Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security/platform: close audit findings #19–#26

Browse Source 
Tests, CSP nonce middleware, SSRF guard, perf-route hardening,
Docker env isolation, migration runbook, RBAC E2E coverage.

Tickets resolved:
- #19: MfaSetup.test.ts — static source tests confirming local QR rendering
- #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix
- #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed
- #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests);
       layout.tsx async + nonce prop; CSP removed from next.config.ts
- #23: Active-session registry enforcement verified (already in codebase)
- #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution)
- #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created
- #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures)

Quality gates: tsc clean, api 1447/1447, web 189/189 passing.
Turbo concurrency capped at 2 (package.json) to prevent OOM under
parallel test runs.

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-04-01 22:14:20 +02:00
parent 4901bc878b
commit bfdf0a82da
15 changed files with 1013 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/e2e/dev-system/helpers.ts
+20 -7
View File
@@ -16,13 +16,26 @@ export async function signIn(page: Page, email: string, password: string) {
}
export async function signOut(page: Page) {
await page.goto("/auth/signout");
// Auth.js v5 renders a confirmation page at /auth/signout before signing out.
// Click the submit button if a form is present.
const confirmBtn = page.locator('button[type="submit"]').first();
if (await confirmBtn.isVisible({ timeout: 3000 }).catch(() => false)) {
await confirmBtn.click();
}
// next-auth/react signOut() POSTs to /auth/signout with a CSRF token.
// There is no GET-accessible signout page in this app (/auth/signout returns 404).
// Replicate what the client-side signOut() function does:
// 1. Fetch the CSRF token from /auth/csrf
// 2. POST to /auth/signout with that token
// 3. Follow the redirect to /auth/signin
await page.goto("/dashboard"); // land on any authenticated page for cookie context
await page.evaluate(async () => {
const csrfRes = await fetch("/api/auth/csrf");
const { csrfToken } = await csrfRes.json() as { csrfToken: string };
await fetch("/api/auth/signout", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({ csrfToken, callbackUrl: "/auth/signin", json: "true" }),
redirect: "follow",
});
});
// After the POST clears the session cookie, navigating to a protected route
// should redirect to sign-in.
await page.goto("/dashboard");
await page.waitForURL(/\/auth\/signin/, { timeout: 10000 });
}
apps/web/e2e/dev-system/rbac-data-access.spec.ts
+239
View File
@@ -0,0 +1,239 @@
/**
* RBAC data-access matrix — dev system
*
* Verifies that role-based access control is enforced at the network level
* (tRPC response payload) against the running dev server with real seed data.
*
* Unlike rbac-permissions.spec.ts (which checks UI visibility), these tests
* call tRPC procedures directly via fetch() inside the browser context and
* assert on HTTP status + tRPC error codes in the response body.
*
* All tests use pre-authenticated storage states — no signIn() calls, no
* auth rate limiter pressure. 3 logins total per suite run (from globalSetup).
*
* Tested procedures and their audience classes (docs/route-access-matrix.md):
*
* user.list → admin-only (adminProcedure)
* allocation.listView → planning-read (planningReadProcedure → VIEW_PLANNING)
* resource.listSummaries → resource-overview (resourceOverviewProcedure)
* user.listAssignable → manager-write (managerProcedure → ADMIN or MANAGER)
*
* Expected access matrix:
*
* Procedure ADMIN MANAGER VIEWER
* user.list ✓ FORBIDDEN FORBIDDEN
* allocation.listView ✓ ✓ FORBIDDEN
* resource.listSummaries ✓ ✓ FORBIDDEN
* user.listAssignable ✓ ✓ FORBIDDEN
*/
import { expect, test, type Page } from "@playwright/test";
import { STORAGE_STATE } from "../../playwright.dev.config.js";
// ---------------------------------------------------------------------------
// Helper — call a tRPC query procedure directly from within the browser context
// ---------------------------------------------------------------------------
type TrpcQueryResult = {
httpStatus: number;
trpcCode: string | null;
hasData: boolean;
};
/**
* Runs a tRPC GET query inside the browser context (inherits the session cookie).
* Returns the HTTP status, the tRPC error code (null on success), and whether
* a non-null `result.data` was returned.
*
* tRPC v11 batch GET format:
* /api/trpc/<proc>?batch=1&input={"0":{"json":<input>}}
* Success response: [{"result":{"data":{"json": ...}}}]
* Error response: [{"error":{"json":{"data":{"code":"FORBIDDEN","httpStatus":403}}}}]
*/
async function trpcQuery(
page: Page,
procedure: string,
input: unknown = null,
): Promise<TrpcQueryResult> {
return page.evaluate(
async ({ procedure, input }) => {
const encodedInput = encodeURIComponent(
JSON.stringify({ "0": { json: input } }),
);
const url = `/api/trpc/${procedure}?batch=1&input=${encodedInput}`;
const res = await fetch(url, { credentials: "include" });
const httpStatus = res.status;
// tRPC v11 with no transformer: no extra .json wrapper around the payload.
// Error format: [{"error":{"message":"...","code":-32603,"data":{"code":"FORBIDDEN","httpStatus":403}}}]
// Success format: [{"result":{"data": <value>}}]
type TrpcBatchItem = {
result?: { data?: unknown };
error?: { data?: { code?: string }; message?: string };
};
const body = (await res.json()) as TrpcBatchItem[];
const item = body[0];
const trpcCode = item?.error?.data?.code ?? null;
const hasData =
item?.result?.data !== undefined && item.result.data !== null;
return { httpStatus, trpcCode, hasData } satisfies {
httpStatus: number;
trpcCode: string | null;
hasData: boolean;
};
},
{ procedure, input },
);
}
// ---------------------------------------------------------------------------
// Admin — should have access to all procedures
// ---------------------------------------------------------------------------
test.describe("RBAC data-access — admin", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin: user.list returns data (admin-only procedure)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "user.list");
expect(result.trpcCode).toBeNull();
expect(result.httpStatus).toBe(200);
expect(result.hasData).toBe(true);
});
test("admin: allocation.listView returns data (planning-read)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "allocation.listView", {});
expect(result.trpcCode).toBeNull();
expect(result.httpStatus).toBe(200);
});
test("admin: resource.listSummaries returns data (resource-overview)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "resource.listSummaries");
expect(result.trpcCode).toBeNull();
expect(result.httpStatus).toBe(200);
});
test("admin: user.listAssignable returns data (manager-write procedure)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "user.listAssignable");
expect(result.trpcCode).toBeNull();
expect(result.httpStatus).toBe(200);
});
});
// ---------------------------------------------------------------------------
// Manager — FORBIDDEN on admin-only, allowed on planning-read/resource-overview/manager
// ---------------------------------------------------------------------------
test.describe("RBAC data-access — manager", () => {
test.use({ storageState: STORAGE_STATE.manager });
test("manager: user.list is FORBIDDEN (admin-only procedure)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "user.list");
expect(result.trpcCode).toBe("FORBIDDEN");
});
test("manager: allocation.listView returns data (planning-read)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "allocation.listView", {});
expect(result.trpcCode).toBeNull();
expect(result.httpStatus).toBe(200);
});
test("manager: resource.listSummaries returns data (resource-overview)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "resource.listSummaries");
expect(result.trpcCode).toBeNull();
expect(result.httpStatus).toBe(200);
});
test("manager: user.listAssignable returns data (manager-write procedure)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "user.listAssignable");
expect(result.trpcCode).toBeNull();
expect(result.httpStatus).toBe(200);
});
});
// ---------------------------------------------------------------------------
// Viewer — FORBIDDEN on all sensitive procedures
// ---------------------------------------------------------------------------
test.describe("RBAC data-access — viewer", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer: user.list is FORBIDDEN (admin-only procedure)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "user.list");
expect(result.trpcCode).toBe("FORBIDDEN");
});
test("viewer: allocation.listView is FORBIDDEN (planning-read — no VIEW_PLANNING)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "allocation.listView", {});
expect(result.trpcCode).toBe("FORBIDDEN");
});
test("viewer: resource.listSummaries is FORBIDDEN (resource-overview)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "resource.listSummaries");
expect(result.trpcCode).toBe("FORBIDDEN");
});
test("viewer: user.listAssignable is FORBIDDEN (manager-write procedure)", async ({
page,
}) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
const result = await trpcQuery(page, "user.listAssignable");
expect(result.trpcCode).toBe("FORBIDDEN");
});
});
apps/web/next.config.ts
+2 -8
View File
@@ -28,14 +28,8 @@ const nextConfig: NextConfig = {
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
{ key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
{
key: "Content-Security-Policy",
value: process.env.NODE_ENV === "production"
// Production: no unsafe-eval, no unsafe-inline in script-src
? "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
// Development: allow unsafe-eval and unsafe-inline for HMR / dev tooling
: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
},
// Content-Security-Policy is set per-request by middleware.ts (nonce-based).
// Static CSP here would conflict and cannot carry per-request nonces.
{ key: "X-XSS-Protection", value: "0" },
],
},
apps/web/src/app/api/perf/route.test.ts
+88
View File
@@ -0,0 +1,88 @@
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
vi.mock("@capakraken/api/sse", () => ({
eventBus: { subscriberCount: 0 },
}));
// Lazy import so we can stub env before the module-level code runs.
const importRoute = () => import("./route.js");
describe("GET /api/perf — security hardening", () => {
const ORIGINAL_SECRET = process.env["CRON_SECRET"];
beforeEach(() => {
vi.resetModules();
});
afterEach(() => {
if (ORIGINAL_SECRET === undefined) {
delete process.env["CRON_SECRET"];
} else {
process.env["CRON_SECRET"] = ORIGINAL_SECRET;
}
});
it("returns 200 with metrics for an authorised request via Authorization header", async () => {
process.env["CRON_SECRET"] = "test-secret-abc";
const { GET } = await importRoute();
const request = new Request("http://localhost/api/perf", {
headers: { Authorization: "Bearer test-secret-abc" },
});
const response = await GET(request);
expect(response.status).toBe(200);
const body = await response.json() as { timestamp: string; uptime: unknown; memory: unknown };
expect(typeof body.timestamp).toBe("string");
expect(body.uptime).toBeDefined();
expect(body.memory).toBeDefined();
});
it("returns 401 when no Authorization header is provided", async () => {
process.env["CRON_SECRET"] = "test-secret-abc";
const { GET } = await importRoute();
const request = new Request("http://localhost/api/perf");
const response = await GET(request);
expect(response.status).toBe(401);
});
it("returns 401 when the Authorization header contains a wrong secret", async () => {
process.env["CRON_SECRET"] = "test-secret-abc";
const { GET } = await importRoute();
const request = new Request("http://localhost/api/perf", {
headers: { Authorization: "Bearer wrong-secret" },
});
const response = await GET(request);
expect(response.status).toBe(401);
});
it("returns 401 for a query-param token — query-string auth is not supported", async () => {
process.env["CRON_SECRET"] = "test-secret-abc";
const { GET } = await importRoute();
// Pass secret as query param only — no Authorization header
const request = new Request("http://localhost/api/perf?token=test-secret-abc");
const response = await GET(request);
// The endpoint ignores query params entirely; without a valid header it must reject.
expect(response.status).toBe(401);
});
it("returns 401 and leaks no metrics when CRON_SECRET is not configured (fail-closed)", async () => {
delete process.env["CRON_SECRET"];
const { GET } = await importRoute();
// Even a request that would otherwise be valid must be rejected.
const request = new Request("http://localhost/api/perf", {
headers: { Authorization: "Bearer anything" },
});
const response = await GET(request);
expect(response.status).toBe(401);
const body = await response.json() as { error?: string; timestamp?: string; memory?: unknown };
expect(body.timestamp).toBeUndefined();
expect(body.memory).toBeUndefined();
});
});
apps/web/src/app/api/perf/route.ts
+3 -1
View File
@@ -7,7 +7,9 @@ export const runtime = "nodejs";
/**
* GET /api/perf — Runtime performance metrics.
*
* Protected by CRON_SECRET header or query param.
* Protected by CRON_SECRET via `Authorization: Bearer <secret>` header only.
* Query-string authentication is not supported (secrets must not appear in URLs).
* Fails closed (401) when CRON_SECRET is not configured in the environment.
* Returns Node.js memory usage, process uptime, and SSE connection count.
*/
export function GET(request: Request) {
apps/web/src/app/layout.tsx
+4 -2
View File
@@ -1,4 +1,5 @@
import type { Metadata, Viewport } from "next";
import { headers } from "next/headers";
import { Manrope, Source_Sans_3 } from "next/font/google";
import { TRPCProvider } from "~/lib/trpc/provider.js";
import { ServiceWorkerRegistration } from "~/components/layout/ServiceWorkerRegistration.js";
@@ -45,11 +46,12 @@ export const viewport: Viewport = {
themeColor: "#0284c7",
};
export default function RootLayout({ children }: { children: React.ReactNode }) {
export default async function RootLayout({ children }: { children: React.ReactNode }) {
const nonce = (await headers()).get("x-nonce") ?? undefined;
return (
<html lang="en" suppressHydrationWarning>
<head>
<script dangerouslySetInnerHTML={{__html: `
<script nonce={nonce} dangerouslySetInnerHTML={{__html: `
try {
var p = JSON.parse(localStorage.getItem('capakraken_theme') || '{}');
if (p.mode === 'dark') document.documentElement.classList.add('dark');
apps/web/src/components/security/MfaSetup.test.ts
+44
View File
@@ -0,0 +1,44 @@
/**
* MfaSetup security contract tests
*
* These tests verify the static source of MfaSetup.tsx to ensure the TOTP
* secret and otpauth:// URI are never transmitted to an external QR-code
* rendering service.
*
* Static source analysis is intentionally used here rather than a full React
* render test because:
* - The vitest environment for apps/web is "node" (not jsdom).
* - The security property being asserted is structural (absence of external
* URLs), not behavioural, making source-level assertion appropriate.
* - A render test would require a full React + browser environment and would
* be fragile against irrelevant UI changes.
*/
import { readFileSync } from "node:fs";
import { resolve } from "node:path";
import { describe, expect, it } from "vitest";
const SOURCE_PATH = resolve(__dirname, "./MfaSetup.tsx");
const source = readFileSync(SOURCE_PATH, "utf-8");
describe("MfaSetup — no external QR-code service", () => {
it("does not reference api.qrserver.com", () => {
expect(source).not.toMatch(/qrserver\.com/);
});
it("does not reference chart.googleapis.com", () => {
expect(source).not.toMatch(/chart\.googleapis\.com/);
});
it("does not reference any known external QR-generation service", () => {
// Guard against known external QR APIs and generic patterns
expect(source).not.toMatch(/https?:\/\/[^'"]*qr[^'"]*\.(com|io|dev)[^'"]*uri/i);
});
it("imports the local qrcode package for offline generation", () => {
expect(source).toMatch(/import\s+QRCode\s+from\s+['"]qrcode['"]/);
});
it("generates the QR code as a data URL (stays in-browser, no network request)", () => {
expect(source).toMatch(/QRCode\.toDataURL/);
});
});
apps/web/src/middleware.test.ts
+77
View File
@@ -0,0 +1,77 @@
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
import { NextRequest } from "next/server";
// Web Crypto is available in the test environment (Node 20+)
async function importMiddleware(nodeEnv: string) {
vi.stubEnv("NODE_ENV", nodeEnv);
vi.resetModules();
const mod = await import("./middleware.js");
return mod.middleware;
}
describe("middleware — Content-Security-Policy", () => {
afterEach(() => {
vi.unstubAllEnvs();
vi.resetModules();
});
it("sets a Content-Security-Policy header on every response", async () => {
const middleware = await importMiddleware("production");
const req = new NextRequest("http://localhost:3100/");
const res = middleware(req);
expect(res.headers.get("Content-Security-Policy")).toBeTruthy();
});
it("production: script-src contains a nonce and does NOT contain unsafe-inline or unsafe-eval", async () => {
const middleware = await importMiddleware("production");
const req = new NextRequest("http://localhost:3100/dashboard");
const res = middleware(req);
const csp = res.headers.get("Content-Security-Policy") ?? "";
const scriptSrc = csp.split(";").find((d) => d.trim().startsWith("script-src")) ?? "";
expect(scriptSrc).toMatch(/'nonce-[A-Za-z0-9+/=]+'/);
expect(scriptSrc).not.toContain("'unsafe-inline'");
expect(scriptSrc).not.toContain("'unsafe-eval'");
});
it("production: each request gets a unique nonce", async () => {
const middleware = await importMiddleware("production");
const res1 = middleware(new NextRequest("http://localhost:3100/a"));
const res2 = middleware(new NextRequest("http://localhost:3100/b"));
const nonce1 = res1.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
const nonce2 = res2.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
expect(nonce1).toBeTruthy();
expect(nonce2).toBeTruthy();
expect(nonce1).not.toBe(nonce2);
});
it("production: x-nonce request header matches the nonce in the CSP response header", async () => {
const middleware = await importMiddleware("production");
const req = new NextRequest("http://localhost:3100/settings");
const res = middleware(req);
const cspNonce = res.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
// The nonce is forwarded on the request (for server components) — not readable from
// the response directly, but verifiable via the CSP header consistency.
expect(cspNonce).toBeTruthy();
expect(cspNonce?.length).toBeGreaterThan(10);
});
it("development: script-src includes unsafe-eval and unsafe-inline for HMR", async () => {
const middleware = await importMiddleware("development");
const req = new NextRequest("http://localhost:3100/");
const res = middleware(req);
const csp = res.headers.get("Content-Security-Policy") ?? "";
const scriptSrc = csp.split(";").find((d) => d.trim().startsWith("script-src")) ?? "";
expect(scriptSrc).toContain("'unsafe-eval'");
expect(scriptSrc).toContain("'unsafe-inline'");
});
it("frame-ancestors is always 'none' regardless of environment", async () => {
for (const env of ["production", "development"] as const) {
const middleware = await importMiddleware(env);
const res = middleware(new NextRequest("http://localhost:3100/"));
const csp = res.headers.get("Content-Security-Policy") ?? "";
expect(csp).toContain("frame-ancestors 'none'");
}
});
});
apps/web/src/middleware.ts
+48
View File
@@ -0,0 +1,48 @@
import { NextRequest, NextResponse } from "next/server";
function buildCsp(nonce: string, isProd: boolean): string {
const scriptSrc = isProd
? `'self' 'nonce-${nonce}'`
: `'self' 'unsafe-eval' 'unsafe-inline'`;
const imgSrc = isProd ? "'self' data: blob:" : "'self' data: blob: https:";
return [
"default-src 'self'",
`script-src ${scriptSrc}`,
"style-src 'self' 'unsafe-inline'",
`img-src ${imgSrc}`,
"font-src 'self' data:",
"connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
].join("; ");
}
export function middleware(request: NextRequest): NextResponse {
// Generate a cryptographically random nonce for this request
const nonceBytes = new Uint8Array(16);
crypto.getRandomValues(nonceBytes);
const nonce = btoa(String.fromCharCode(...nonceBytes));
const isProd = process.env.NODE_ENV === "production";
const csp = buildCsp(nonce, isProd);
// Forward nonce to server components via request header
const requestHeaders = new Headers(request.headers);
requestHeaders.set("x-nonce", nonce);
requestHeaders.set("Content-Security-Policy", csp);
const response = NextResponse.next({ request: { headers: requestHeaders } });
response.headers.set("Content-Security-Policy", csp);
return response;
}
export const config = {
matcher: [
// Apply to all routes except Next.js internals and static assets
"/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
],
};