security/platform: close audit findings #19–#26

Tests, CSP nonce middleware, SSRF guard, perf-route hardening, Docker env isolation, migration runbook, RBAC E2E coverage. Tickets resolved: - #19: MfaSetup.test.ts — static source tests confirming local QR rendering - #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix - #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed - #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests); layout.tsx async + nonce prop; CSP removed from next.config.ts - #23: Active-session registry enforcement verified (already in codebase) - #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution) - #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created - #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures) Quality gates: tsc clean, api 1447/1447, web 189/189 passing. Turbo concurrency capped at 2 (package.json) to prevent OOM under parallel test runs. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:14:20 +02:00
parent 4901bc878b
commit bfdf0a82da
15 changed files with 1013 additions and 23 deletions
@@ -16,13 +16,26 @@ export async function signIn(page: Page, email: string, password: string) {
 }

 export async function signOut(page: Page) {
-  await page.goto("/auth/signout");
-  // Auth.js v5 renders a confirmation page at /auth/signout before signing out.
-  // Click the submit button if a form is present.
-  const confirmBtn = page.locator('button[type="submit"]').first();
-  if (await confirmBtn.isVisible({ timeout: 3000 }).catch(() => false)) {
-    await confirmBtn.click();
-  }
+  // next-auth/react signOut() POSTs to /auth/signout with a CSRF token.
+  // There is no GET-accessible signout page in this app (/auth/signout returns 404).
+  // Replicate what the client-side signOut() function does:
+  // 1. Fetch the CSRF token from /auth/csrf
+  // 2. POST to /auth/signout with that token
+  // 3. Follow the redirect to /auth/signin
+  await page.goto("/dashboard"); // land on any authenticated page for cookie context
+  await page.evaluate(async () => {
+    const csrfRes = await fetch("/api/auth/csrf");
+    const { csrfToken } = await csrfRes.json() as { csrfToken: string };
+    await fetch("/api/auth/signout", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ csrfToken, callbackUrl: "/auth/signin", json: "true" }),
+      redirect: "follow",
+    });
+  });
+  // After the POST clears the session cookie, navigating to a protected route
+  // should redirect to sign-in.
+  await page.goto("/dashboard");
  await page.waitForURL(/\/auth\/signin/, { timeout: 10000 });
 }

@@ -0,0 +1,239 @@
+/**
+ * RBAC data-access matrix — dev system
+ *
+ * Verifies that role-based access control is enforced at the network level
+ * (tRPC response payload) against the running dev server with real seed data.
+ *
+ * Unlike rbac-permissions.spec.ts (which checks UI visibility), these tests
+ * call tRPC procedures directly via fetch() inside the browser context and
+ * assert on HTTP status + tRPC error codes in the response body.
+ *
+ * All tests use pre-authenticated storage states — no signIn() calls, no
+ * auth rate limiter pressure. 3 logins total per suite run (from globalSetup).
+ *
+ * Tested procedures and their audience classes (docs/route-access-matrix.md):
+ *
+ *   user.list            → admin-only     (adminProcedure)
+ *   allocation.listView  → planning-read  (planningReadProcedure → VIEW_PLANNING)
+ *   resource.listSummaries → resource-overview (resourceOverviewProcedure)
+ *   user.listAssignable  → manager-write  (managerProcedure → ADMIN or MANAGER)
+ *
+ * Expected access matrix:
+ *
+ *   Procedure               ADMIN  MANAGER  VIEWER
+ *   user.list               ✓      FORBIDDEN FORBIDDEN
+ *   allocation.listView     ✓      ✓        FORBIDDEN
+ *   resource.listSummaries  ✓      ✓        FORBIDDEN
+ *   user.listAssignable     ✓      ✓        FORBIDDEN
+ */
+import { expect, test, type Page } from "@playwright/test";
+import { STORAGE_STATE } from "../../playwright.dev.config.js";
+
+// ---------------------------------------------------------------------------
+// Helper — call a tRPC query procedure directly from within the browser context
+// ---------------------------------------------------------------------------
+
+type TrpcQueryResult = {
+  httpStatus: number;
+  trpcCode: string | null;
+  hasData: boolean;
+};
+
+/**
+ * Runs a tRPC GET query inside the browser context (inherits the session cookie).
+ * Returns the HTTP status, the tRPC error code (null on success), and whether
+ * a non-null `result.data` was returned.
+ *
+ * tRPC v11 batch GET format:
+ *   /api/trpc/<proc>?batch=1&input={"0":{"json":<input>}}
+ * Success response:  [{"result":{"data":{"json": ...}}}]
+ * Error response:    [{"error":{"json":{"data":{"code":"FORBIDDEN","httpStatus":403}}}}]
+ */
+async function trpcQuery(
+  page: Page,
+  procedure: string,
+  input: unknown = null,
+): Promise<TrpcQueryResult> {
+  return page.evaluate(
+    async ({ procedure, input }) => {
+      const encodedInput = encodeURIComponent(
+        JSON.stringify({ "0": { json: input } }),
+      );
+      const url = `/api/trpc/${procedure}?batch=1&input=${encodedInput}`;
+      const res = await fetch(url, { credentials: "include" });
+      const httpStatus = res.status;
+
+      // tRPC v11 with no transformer: no extra .json wrapper around the payload.
+      // Error format: [{"error":{"message":"...","code":-32603,"data":{"code":"FORBIDDEN","httpStatus":403}}}]
+      // Success format: [{"result":{"data": <value>}}]
+      type TrpcBatchItem = {
+        result?: { data?: unknown };
+        error?: { data?: { code?: string }; message?: string };
+      };
+      const body = (await res.json()) as TrpcBatchItem[];
+      const item = body[0];
+      const trpcCode = item?.error?.data?.code ?? null;
+      const hasData =
+        item?.result?.data !== undefined && item.result.data !== null;
+
+      return { httpStatus, trpcCode, hasData } satisfies {
+        httpStatus: number;
+        trpcCode: string | null;
+        hasData: boolean;
+      };
+    },
+    { procedure, input },
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Admin — should have access to all procedures
+// ---------------------------------------------------------------------------
+
+test.describe("RBAC data-access — admin", () => {
+  test.use({ storageState: STORAGE_STATE.admin });
+
+  test("admin: user.list returns data (admin-only procedure)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "user.list");
+    expect(result.trpcCode).toBeNull();
+    expect(result.httpStatus).toBe(200);
+    expect(result.hasData).toBe(true);
+  });
+
+  test("admin: allocation.listView returns data (planning-read)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "allocation.listView", {});
+    expect(result.trpcCode).toBeNull();
+    expect(result.httpStatus).toBe(200);
+  });
+
+  test("admin: resource.listSummaries returns data (resource-overview)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "resource.listSummaries");
+    expect(result.trpcCode).toBeNull();
+    expect(result.httpStatus).toBe(200);
+  });
+
+  test("admin: user.listAssignable returns data (manager-write procedure)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "user.listAssignable");
+    expect(result.trpcCode).toBeNull();
+    expect(result.httpStatus).toBe(200);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Manager — FORBIDDEN on admin-only, allowed on planning-read/resource-overview/manager
+// ---------------------------------------------------------------------------
+
+test.describe("RBAC data-access — manager", () => {
+  test.use({ storageState: STORAGE_STATE.manager });
+
+  test("manager: user.list is FORBIDDEN (admin-only procedure)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "user.list");
+    expect(result.trpcCode).toBe("FORBIDDEN");
+  });
+
+  test("manager: allocation.listView returns data (planning-read)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "allocation.listView", {});
+    expect(result.trpcCode).toBeNull();
+    expect(result.httpStatus).toBe(200);
+  });
+
+  test("manager: resource.listSummaries returns data (resource-overview)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "resource.listSummaries");
+    expect(result.trpcCode).toBeNull();
+    expect(result.httpStatus).toBe(200);
+  });
+
+  test("manager: user.listAssignable returns data (manager-write procedure)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "user.listAssignable");
+    expect(result.trpcCode).toBeNull();
+    expect(result.httpStatus).toBe(200);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Viewer — FORBIDDEN on all sensitive procedures
+// ---------------------------------------------------------------------------
+
+test.describe("RBAC data-access — viewer", () => {
+  test.use({ storageState: STORAGE_STATE.viewer });
+
+  test("viewer: user.list is FORBIDDEN (admin-only procedure)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "user.list");
+    expect(result.trpcCode).toBe("FORBIDDEN");
+  });
+
+  test("viewer: allocation.listView is FORBIDDEN (planning-read — no VIEW_PLANNING)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "allocation.listView", {});
+    expect(result.trpcCode).toBe("FORBIDDEN");
+  });
+
+  test("viewer: resource.listSummaries is FORBIDDEN (resource-overview)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "resource.listSummaries");
+    expect(result.trpcCode).toBe("FORBIDDEN");
+  });
+
+  test("viewer: user.listAssignable is FORBIDDEN (manager-write procedure)", async ({
+    page,
+  }) => {
+    await page.goto("/dashboard");
+    await page.waitForLoadState("networkidle");
+
+    const result = await trpcQuery(page, "user.listAssignable");
+    expect(result.trpcCode).toBe("FORBIDDEN");
+  });
+});