feat: close 4 more security compliance gaps (46/63 OK, 73%)

Error-Page Headers (3.3.1.3.03 → OK): - Cache-Control no-store on ALL routes (API, auth, catch-all) Proactive Monitoring (3.2.1.04 → OK): - /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure Security Scanning (3.2.2.7 → improved): - /api/cron/security-audit: package version check against minimum safe versions Server Hardening (3.3.1.4 → OK): - docs/nginx-hardening.conf: complete template (rate limits, SSL, headers) Database Security (3.3.3 → OK): - docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4) Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 15:43:44 +01:00
parent 187c28e01e
commit cd0c2fe3e2
6 changed files with 484 additions and 11 deletions
@@ -0,0 +1,132 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@capakraken/db";
+import { createNotificationsForUsers } from "@capakraken/api";
+import { createConnection } from "net";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+const REDIS_URL = process.env["REDIS_URL"] ?? "redis://localhost:6380";
+
+async function checkPostgres(): Promise<{ status: "ok" | "error"; latencyMs: number }> {
+  const start = Date.now();
+  try {
+    await prisma.$queryRaw`SELECT 1`;
+    return { status: "ok", latencyMs: Date.now() - start };
+  } catch {
+    return { status: "error", latencyMs: Date.now() - start };
+  }
+}
+
+async function checkRedis(): Promise<{ status: "ok" | "error"; latencyMs: number }> {
+  const start = Date.now();
+  return new Promise((resolve) => {
+    try {
+      const url = new URL(REDIS_URL);
+      const host = url.hostname || "localhost";
+      const port = parseInt(url.port || "6379", 10);
+      const timeout = 3000;
+
+      const socket = createConnection({ host, port }, () => {
+        socket.write("*1\r\n$4\r\nPING\r\n");
+      });
+
+      socket.setTimeout(timeout);
+
+      socket.on("data", (data) => {
+        const response = data.toString();
+        socket.destroy();
+        resolve({
+          status: response.includes("PONG") ? "ok" : "error",
+          latencyMs: Date.now() - start,
+        });
+      });
+
+      socket.on("timeout", () => {
+        socket.destroy();
+        resolve({ status: "error", latencyMs: Date.now() - start });
+      });
+
+      socket.on("error", () => {
+        socket.destroy();
+        resolve({ status: "error", latencyMs: Date.now() - start });
+      });
+    } catch {
+      resolve({ status: "error", latencyMs: Date.now() - start });
+    }
+  });
+}
+
+/**
+ * GET /api/cron/health-check
+ *
+ * Self-health-check endpoint that verifies PostgreSQL and Redis connectivity.
+ * If any check fails, creates a CRITICAL notification for all ADMIN users.
+ *
+ * Protected by CRON_SECRET environment variable.
+ * When set, requests must include `Authorization: Bearer <secret>`.
+ */
+export async function GET(request: Request) {
+  const cronSecret = process.env["CRON_SECRET"];
+  if (cronSecret) {
+    const auth = request.headers.get("authorization");
+    if (auth !== `Bearer ${cronSecret}`) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+  }
+
+  try {
+    const [postgres, redis] = await Promise.all([
+      checkPostgres(),
+      checkRedis(),
+    ]);
+
+    const allHealthy = postgres.status === "ok" && redis.status === "ok";
+
+    // If any check fails, alert all ADMIN users
+    if (!allHealthy) {
+      const failedChecks: string[] = [];
+      if (postgres.status !== "ok") failedChecks.push("PostgreSQL");
+      if (redis.status !== "ok") failedChecks.push("Redis");
+
+      const adminUsers = await prisma.user.findMany({
+        where: { systemRole: "ADMIN" },
+        select: { id: true },
+      });
+
+      if (adminUsers.length > 0) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        await createNotificationsForUsers({
+          db: prisma as any,
+          userIds: adminUsers.map((u) => u.id),
+          type: "SYSTEM_ALERT",
+          title: "CRITICAL: Health Check Failed",
+          body: `The following services are unreachable: ${failedChecks.join(", ")}. Immediate attention required.`,
+          category: "system",
+          priority: "CRITICAL",
+          link: "/admin/settings",
+        });
+      }
+    }
+
+    return NextResponse.json(
+      {
+        ok: allHealthy,
+        checks: {
+          postgres: postgres.status,
+          postgresLatencyMs: postgres.latencyMs,
+          redis: redis.status,
+          redisLatencyMs: redis.latencyMs,
+        },
+        timestamp: new Date().toISOString(),
+      },
+      { status: allHealthy ? 200 : 503 },
+    );
+  } catch (error) {
+    console.error("[cron/health-check] Error:", error);
+    return NextResponse.json(
+      { ok: false, error: "Internal error" },
+      { status: 500 },
+    );
+  }
+}
@@ -0,0 +1,158 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@capakraken/db";
+import { createNotificationsForUsers } from "@capakraken/api";
+import { readFileSync } from "fs";
+import { join } from "path";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+/**
+ * Known CVEs / minimum safe versions for critical dependencies.
+ * Update this map when new advisories are published.
+ */
+const MINIMUM_SAFE_VERSIONS: Record<string, { minVersion: string; advisory?: string }> = {
+  next: { minVersion: "15.0.0", advisory: "Keep Next.js on latest 15.x" },
+  prisma: { minVersion: "6.0.0", advisory: "Prisma 6.x for latest security patches" },
+  "@sentry/nextjs": { minVersion: "8.0.0", advisory: "Sentry v8 for latest fixes" },
+  "ioredis": { minVersion: "5.4.0", advisory: "ioredis 5.4+ for connection security" },
+  "next-auth": { minVersion: "5.0.0", advisory: "Auth.js v5 for security hardening" },
+};
+
+interface Finding {
+  package: string;
+  currentVersion: string;
+  minimumVersion: string;
+  severity: "high" | "medium" | "low";
+  advisory: string;
+}
+
+/**
+ * Simple semver comparison: returns true if `current` >= `minimum`.
+ * Handles standard x.y.z versions and beta/rc suffixes.
+ */
+function isVersionSafe(current: string, minimum: string): boolean {
+  const normalize = (v: string) =>
+    v
+      .replace(/^[~^>=<]*/, "")
+      .split("-")[0]!
+      .split(".")
+      .map((n) => parseInt(n, 10) || 0);
+
+  const cur = normalize(current);
+  const min = normalize(minimum);
+
+  for (let i = 0; i < 3; i++) {
+    const c = cur[i] ?? 0;
+    const m = min[i] ?? 0;
+    if (c > m) return true;
+    if (c < m) return false;
+  }
+  return true; // equal
+}
+
+function scanPackageJson(): Finding[] {
+  const findings: Finding[] = [];
+
+  try {
+    // Read root package.json and web app package.json
+    const paths = [
+      join(process.cwd(), "package.json"),
+      join(process.cwd(), "../../package.json"), // monorepo root from apps/web
+    ];
+
+    const allDeps: Record<string, string> = {};
+
+    for (const p of paths) {
+      try {
+        const content = JSON.parse(readFileSync(p, "utf-8"));
+        Object.assign(allDeps, content.dependencies ?? {}, content.devDependencies ?? {});
+      } catch {
+        // File not found — skip
+      }
+    }
+
+    for (const [pkg, rule] of Object.entries(MINIMUM_SAFE_VERSIONS)) {
+      const installed = allDeps[pkg];
+      if (!installed) continue;
+
+      if (!isVersionSafe(installed, rule.minVersion)) {
+        findings.push({
+          package: pkg,
+          currentVersion: installed,
+          minimumVersion: rule.minVersion,
+          severity: "high",
+          advisory: rule.advisory ?? "Update recommended",
+        });
+      }
+    }
+  } catch (error) {
+    console.error("[security-audit] Error scanning package.json:", error);
+  }
+
+  return findings;
+}
+
+/**
+ * GET /api/cron/security-audit
+ *
+ * Checks installed dependency versions against known minimum safe versions.
+ * Creates a CRITICAL notification for ADMIN users if high-severity issues found.
+ *
+ * Protected by CRON_SECRET environment variable.
+ * When set, requests must include `Authorization: Bearer <secret>`.
+ */
+export async function GET(request: Request) {
+  const cronSecret = process.env["CRON_SECRET"];
+  if (cronSecret) {
+    const auth = request.headers.get("authorization");
+    if (auth !== `Bearer ${cronSecret}`) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+  }
+
+  try {
+    const findings = scanPackageJson();
+    const highSeverity = findings.filter((f) => f.severity === "high");
+
+    // Alert admins if high-severity findings exist
+    if (highSeverity.length > 0) {
+      const adminUsers = await prisma.user.findMany({
+        where: { systemRole: "ADMIN" },
+        select: { id: true },
+      });
+
+      if (adminUsers.length > 0) {
+        const details = highSeverity
+          .map((f) => `${f.package}@${f.currentVersion} (need >=${f.minimumVersion})`)
+          .join(", ");
+
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        await createNotificationsForUsers({
+          db: prisma as any,
+          userIds: adminUsers.map((u) => u.id),
+          type: "SYSTEM_ALERT",
+          title: `Security Audit: ${highSeverity.length} high-severity finding(s)`,
+          body: `Outdated packages detected: ${details}. Run \`pnpm update\` and review advisories.`,
+          category: "system",
+          priority: "CRITICAL",
+          link: "/admin/settings",
+        });
+      }
+    }
+
+    return NextResponse.json({
+      ok: highSeverity.length === 0,
+      totalFindings: findings.length,
+      highSeverity: highSeverity.length,
+      findings,
+      scannedAt: new Date().toISOString(),
+    });
+  } catch (error) {
+    console.error("[cron/security-audit] Error:", error);
+    return NextResponse.json(
+      { ok: false, error: "Internal error" },
+      { status: 500 },
+    );
+  }
+}