security: fix 4 OWASP quick-wins from audit round 2

A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false" via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in non-test deployments. runtime-env.ts throws at startup if E2E_TEST_MODE=true in production. A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET is unset. Extracted shared verifyCronSecret() helper to apps/web/src/lib/cron-auth.ts. A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for constant-time Bearer token comparison. A10-1 (Medium): Slack webhook routing uses strict hostname check (parsedUrl.hostname === "hooks.slack.com") instead of .includes() to prevent bypass via subdomain confusion. Tickets created for remaining findings: #28 (TOTP rate limit), #29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin creds), #32 (MFA enforcement), #33 (auth anomaly alerting), #34 (comment server-side sanitization). Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:57:51 +02:00
parent 745be7ee8b
commit f8550110eb
8 changed files with 63 additions and 33 deletions
@@ -42,6 +42,10 @@ export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[]
    violations.push("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
  }

+  if ((env.E2E_TEST_MODE ?? "").trim() === "true") {
+    violations.push("E2E_TEST_MODE must not be 'true' in production — it disables all rate limiting and session controls.");
+  }
+
  if (!authUrl) {
    violations.push("AUTH_URL or NEXTAUTH_URL must be set in production.");
  } else {