feat: ACN Application Security Standard V7.30 compliance (19/23 items)

CRITICAL — Authentication & Access: - TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration, admin disable override, /account/security self-service page - Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge) - Failed Auth Logging: Pino warn for invalid password/user/totp, info for successful login, audit entries for all auth events - Concurrent Session Limit: ActiveSession model, oldest-kick strategy, max 3 per user (configurable in SystemSettings) CRITICAL — HTTP Security: - HSTS: max-age=31536000; includeSubDomains - CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist - X-XSS-Protection: 0 (CSP replaces legacy) - Auth page cache: no-store, no-cache, must-revalidate - Rate Limiting: 100/15min general API, 5/15min auth (Map-based) Data Protection: - XSS Sanitization: DOMPurify on comment bodies - autocomplete="new-password" on all password/secret fields - SameSite=Strict on all cookies (Credentials-only, no OAuth) - File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF) Logging & Monitoring: - Login/Logout audit entries (Auth entityType) - External API call logging with timing (OpenAI, Gemini) - Input validation failure logging at warn level - Concurrent session tracking in ActiveSession table Documentation: - docs/security-architecture.md (11 sections) - docs/sdlc.md (CI pipeline, security gates, incident response) - .gitea/PULL_REQUEST_TEMPLATE.md (security checklist) Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/ sessionIdleTimeout/maxConcurrentSessions, ActiveSession model Tests: 310 engine + 37 staffing pass. TypeScript clean. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 14:16:39 +01:00
parent 70ae830623
commit 9d43e4b113
31 changed files with 1337 additions and 107 deletions
@@ -179,6 +179,8 @@ model User {
  favoriteProjectIds Json?     @db.JsonB  // string[] of project IDs
  lastLoginAt        DateTime?
  lastActiveAt       DateTime?
+  totpSecret         String?           // Base32 TOTP secret
+  totpEnabled        Boolean  @default(false)

  accounts          Account[]
  sessions          Session[]
@@ -191,6 +193,7 @@ model User {
  notificationsSent  Notification[]          @relation("notificationSender")
  broadcasts         NotificationBroadcast[] @relation("broadcastSender")
  comments           Comment[]
+  activeSessions     ActiveSession[]

  createdAt         DateTime  @default(now())
  updatedAt         DateTime  @updatedAt
@@ -1453,11 +1456,33 @@ model SystemSettings {
  geminiApiKey            String?
  geminiModel             String?  @default("gemini-2.5-flash-image")
  imageProvider           String?  @default("dalle")  // "dalle" | "gemini"
+  // Session timeout settings
+  sessionMaxAge           Int?     @default(28800)    // Absolute timeout in seconds (8h)
+  sessionIdleTimeout      Int?     @default(1800)     // Idle timeout in seconds (30min)
+  // Concurrent session limit (kick-oldest strategy)
+  maxConcurrentSessions   Int?     @default(3)
  updatedAt               DateTime @updatedAt

  @@map("system_settings")
 }

+// ─── Active Session Registry (JWT session tracking) ──────────────────────────
+
+model ActiveSession {
+  id          String   @id @default(cuid())
+  userId      String
+  jti         String   @unique  // JWT ID — unique per token
+  createdAt   DateTime @default(now())
+  lastSeenAt  DateTime @default(now())
+  userAgent   String?
+  ipAddress   String?
+
+  user        User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId, createdAt])
+  @@map("active_sessions")
+}
+
 // ─── Calculation Rules ────────────────────────────────────────────────────────

 model CalculationRule {