Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: ACN Application Security Standard V7.30 compliance (19/23 items)

Browse Source 
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-03-27 14:16:39 +01:00
parent 70ae830623
commit 9d43e4b113
31 changed files with 1337 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/(app)/account/security/page.tsx
+16
View File
@@ -0,0 +1,16 @@
import { MfaSetup } from "~/components/security/MfaSetup.js";
export default function SecurityPage() {
return (
<div className="p-6 max-w-2xl mx-auto">
<div className="mb-6">
<h1 className="text-2xl font-bold text-gray-900 dark:text-gray-50">Account Security</h1>
<p className="text-sm text-gray-500 dark:text-gray-400 mt-1">
Manage two-factor authentication and other security settings.
</p>
</div>
<MfaSetup />
</div>
);
}
apps/web/src/app/auth/signin/page.tsx
+113 -34
View File
@@ -2,14 +2,17 @@
import { signIn } from "next-auth/react";
import { useRouter } from "next/navigation";
import { useState } from "react";
import { useRef, useState } from "react";
export default function SignInPage() {
const router = useRouter();
const [email, setEmail] = useState("");
const [password, setPassword] = useState("");
const [totp, setTotp] = useState("");
const [error, setError] = useState("");
const [loading, setLoading] = useState(false);
const [mfaRequired, setMfaRequired] = useState(false);
const totpInputRef = useRef<HTMLInputElement>(null);
async function handleSubmit(e: React.FormEvent) {
e.preventDefault();
@@ -19,11 +22,35 @@ export default function SignInPage() {
const result = await signIn("credentials", {
email,
password,
...(mfaRequired ? { totp } : {}),
redirect: false,
});
if (result?.error) {
setError("Invalid email or password");
// Auth.js wraps authorize() errors in the error field
if (result.error.includes("MFA_REQUIRED")) {
setMfaRequired(true);
setLoading(false);
// Focus the TOTP input after render
setTimeout(() => totpInputRef.current?.focus(), 100);
return;
}
if (result.error.includes("INVALID_TOTP")) {
setError("Invalid verification code. Please try again.");
setTotp("");
setLoading(false);
return;
}
if (result.error.includes("Too many login attempts")) {
setError("Too many login attempts. Please try again later.");
} else {
setError("Invalid email or password");
}
// Reset MFA state on credential error
if (mfaRequired) {
setMfaRequired(false);
setTotp("");
}
} else {
router.push("/dashboard");
}
@@ -31,6 +58,12 @@ export default function SignInPage() {
setLoading(false);
}
function handleBackToLogin() {
setMfaRequired(false);
setTotp("");
setError("");
}
return (
<div className="min-h-screen bg-[radial-gradient(circle_at_top_left,rgba(255,255,255,0.9),transparent_26rem),linear-gradient(135deg,rgba(240,249,255,1),rgba(232,245,255,0.85)_40%,rgba(255,255,255,1))] px-4 py-12 dark:bg-[radial-gradient(circle_at_top_left,rgba(14,165,233,0.14),transparent_24rem),linear-gradient(180deg,rgba(12,17,29,1),rgba(10,15,25,1))]">
<div className="mx-auto grid w-full max-w-6xl gap-8 lg:grid-cols-[1.05fr,0.95fr]">
@@ -66,8 +99,14 @@ export default function SignInPage() {
<div className="app-surface-strong p-8">
<div className="mb-8">
<p className="text-xs font-semibold uppercase tracking-[0.18em] text-brand-600">Welcome Back</p>
<h2 className="mt-3 font-display text-4xl font-semibold text-gray-900 dark:text-gray-50">Sign in to CapaKraken</h2>
<p className="mt-2 text-sm text-gray-500">Resource Planning, staffing, and forecasting.</p>
<h2 className="mt-3 font-display text-4xl font-semibold text-gray-900 dark:text-gray-50">
{mfaRequired ? "Two-Factor Authentication" : "Sign in to CapaKraken"}
</h2>
<p className="mt-2 text-sm text-gray-500">
{mfaRequired
? "Enter the 6-digit code from your authenticator app."
: "Resource Planning, staffing, and forecasting."}
</p>
</div>
<form onSubmit={handleSubmit} className="space-y-4">
@@ -77,43 +116,83 @@ export default function SignInPage() {
</div>
)}
<div>
<label htmlFor="email" className="app-label">
Email
</label>
<input
id="email"
type="email"
value={email}
onChange={(e) => setEmail(e.target.value)}
className="app-input"
placeholder="you@company.com"
required
/>
</div>
{!mfaRequired && (
<>
<div>
<label htmlFor="email" className="app-label">
Email
</label>
<input
id="email"
type="email"
value={email}
onChange={(e) => setEmail(e.target.value)}
className="app-input"
placeholder="you@company.com"
required
/>
</div>
<div>
<label htmlFor="password" className="app-label">
Password
</label>
<input
id="password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
className="app-input"
placeholder="••••••••"
required
/>
</div>
<div>
<label htmlFor="password" className="app-label">
Password
</label>
<input
id="password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
className="app-input"
placeholder="--------"
required
autoComplete="current-password"
/>
</div>
</>
)}
{mfaRequired && (
<div>
<label htmlFor="totp" className="app-label">
Verification Code
</label>
<input
ref={totpInputRef}
id="totp"
type="text"
inputMode="numeric"
autoComplete="one-time-code"
maxLength={6}
pattern="[0-9]{6}"
value={totp}
onChange={(e) => setTotp(e.target.value.replace(/\D/g, "").slice(0, 6))}
className="app-input text-center text-2xl font-mono tracking-[0.4em]"
placeholder="000000"
required
/>
<p className="mt-2 text-xs text-gray-500 dark:text-gray-400">
Open your authenticator app (e.g. Google Authenticator, Authy) and enter the current code.
</p>
</div>
)}
<button
type="submit"
disabled={loading}
disabled={loading || (mfaRequired && totp.length !== 6)}
className="w-full rounded-2xl bg-brand-600 px-4 py-3 text-sm font-semibold text-white shadow-lg shadow-brand-600/25 transition-colors hover:bg-brand-700 disabled:opacity-50"
>
{loading ? "Signing in..." : "Sign in"}
{loading ? "Signing in..." : mfaRequired ? "Verify" : "Sign in"}
</button>
{mfaRequired && (
<button
type="button"
onClick={handleBackToLogin}
className="w-full text-center text-sm text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200"
>
Back to login
</button>
)}
</form>
</div>