security: fix 4 OWASP quick-wins from audit round 2

A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false" via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in non-test deployments. runtime-env.ts throws at startup if E2E_TEST_MODE=true in production. A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET is unset. Extracted shared verifyCronSecret() helper to apps/web/src/lib/cron-auth.ts. A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for constant-time Bearer token comparison. A10-1 (Medium): Slack webhook routing uses strict hostname check (parsedUrl.hostname === "hooks.slack.com") instead of .includes() to prevent bypass via subdomain confusion. Tickets created for remaining findings: #28 (TOTP rate limit), #29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin creds), #32 (MFA enforcement), #33 (auth anomaly alerting), #34 (comment server-side sanitization). Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:57:51 +02:00
parent 745be7ee8b
commit f8550110eb
8 changed files with 63 additions and 33 deletions
@@ -4,6 +4,7 @@ import { createNotificationsForUsers } from "@capakraken/api";
 import { logger } from "@capakraken/api/lib/logger";
 import { readFileSync } from "fs";
 import { join } from "path";
+import { verifyCronSecret } from "~/lib/cron-auth.js";

 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
@@ -104,13 +105,8 @@ function scanPackageJson(): Finding[] {
 * When set, requests must include `Authorization: Bearer <secret>`.
 */
 export async function GET(request: Request) {
-  const cronSecret = process.env["CRON_SECRET"];
-  if (cronSecret) {
-    const auth = request.headers.get("authorization");
-    if (auth !== `Bearer ${cronSecret}`) {
-      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-    }
-  }
+  const deny = verifyCronSecret(request);
+  if (deny) return deny;

  try {
    const findings = scanPackageJson();