security/platform: close audit findings #19–#26

Tests, CSP nonce middleware, SSRF guard, perf-route hardening, Docker env isolation, migration runbook, RBAC E2E coverage. Tickets resolved: - #19: MfaSetup.test.ts — static source tests confirming local QR rendering - #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix - #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed - #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests); layout.tsx async + nonce prop; CSP removed from next.config.ts - #23: Active-session registry enforcement verified (already in codebase) - #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution) - #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created - #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures) Quality gates: tsc clean, api 1447/1447, web 189/189 passing. Turbo concurrency capped at 2 (package.json) to prevent OOM under parallel test runs. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:14:20 +02:00
parent 4901bc878b
commit bfdf0a82da
15 changed files with 1013 additions and 23 deletions
@@ -0,0 +1,44 @@
+/**
+ * MfaSetup security contract tests
+ *
+ * These tests verify the static source of MfaSetup.tsx to ensure the TOTP
+ * secret and otpauth:// URI are never transmitted to an external QR-code
+ * rendering service.
+ *
+ * Static source analysis is intentionally used here rather than a full React
+ * render test because:
+ * - The vitest environment for apps/web is "node" (not jsdom).
+ * - The security property being asserted is structural (absence of external
+ *   URLs), not behavioural, making source-level assertion appropriate.
+ * - A render test would require a full React + browser environment and would
+ *   be fragile against irrelevant UI changes.
+ */
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { describe, expect, it } from "vitest";
+
+const SOURCE_PATH = resolve(__dirname, "./MfaSetup.tsx");
+const source = readFileSync(SOURCE_PATH, "utf-8");
+
+describe("MfaSetup — no external QR-code service", () => {
+  it("does not reference api.qrserver.com", () => {
+    expect(source).not.toMatch(/qrserver\.com/);
+  });
+
+  it("does not reference chart.googleapis.com", () => {
+    expect(source).not.toMatch(/chart\.googleapis\.com/);
+  });
+
+  it("does not reference any known external QR-generation service", () => {
+    // Guard against known external QR APIs and generic patterns
+    expect(source).not.toMatch(/https?:\/\/[^'"]*qr[^'"]*\.(com|io|dev)[^'"]*uri/i);
+  });
+
+  it("imports the local qrcode package for offline generation", () => {
+    expect(source).toMatch(/import\s+QRCode\s+from\s+['"]qrcode['"]/);
+  });
+
+  it("generates the QR code as a data URL (stays in-browser, no network request)", () => {
+    expect(source).toMatch(/QRCode\.toDataURL/);
+  });
+});