disable TOTP MFA for this user"
+ >
+
+
+ Disable MFA
+
+ )}
openEdit(user)}
@@ -700,6 +734,7 @@ export function UsersClient() {
onChange={(e) => setCreateState({ ...createState, password: e.target.value })}
placeholder="Min. 8 characters"
className="border border-gray-300 dark:border-gray-600 rounded-lg px-3 py-2 text-sm w-full bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
+ autoComplete="new-password"
/>
diff --git a/apps/web/src/components/admin/WebhooksClient.tsx b/apps/web/src/components/admin/WebhooksClient.tsx
index 48c2f01..469ebdb 100644
--- a/apps/web/src/components/admin/WebhooksClient.tsx
+++ b/apps/web/src/components/admin/WebhooksClient.tsx
@@ -344,6 +344,7 @@ export function WebhooksClient() {
value={form.secret}
onChange={(e) => setForm((prev) => ({ ...prev, secret: e.target.value }))}
placeholder="HMAC signing secret"
+ autoComplete="new-password"
/>
If set, requests include an X-Webhook-Signature header (HMAC-SHA256).
diff --git a/apps/web/src/components/comments/CommentThread.tsx b/apps/web/src/components/comments/CommentThread.tsx
index 06ed9cc..f03bb0d 100644
--- a/apps/web/src/components/comments/CommentThread.tsx
+++ b/apps/web/src/components/comments/CommentThread.tsx
@@ -5,6 +5,7 @@ import { clsx } from "clsx";
import { trpc } from "~/lib/trpc/client.js";
import { ConfirmDialog } from "~/components/ui/ConfirmDialog.js";
import { CommentInput } from "./CommentInput.js";
+import { sanitizeHtml } from "~/lib/sanitize.js";
interface CommentAuthor {
id: string;
@@ -72,21 +73,22 @@ function AuthorAvatar({ author }: { author: CommentAuthor }) {
* Transforms @[Name](userId) into styled spans.
*/
function CommentBody({ body }: { body: string }) {
+ const cleanBody = sanitizeHtml(body);
const parts: Array<{ type: "text" | "mention"; value: string }> = [];
const regex = /@\[([^\]]+)\]\([^)]+\)/g;
let lastIndex = 0;
let match: RegExpExecArray | null;
- while ((match = regex.exec(body)) !== null) {
+ while ((match = regex.exec(cleanBody)) !== null) {
if (match.index > lastIndex) {
- parts.push({ type: "text", value: body.slice(lastIndex, match.index) });
+ parts.push({ type: "text", value: cleanBody.slice(lastIndex, match.index) });
}
parts.push({ type: "mention", value: `@${match[1]}` });
lastIndex = match.index + match[0].length;
}
- if (lastIndex < body.length) {
- parts.push({ type: "text", value: body.slice(lastIndex) });
+ if (lastIndex < cleanBody.length) {
+ parts.push({ type: "text", value: cleanBody.slice(lastIndex) });
}
return (
diff --git a/apps/web/src/components/layout/AppShell.tsx b/apps/web/src/components/layout/AppShell.tsx
index 9db18a3..b59989d 100644
--- a/apps/web/src/components/layout/AppShell.tsx
+++ b/apps/web/src/components/layout/AppShell.tsx
@@ -112,6 +112,9 @@ function UsersIcon() {
function SystemRolesIcon() {
return ("idle");
+ const [secret, setSecret] = useState("");
+ const [uri, setUri] = useState("");
+ const [token, setToken] = useState("");
+ const [error, setError] = useState(null);
+ const [success, setSuccess] = useState(null);
+
+ const { data: mfaStatus, refetch } = trpc.user.getMfaStatus.useQuery();
+ const generateMutation = trpc.user.generateTotpSecret.useMutation();
+ const verifyMutation = trpc.user.verifyAndEnableTotp.useMutation();
+
+ async function handleGenerate() {
+ setError(null);
+ try {
+ const result = await generateMutation.mutateAsync();
+ setSecret(result.secret);
+ setUri(result.uri);
+ setStep("show-secret");
+ } catch (err) {
+ setError(err instanceof Error ? err.message : "Failed to generate TOTP secret");
+ }
+ }
+
+ async function handleVerify() {
+ setError(null);
+ try {
+ await verifyMutation.mutateAsync({ token });
+ setStep("done");
+ setSuccess("MFA has been enabled successfully.");
+ setSecret("");
+ setUri("");
+ setToken("");
+ await refetch();
+ } catch (err) {
+ setError(err instanceof Error ? err.message : "Verification failed");
+ }
+ }
+
+ if (mfaStatus?.totpEnabled && step !== "done") {
+ return (
+
+
+
+
+
MFA Enabled
+
+ Two-factor authentication is active on your account.
+
+
+
+
+ {error && (
+
+ {error}
+
+ )}
+ {success && (
+
+ {success}
+
+ )}
+
+ {step === "idle" && (
+
+
+
+
+
Two-Factor Authentication (TOTP)
+
+ Add an extra layer of security by requiring a code from your authenticator app when signing in.
+
+
+ {generateMutation.isPending ? "Generating..." : "Set up MFA"}
+
+
+
+
+ )}
+
+ {step === "show-secret" && (
+
+
Step 1: Scan the QR code
+
+ Scan this QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.).
+
+
+ {/* QR Code via public Google Charts API (otpauth URI) */}
+
+
+ {/* eslint-disable-next-line @next/next/no-img-element */}
+
+
+
+
+
+
+ Or enter this key manually:
+
+
+ {secret}
+
+
+
+
{ setStep("verify"); setError(null); }}
+ className="inline-flex items-center gap-2 rounded-lg bg-brand-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-brand-700 transition-colors"
+ >
+ Continue
+
+
+ )}
+
+ {step === "verify" && (
+
+
Step 2: Verify your code
+
+ Enter the 6-digit code from your authenticator app to confirm setup.
+
+
+
+
+ Verification Code
+
+
+
+
+
+ {verifyMutation.isPending ? "Verifying..." : "Enable MFA"}
+
+ { setStep("show-secret"); setToken(""); setError(null); }}
+ className="text-sm text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200"
+ >
+ Back
+
+
+
+ )}
+
(
+ provider: string,
+ model: string,
+ promptLength: number,
+ fn: () => Promise,
+): Promise {
+ const start = performance.now();
+ try {
+ const result = await fn();
+ const responseTimeMs = Math.round(performance.now() - start);
+ logger.info({ provider, model, promptLength, responseTimeMs }, "External API call");
+ return result;
+ } catch (err) {
+ const responseTimeMs = Math.round(performance.now() - start);
+ const errorMessage = err instanceof Error ? err.message : String(err);
+ logger.warn({ provider, model, promptLength, responseTimeMs, errorMessage }, "External API call failed");
+ throw err;
+ }
+}
+
/** Turns raw API errors into actionable human-readable messages. */
export function parseAiError(err: unknown): string {
const msg = err instanceof Error ? err.message : String(err);
diff --git a/packages/api/src/gemini-client.ts b/packages/api/src/gemini-client.ts
index d84757a..25a550e 100644
--- a/packages/api/src/gemini-client.ts
+++ b/packages/api/src/gemini-client.ts
@@ -1,3 +1,5 @@
+import { logger } from "./lib/logger.js";
+
type GeminiSettings = {
geminiApiKey?: string | null;
geminiModel?: string | null;
@@ -18,6 +20,7 @@ export async function generateGeminiImage(
model = "gemini-2.5-flash-image",
): Promise {
const fullPrompt = `Generate a professional, cinematic cover image for a 3D production project. ${prompt}`;
+ const start = performance.now();
const response = await fetch(
`https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent?key=${apiKey}`,
@@ -32,6 +35,7 @@ export async function generateGeminiImage(
);
if (!response.ok) {
+ const responseTimeMs = Math.round(performance.now() - start);
const body = await response.text();
let msg = body;
try {
@@ -40,6 +44,7 @@ export async function generateGeminiImage(
} catch {
/* keep raw */
}
+ logger.warn({ provider: "gemini", model, promptLength: fullPrompt.length, responseTimeMs, status: response.status }, "External API call failed");
throw new Error(`HTTP ${response.status}: ${msg}`);
}
@@ -62,6 +67,9 @@ export async function generateGeminiImage(
throw new Error("No image data returned from Gemini");
}
+ const responseTimeMs = Math.round(performance.now() - start);
+ logger.info({ provider: "gemini", model, promptLength: fullPrompt.length, responseTimeMs }, "External API call");
+
const base64 = imagePart.inlineData.data;
const mimeType = imagePart.inlineData.mimeType ?? "image/png";
return `data:${mimeType};base64,${base64}`;
diff --git a/packages/api/src/index.ts b/packages/api/src/index.ts
index 16fdccb..8f85e4b 100644
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@@ -11,3 +11,4 @@ export { checkVacationConflicts, checkBatchVacationConflicts } from "./lib/vacat
export { lookupRate, type RateCardLookupParams, type RateCardLookupResult } from "./lib/rate-card-lookup.js";
export { autoImportPublicHolidays, type AutoImportResult } from "./lib/holiday-auto-import.js";
export { createAuditEntry, computeDiff, generateSummary } from "./lib/audit.js";
+export { loggedAiCall } from "./ai-client.js";
diff --git a/packages/api/src/lib/image-validation.ts b/packages/api/src/lib/image-validation.ts
new file mode 100644
index 0000000..ac675f3
--- /dev/null
+++ b/packages/api/src/lib/image-validation.ts
@@ -0,0 +1,78 @@
+/**
+ * Validates that the actual bytes of a base64-encoded image match its declared MIME type.
+ * This prevents attackers from uploading malicious files with a spoofed extension/MIME.
+ */
+
+interface MagicSignature {
+ mimeType: string;
+ bytes: number[];
+}
+
+const SIGNATURES: MagicSignature[] = [
+ { mimeType: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47] }, // .PNG
+ { mimeType: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
+ { mimeType: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46] }, // RIFF (WebP starts with RIFF....WEBP)
+ { mimeType: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] }, // GIF8
+ { mimeType: "image/bmp", bytes: [0x42, 0x4d] }, // BM
+ { mimeType: "image/tiff", bytes: [0x49, 0x49, 0x2a, 0x00] }, // Little-endian TIFF
+ { mimeType: "image/tiff", bytes: [0x4d, 0x4d, 0x00, 0x2a] }, // Big-endian TIFF
+];
+
+/**
+ * Detects the actual MIME type of a binary buffer by checking magic bytes.
+ * Returns null if no known image signature matches.
+ */
+export function detectImageMime(buffer: Uint8Array): string | null {
+ for (const sig of SIGNATURES) {
+ if (buffer.length >= sig.bytes.length && sig.bytes.every((b, i) => buffer[i] === b)) {
+ // Extra check for WebP: bytes 8-11 must be "WEBP"
+ if (sig.mimeType === "image/webp") {
+ if (buffer.length < 12) continue;
+ const webpTag = String.fromCharCode(buffer[8]!, buffer[9]!, buffer[10]!, buffer[11]!);
+ if (webpTag !== "WEBP") continue;
+ }
+ return sig.mimeType;
+ }
+ }
+ return null;
+}
+
+/**
+ * Validates a data URL by comparing its declared MIME type against the actual magic bytes.
+ * Returns { valid: true } or { valid: false, reason: string }.
+ */
+export function validateImageDataUrl(dataUrl: string): { valid: true } | { valid: false; reason: string } {
+ // Parse the data URL
+ const match = dataUrl.match(/^data:(image\/[a-z+]+);base64,(.+)$/i);
+ if (!match) {
+ return { valid: false, reason: "Not a valid base64 image data URL." };
+ }
+
+ const declaredMime = match[1]!.toLowerCase();
+ const base64 = match[2]!;
+
+ // Decode at least the first 16 bytes for signature checking
+ let buffer: Uint8Array;
+ try {
+ const chunk = base64.slice(0, 24); // 24 base64 chars = 18 bytes, more than enough
+ buffer = Uint8Array.from(atob(chunk), (c) => c.charCodeAt(0));
+ } catch {
+ return { valid: false, reason: "Invalid base64 encoding." };
+ }
+
+ const actualMime = detectImageMime(buffer);
+ if (!actualMime) {
+ return { valid: false, reason: "File content does not match any known image format." };
+ }
+
+ // Allow JPEG variants (image/jpeg matches image/jpg header)
+ const normalize = (m: string) => m.replace("image/jpg", "image/jpeg");
+ if (normalize(declaredMime) !== normalize(actualMime)) {
+ return {
+ valid: false,
+ reason: `MIME type mismatch: declared "${declaredMime}" but actual content is "${actualMime}".`,
+ };
+ }
+
+ return { valid: true };
+}
diff --git a/packages/api/src/middleware/logging.ts b/packages/api/src/middleware/logging.ts
index 2568c48..e03222c 100644
--- a/packages/api/src/middleware/logging.ts
+++ b/packages/api/src/middleware/logging.ts
@@ -54,10 +54,18 @@ export async function loggingMiddleware(opts: {
const errorMessage =
error instanceof Error ? error.message : "Unknown error";
- logger.error(
- { ...logBase, durationMs, status: "error" as const, errorCode, errorMessage },
- "tRPC call failed",
- );
+ // Log input validation failures at warn level (not error)
+ if (errorCode === "BAD_REQUEST") {
+ logger.warn(
+ { ...logBase, durationMs, status: "error" as const, errorCode, errorMessage },
+ "Input validation failure",
+ );
+ } else {
+ logger.error(
+ { ...logBase, durationMs, status: "error" as const, errorCode, errorMessage },
+ "tRPC call failed",
+ );
+ }
throw error;
}
diff --git a/packages/api/src/middleware/rate-limit.ts b/packages/api/src/middleware/rate-limit.ts
new file mode 100644
index 0000000..5b2c61d
--- /dev/null
+++ b/packages/api/src/middleware/rate-limit.ts
@@ -0,0 +1,71 @@
+/**
+ * Simple in-memory rate limiter (Map-based).
+ * Good enough for single-instance deployments.
+ * For multi-instance, swap to Redis-backed implementation.
+ */
+
+interface RateLimitEntry {
+ count: number;
+ resetAt: number;
+}
+
+interface RateLimitResult {
+ allowed: boolean;
+ remaining: number;
+ resetAt: Date;
+}
+
+/**
+ * Creates a sliding-window rate limiter.
+ * @param windowMs - Time window in milliseconds
+ * @param maxRequests - Maximum requests allowed within the window
+ */
+export function createRateLimiter(windowMs: number, maxRequests: number) {
+ const store = new Map();
+
+ // Periodically clean up expired entries to prevent memory leaks
+ const cleanupInterval = setInterval(() => {
+ const now = Date.now();
+ for (const [key, entry] of store) {
+ if (entry.resetAt <= now) {
+ store.delete(key);
+ }
+ }
+ }, windowMs);
+
+ // Allow garbage collection if the process holds no other references
+ if (cleanupInterval.unref) {
+ cleanupInterval.unref();
+ }
+
+ return function check(key: string): RateLimitResult {
+ const now = Date.now();
+ const existing = store.get(key);
+
+ // Window expired or first request — start fresh
+ if (!existing || existing.resetAt <= now) {
+ const resetAt = now + windowMs;
+ store.set(key, { count: 1, resetAt });
+ return {
+ allowed: true,
+ remaining: maxRequests - 1,
+ resetAt: new Date(resetAt),
+ };
+ }
+
+ // Within the current window
+ existing.count += 1;
+ const allowed = existing.count <= maxRequests;
+ return {
+ allowed,
+ remaining: Math.max(0, maxRequests - existing.count),
+ resetAt: new Date(existing.resetAt),
+ };
+ };
+}
+
+/** General API rate limiter: 100 requests per 15 minutes per key */
+export const apiRateLimiter = createRateLimiter(15 * 60 * 1000, 100);
+
+/** Auth rate limiter: 5 attempts per 15 minutes per key */
+export const authRateLimiter = createRateLimiter(15 * 60 * 1000, 5);
diff --git a/packages/api/src/router/assistant-tools.ts b/packages/api/src/router/assistant-tools.ts
index e73495e..38b0c12 100644
--- a/packages/api/src/router/assistant-tools.ts
+++ b/packages/api/src/router/assistant-tools.ts
@@ -8,7 +8,7 @@ import { calculateAllocation, checkDuplicateAssignment, countWorkingDays } from
import { computeBudgetStatus } from "@capakraken/engine";
import type { PermissionKey } from "@capakraken/shared";
import { parseTaskAction } from "@capakraken/shared";
-import { createAiClient, createDalleClient, isAiConfigured, isDalleConfigured, parseAiError } from "../ai-client.js";
+import { createAiClient, createDalleClient, isAiConfigured, isDalleConfigured, loggedAiCall, parseAiError } from "../ai-client.js";
import { getTaskAction } from "../lib/task-actions.js";
import { fmtEur } from "../lib/format-utils.js";
import { resolveRecipients } from "../lib/notification-targeting.js";
@@ -5327,15 +5327,18 @@ const executors = {
const maxTokens = settings!.aiMaxCompletionTokens ?? 300;
const temperature = settings!.aiTemperature ?? 1;
- const completion = await client.chat.completions.create({
- messages: [
- { role: "system", content: "You are a project management analyst providing brief executive summaries. Be factual and action-oriented." },
- { role: "user", content: prompt },
- ],
- max_completion_tokens: maxTokens,
- model,
- ...(temperature !== 1 ? { temperature } : {}),
- });
+ const provider = settings!.aiProvider ?? "openai";
+ const completion = await loggedAiCall(provider, model, prompt.length, () =>
+ client.chat.completions.create({
+ messages: [
+ { role: "system", content: "You are a project management analyst providing brief executive summaries. Be factual and action-oriented." },
+ { role: "user", content: prompt },
+ ],
+ max_completion_tokens: maxTokens,
+ model,
+ ...(temperature !== 1 ? { temperature } : {}),
+ }),
+ );
const narrative = completion.choices[0]?.message?.content?.trim() ?? "";
if (!narrative) return { error: "AI returned an empty response." };
diff --git a/packages/api/src/router/assistant.ts b/packages/api/src/router/assistant.ts
index f197c64..83ff821 100644
--- a/packages/api/src/router/assistant.ts
+++ b/packages/api/src/router/assistant.ts
@@ -7,7 +7,7 @@ import { z } from "zod";
import { TRPCError } from "@trpc/server";
import { resolvePermissions, type PermissionOverrides, type SystemRole } from "@capakraken/shared";
import { createTRPCRouter, protectedProcedure } from "../trpc.js";
-import { createAiClient, isAiConfigured, parseAiError } from "../ai-client.js";
+import { createAiClient, isAiConfigured, loggedAiCall, parseAiError } from "../ai-client.js";
import { TOOL_DEFINITIONS, executeTool, type ToolContext, type ToolAction } from "./assistant-tools.js";
const MAX_TOOL_ITERATIONS = 8;
@@ -167,15 +167,19 @@ export const assistantRouter = createTRPCRouter({
for (let i = 0; i < MAX_TOOL_ITERATIONS; i++) {
// eslint-disable-next-line @typescript-eslint/no-explicit-any
let response: any;
+ const provider = settings!.aiProvider ?? "openai";
+ const msgLen = openaiMessages.reduce((n, m) => n + (typeof m.content === "string" ? m.content.length : 0), 0);
try {
- response = await client.chat.completions.create({
- model,
- messages: openaiMessages,
- // eslint-disable-next-line @typescript-eslint/no-explicit-any
- tools: availableTools as any,
- max_completion_tokens: maxTokens,
- temperature,
- });
+ response = await loggedAiCall(provider, model, msgLen, () =>
+ client.chat.completions.create({
+ model,
+ messages: openaiMessages,
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
+ tools: availableTools as any,
+ max_completion_tokens: maxTokens,
+ temperature,
+ }),
+ );
} catch (err) {
throw new TRPCError({
code: "INTERNAL_SERVER_ERROR",
diff --git a/packages/api/src/router/insights.ts b/packages/api/src/router/insights.ts
index 2116fe1..160978a 100644
--- a/packages/api/src/router/insights.ts
+++ b/packages/api/src/router/insights.ts
@@ -1,4 +1,4 @@
-import { createAiClient, isAiConfigured, parseAiError } from "../ai-client.js";
+import { createAiClient, isAiConfigured, loggedAiCall, parseAiError } from "../ai-client.js";
import { controllerProcedure, createTRPCRouter } from "../trpc.js";
import { TRPCError } from "@trpc/server";
import { z } from "zod";
@@ -133,17 +133,20 @@ ${dataContext}`;
const maxTokens = settings!.aiMaxCompletionTokens ?? 300;
const temperature = settings!.aiTemperature ?? 1;
+ const provider = settings!.aiProvider ?? "openai";
let narrative = "";
try {
- const completion = await client.chat.completions.create({
- messages: [
- { role: "system", content: "You are a project management analyst providing brief executive summaries. Be factual and action-oriented." },
- { role: "user", content: prompt },
- ],
- max_completion_tokens: maxTokens,
- model,
- ...(temperature !== 1 ? { temperature } : {}),
- });
+ const completion = await loggedAiCall(provider, model, prompt.length, () =>
+ client.chat.completions.create({
+ messages: [
+ { role: "system", content: "You are a project management analyst providing brief executive summaries. Be factual and action-oriented." },
+ { role: "user", content: prompt },
+ ],
+ max_completion_tokens: maxTokens,
+ model,
+ ...(temperature !== 1 ? { temperature } : {}),
+ }),
+ );
narrative = completion.choices[0]?.message?.content?.trim() ?? "";
} catch (err) {
throw new TRPCError({
diff --git a/packages/api/src/router/project.ts b/packages/api/src/router/project.ts
index 3d4e860..1f474a1 100644
--- a/packages/api/src/router/project.ts
+++ b/packages/api/src/router/project.ts
@@ -12,10 +12,11 @@ import { assertBlueprintDynamicFields } from "./blueprint-validation.js";
import { buildDynamicFieldWhereClauses } from "./custom-field-filters.js";
import { loadProjectPlanningReadModel } from "./project-planning-read-model.js";
import { adminProcedure, controllerProcedure, createTRPCRouter, managerProcedure, protectedProcedure, requirePermission } from "../trpc.js";
-import { createDalleClient, isDalleConfigured, parseAiError } from "../ai-client.js";
+import { createDalleClient, isDalleConfigured, loggedAiCall, parseAiError } from "../ai-client.js";
import { generateGeminiImage, isGeminiConfigured, parseGeminiError } from "../gemini-client.js";
import { invalidateDashboardCache } from "../lib/cache.js";
import { dispatchWebhooks } from "../lib/webhook-dispatcher.js";
+import { validateImageDataUrl } from "../lib/image-validation.js";
const MAX_COVER_SIZE = 4 * 1024 * 1024; // 4 MB base64 string length limit (client compresses before upload)
@@ -520,13 +521,15 @@ export const projectRouter = createTRPCRouter({
// eslint-disable-next-line @typescript-eslint/no-explicit-any
let response: any;
try {
- response = await dalleClient.images.generate({
- model,
- prompt: finalPrompt,
- size: "1024x1024",
- n: 1,
- response_format: "b64_json",
- });
+ response = await loggedAiCall("dalle", model, finalPrompt.length, () =>
+ dalleClient.images.generate({
+ model,
+ prompt: finalPrompt,
+ size: "1024x1024",
+ n: 1,
+ response_format: "b64_json",
+ }),
+ );
} catch (err) {
throw new TRPCError({
code: "INTERNAL_SERVER_ERROR",
@@ -568,6 +571,15 @@ export const projectRouter = createTRPCRouter({
});
}
+ // Validate magic bytes match declared MIME type
+ const magicCheck = validateImageDataUrl(input.imageDataUrl);
+ if (!magicCheck.valid) {
+ throw new TRPCError({
+ code: "BAD_REQUEST",
+ message: `File validation failed: ${magicCheck.reason}`,
+ });
+ }
+
if (input.imageDataUrl.length > MAX_COVER_SIZE) {
throw new TRPCError({
code: "BAD_REQUEST",
diff --git a/packages/api/src/router/resource.ts b/packages/api/src/router/resource.ts
index 0acb99a..0d75664 100644
--- a/packages/api/src/router/resource.ts
+++ b/packages/api/src/router/resource.ts
@@ -1,4 +1,4 @@
-import { createAiClient, isAiConfigured } from "../ai-client.js";
+import { createAiClient, isAiConfigured, loggedAiCall } from "../ai-client.js";
import {
isChargeabilityActualBooking,
isChargeabilityRelevantProject,
@@ -795,13 +795,16 @@ export const resourceRouter = createTRPCRouter({
const maxTokens = settings!.aiMaxCompletionTokens ?? 300;
const temperature = settings!.aiTemperature ?? 1;
+ const provider = settings!.aiProvider ?? "openai";
async function callChatCompletions(withTemperature: boolean) {
- return client.chat.completions.create({
- messages: [{ role: "user", content: prompt }],
- max_completion_tokens: maxTokens,
- model,
- ...(withTemperature && temperature !== 1 ? { temperature } : {}),
- });
+ return loggedAiCall(provider, model, prompt.length, () =>
+ client.chat.completions.create({
+ messages: [{ role: "user", content: prompt }],
+ max_completion_tokens: maxTokens,
+ model,
+ ...(withTemperature && temperature !== 1 ? { temperature } : {}),
+ }),
+ );
}
let summary = "";
diff --git a/packages/api/src/router/user.ts b/packages/api/src/router/user.ts
index 94d4349..9066e19 100644
--- a/packages/api/src/router/user.ts
+++ b/packages/api/src/router/user.ts
@@ -12,7 +12,7 @@ import { Prisma } from "@capakraken/db";
import { TRPCError } from "@trpc/server";
import { z } from "zod";
import { findUniqueOrThrow } from "../db/helpers.js";
-import { adminProcedure, createTRPCRouter, managerProcedure, protectedProcedure } from "../trpc.js";
+import { adminProcedure, createTRPCRouter, managerProcedure, protectedProcedure, publicProcedure } from "../trpc.js";
import { createAuditEntry } from "../lib/audit.js";
export const userRouter = createTRPCRouter({
@@ -39,6 +39,7 @@ export const userRouter = createTRPCRouter({
lastLoginAt: true,
lastActiveAt: true,
permissionOverrides: true,
+ totpEnabled: true,
},
orderBy: { name: "asc" },
});
@@ -466,4 +467,147 @@ export const userRouter = createTRPCRouter({
overrides: user.permissionOverrides as PermissionOverrides | null,
};
}),
+
+ // ─── TOTP / MFA ─────────────────────────────────────────────────────────────
+
+ /** Generate a new TOTP secret for the current user (not yet enabled). */
+ generateTotpSecret: protectedProcedure.mutation(async ({ ctx }) => {
+ const { TOTP, Secret } = await import("otpauth");
+ const secret = new Secret({ size: 20 });
+ const totp = new TOTP({
+ issuer: "CapaKraken",
+ label: ctx.session.user?.email ?? ctx.dbUser!.id,
+ algorithm: "SHA1",
+ digits: 6,
+ period: 30,
+ secret,
+ });
+
+ // Store the secret (not yet enabled)
+ await ctx.db.user.update({
+ where: { id: ctx.dbUser!.id },
+ data: { totpSecret: secret.base32 },
+ });
+
+ const uri = totp.toString();
+ return { secret: secret.base32, uri };
+ }),
+
+ /** Verify a TOTP token and enable MFA for the current user. */
+ verifyAndEnableTotp: protectedProcedure
+ .input(z.object({ token: z.string().length(6) }))
+ .mutation(async ({ ctx, input }) => {
+ const user = await ctx.db.user.findUniqueOrThrow({
+ where: { id: ctx.dbUser!.id },
+ select: { id: true, name: true, email: true, totpSecret: true, totpEnabled: true },
+ });
+
+ if (!user.totpSecret) {
+ throw new TRPCError({ code: "BAD_REQUEST", message: "No TOTP secret generated. Call generateTotpSecret first." });
+ }
+ if (user.totpEnabled) {
+ throw new TRPCError({ code: "BAD_REQUEST", message: "TOTP is already enabled." });
+ }
+
+ const { TOTP, Secret } = await import("otpauth");
+ const totp = new TOTP({
+ issuer: "CapaKraken",
+ label: user.email,
+ algorithm: "SHA1",
+ digits: 6,
+ period: 30,
+ secret: Secret.fromBase32(user.totpSecret),
+ });
+
+ const delta = totp.validate({ token: input.token, window: 1 });
+ if (delta === null) {
+ throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid TOTP token." });
+ }
+
+ await ctx.db.user.update({
+ where: { id: user.id },
+ data: { totpEnabled: true },
+ });
+
+ void createAuditEntry({
+ db: ctx.db,
+ entityType: "User",
+ entityId: user.id,
+ entityName: `${user.name} (${user.email})`,
+ action: "UPDATE",
+ userId: user.id,
+ source: "ui",
+ summary: "Enabled TOTP MFA",
+ });
+
+ return { enabled: true };
+ }),
+
+ /** Admin override: disable TOTP for a specific user. */
+ disableTotp: adminProcedure
+ .input(z.object({ userId: z.string() }))
+ .mutation(async ({ ctx, input }) => {
+ const user = await ctx.db.user.findUniqueOrThrow({
+ where: { id: input.userId },
+ select: { id: true, name: true, email: true, totpEnabled: true },
+ });
+
+ await ctx.db.user.update({
+ where: { id: input.userId },
+ data: { totpEnabled: false, totpSecret: null },
+ });
+
+ void createAuditEntry({
+ db: ctx.db,
+ entityType: "User",
+ entityId: user.id,
+ entityName: `${user.name} (${user.email})`,
+ action: "UPDATE",
+ ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+ source: "ui",
+ summary: "Disabled TOTP MFA (admin override)",
+ });
+
+ return { disabled: true };
+ }),
+
+ /** Verify a TOTP token (used during the login flow — public procedure). */
+ verifyTotp: publicProcedure
+ .input(z.object({ userId: z.string(), token: z.string().length(6) }))
+ .mutation(async ({ ctx, input }) => {
+ const user = await ctx.db.user.findUniqueOrThrow({
+ where: { id: input.userId },
+ select: { id: true, totpSecret: true, totpEnabled: true },
+ });
+
+ if (!user.totpEnabled || !user.totpSecret) {
+ throw new TRPCError({ code: "BAD_REQUEST", message: "TOTP is not enabled for this user." });
+ }
+
+ const { TOTP, Secret } = await import("otpauth");
+ const totp = new TOTP({
+ issuer: "CapaKraken",
+ label: user.id,
+ algorithm: "SHA1",
+ digits: 6,
+ period: 30,
+ secret: Secret.fromBase32(user.totpSecret),
+ });
+
+ const delta = totp.validate({ token: input.token, window: 1 });
+ if (delta === null) {
+ throw new TRPCError({ code: "UNAUTHORIZED", message: "Invalid TOTP token." });
+ }
+
+ return { valid: true };
+ }),
+
+ /** Get MFA status for the current user. */
+ getMfaStatus: protectedProcedure.query(async ({ ctx }) => {
+ const user = await ctx.db.user.findUniqueOrThrow({
+ where: { id: ctx.dbUser!.id },
+ select: { totpEnabled: true },
+ });
+ return { totpEnabled: user.totpEnabled };
+ }),
});
diff --git a/packages/api/src/trpc.ts b/packages/api/src/trpc.ts
index 05d2bca..32196aa 100644
--- a/packages/api/src/trpc.ts
+++ b/packages/api/src/trpc.ts
@@ -3,6 +3,7 @@ import { resolvePermissions, PermissionKey, SystemRole } from "@capakraken/share
import { initTRPC, TRPCError } from "@trpc/server";
import { ZodError } from "zod";
import { loggingMiddleware } from "./middleware/logging.js";
+import { apiRateLimiter } from "./middleware/rate-limit.js";
// Minimal Session type to avoid next-auth peer-dep in this package
interface Session {
@@ -100,6 +101,16 @@ export const protectedProcedure = t.procedure.use(withLogging).use(({ ctx, next
if (!ctx.dbUser) {
throw new TRPCError({ code: "UNAUTHORIZED", message: "User account not found" });
}
+
+ // Rate limit by user ID
+ const rateLimitResult = apiRateLimiter(ctx.dbUser.id);
+ if (!rateLimitResult.allowed) {
+ throw new TRPCError({
+ code: "TOO_MANY_REQUESTS",
+ message: `Rate limit exceeded. Try again after ${rateLimitResult.resetAt.toISOString()}`,
+ });
+ }
+
return next({
ctx: {
...ctx,
diff --git a/packages/db/prisma/schema.prisma b/packages/db/prisma/schema.prisma
index c2c8278..90e0c93 100644
--- a/packages/db/prisma/schema.prisma
+++ b/packages/db/prisma/schema.prisma
@@ -179,6 +179,8 @@ model User {
favoriteProjectIds Json? @db.JsonB // string[] of project IDs
lastLoginAt DateTime?
lastActiveAt DateTime?
+ totpSecret String? // Base32 TOTP secret
+ totpEnabled Boolean @default(false)
accounts Account[]
sessions Session[]
@@ -191,6 +193,7 @@ model User {
notificationsSent Notification[] @relation("notificationSender")
broadcasts NotificationBroadcast[] @relation("broadcastSender")
comments Comment[]
+ activeSessions ActiveSession[]
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
@@ -1453,11 +1456,33 @@ model SystemSettings {
geminiApiKey String?
geminiModel String? @default("gemini-2.5-flash-image")
imageProvider String? @default("dalle") // "dalle" | "gemini"
+ // Session timeout settings
+ sessionMaxAge Int? @default(28800) // Absolute timeout in seconds (8h)
+ sessionIdleTimeout Int? @default(1800) // Idle timeout in seconds (30min)
+ // Concurrent session limit (kick-oldest strategy)
+ maxConcurrentSessions Int? @default(3)
updatedAt DateTime @updatedAt
@@map("system_settings")
}
+// ─── Active Session Registry (JWT session tracking) ──────────────────────────
+
+model ActiveSession {
+ id String @id @default(cuid())
+ userId String
+ jti String @unique // JWT ID — unique per token
+ createdAt DateTime @default(now())
+ lastSeenAt DateTime @default(now())
+ userAgent String?
+ ipAddress String?
+
+ user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+ @@index([userId, createdAt])
+ @@map("active_sessions")
+}
+
// ─── Calculation Rules ────────────────────────────────────────────────────────
model CalculationRule {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6cb13ae..b578047 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -84,6 +84,9 @@ importers:
clsx:
specifier: ^2.1.1
version: 2.1.1
+ dompurify:
+ specifier: ^3.3.3
+ version: 3.3.3
framer-motion:
specifier: ^12.38.0
version: 12.38.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
@@ -93,6 +96,9 @@ importers:
next-auth:
specifier: ^5.0.0-beta.25
version: 5.0.0-beta.30(next@15.5.12(@babel/core@7.29.0)(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(react@19.2.4)
+ otpauth:
+ specifier: ^9.5.0
+ version: 9.5.0
react:
specifier: ^19.0.0
version: 19.2.4
@@ -130,6 +136,9 @@ importers:
'@playwright/test':
specifier: ^1.49.1
version: 1.58.2
+ '@types/dompurify':
+ specifier: ^3.2.0
+ version: 3.2.0
'@types/node':
specifier: ^22.10.2
version: 22.19.13
@@ -193,6 +202,9 @@ importers:
openai:
specifier: ^6.27.0
version: 6.27.0(zod@3.25.76)
+ otpauth:
+ specifier: ^9.5.0
+ version: 9.5.0
pino:
specifier: ^10.3.1
version: 10.3.1
@@ -1083,6 +1095,10 @@ packages:
cpu: [x64]
os: [win32]
+ '@noble/hashes@2.0.1':
+ resolution: {integrity: sha512-XlOlEbQcE9fmuXxrVTXCTlG2nlRXa9Rj3rr5Ue/+tX+nmkgbX720YHh0VR3hBF9xDvwnb8D2shVGOwNx+ulArw==}
+ engines: {node: '>= 20.19.0'}
+
'@node-rs/argon2-android-arm-eabi@2.0.2':
resolution: {integrity: sha512-DV/H8p/jt40lrao5z5g6nM9dPNPGEHL+aK6Iy/og+dbL503Uj0AHLqj1Hk9aVUSCNnsDdUEKp4TVMi0YakDYKw==}
engines: {node: '>= 10'}
@@ -1858,6 +1874,10 @@ packages:
'@types/d3-timer@3.0.2':
resolution: {integrity: sha512-Ps3T8E8dZDam6fUyNiMkekK3XUsaUEik+idO9/YjPtfj2qruF8tFBXS7XhtE4iIXBLxhmLjP3SXpLhVf21I9Lw==}
+ '@types/dompurify@3.2.0':
+ resolution: {integrity: sha512-Fgg31wv9QbLDA0SpTOXO3MaxySc4DKGLi8sna4/Utjo4r3ZRPdCt4UQee8BWr+Q5z21yifghREPJGYaEOEIACg==}
+ deprecated: This is a stub types definition. dompurify provides its own type definitions, so you do not need this installed.
+
'@types/eslint-scope@3.7.7':
resolution: {integrity: sha512-MzMFlSLBqNF2gcHWO0G1vP/YQyfvrxZ0bF+u7mzUdZ1/xK4A4sru+nraZz5i3iEIk1l1uyicaDVTB4QbbEkAYg==}
@@ -1912,6 +1932,9 @@ packages:
'@types/three@0.183.1':
resolution: {integrity: sha512-f2Pu5Hrepfgavttdye3PsH5RWyY/AvdZQwIVhrc4uNtvF7nOWJacQKcoVJn0S4f0yYbmAE6AR+ve7xDcuYtMGw==}
+ '@types/trusted-types@2.0.7':
+ resolution: {integrity: sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==}
+
'@types/use-sync-external-store@0.0.6':
resolution: {integrity: sha512-zFDAD+tlpf2r4asuHEj0XH6pY6i0g5NeAHPn+15wk3BV6JA69eERFXC1gyGThDkVa1zCyKr5jox1+2LbV/AMLg==}
@@ -2553,6 +2576,9 @@ packages:
resolution: {integrity: sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==}
engines: {node: '>=0.10.0'}
+ dompurify@3.3.3:
+ resolution: {integrity: sha512-Oj6pzI2+RqBfFG+qOaOLbFXLQ90ARpcGG6UePL82bJLtdsa6CYJD7nmiU8MW9nQNOtCHV3lZ/Bzq1X0QYbBZCA==}
+
dotenv@16.6.1:
resolution: {integrity: sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==}
engines: {node: '>=12'}
@@ -3515,6 +3541,9 @@ packages:
resolution: {integrity: sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==}
engines: {node: '>= 0.8.0'}
+ otpauth@9.5.0:
+ resolution: {integrity: sha512-Ldhc6UYl4baR5toGr8nfKC+L/b8/RgHKoIixAebgoNGzUUCET02g04rMEZ2ZsPfeVQhMHcuaOgb28nwMr81zCA==}
+
own-keys@1.0.1:
resolution: {integrity: sha512-qFOyK5PjiWZd+QQIh+1jhdb9LpxTF0qs7Pm8o5QHYZ0M3vKqSqzsZaEB6oWlxZ+q2sJBMI/Ktgd2N5ZwQoRHfg==}
engines: {node: '>= 0.4'}
@@ -5035,6 +5064,8 @@ snapshots:
'@next/swc-win32-x64-msvc@15.5.12':
optional: true
+ '@noble/hashes@2.0.1': {}
+
'@node-rs/argon2-android-arm-eabi@2.0.2':
optional: true
@@ -5894,6 +5925,10 @@ snapshots:
'@types/d3-timer@3.0.2': {}
+ '@types/dompurify@3.2.0':
+ dependencies:
+ dompurify: 3.3.3
+
'@types/eslint-scope@3.7.7':
dependencies:
'@types/eslint': 9.6.1
@@ -5965,6 +6000,9 @@ snapshots:
fflate: 0.8.2
meshoptimizer: 1.0.1
+ '@types/trusted-types@2.0.7':
+ optional: true
+
'@types/use-sync-external-store@0.0.6': {}
'@types/webxr@0.5.24': {}
@@ -6680,6 +6718,10 @@ snapshots:
dependencies:
esutils: 2.0.3
+ dompurify@3.3.3:
+ optionalDependencies:
+ '@types/trusted-types': 2.0.7
+
dotenv@16.6.1: {}
dunder-proto@1.0.1:
@@ -7732,6 +7774,10 @@ snapshots:
type-check: 0.4.0
word-wrap: 1.2.5
+ otpauth@9.5.0:
+ dependencies:
+ '@noble/hashes': 2.0.1
+
own-keys@1.0.1:
dependencies:
get-intrinsic: 1.3.0