CapaKraken

Hartmut/CapaKraken

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	97cfd0ed90	fix(security): raise password minimum to 12 chars, hide raw error messages, add audit script - Password validation: min(8) → min(12) across auth.ts, user-procedure-support.ts, and invite.ts (aligns with NIST SP 800-63B modern recommendations) - Error boundary: stop rendering raw error.message which could leak internal details; always show the generic fallback text - Add `pnpm audit` script (--audit-level=high) for dependency vulnerability scanning Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-09 21:48:51 +02:00
Hartmut	df191d1e03	fix(security): rate-limit public invite and password-reset endpoints - requestPasswordReset: rate-limited by email (authRateLimiter, 5/15 min) to prevent email bombing - resetPassword: rate-limited by token to add explicit brute-force defence - getInvite + acceptInvite: rate-limited by invite token (authRateLimiter) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-09 21:38:08 +02:00
Hartmut	dc5bbdc47d	feat: centralize app base URL — no localhost fallback in production Introduce getAppBaseUrl() in packages/api/src/lib/app-base-url.ts: - Reads NEXTAUTH_URL (trimmed, trailing slash stripped) - production: throws if NEXTAUTH_URL is missing/empty so broken localhost links in emails are caught at runtime, not silently sent - development/test: falls back to http://localhost:3100 with a one-time console.warn Replace the duplicated inline fallback in: - packages/api/src/router/invite.ts (invite email link) - packages/api/src/router/auth.ts (password reset email link) Extend GET /api/health to report: "baseUrl": { "configured": bool, "isLocalhost": bool } so deployment checks can detect a misconfigured NEXTAUTH_URL. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-04-02 14:19:19 +02:00

Author

SHA1

Message

Date

Hartmut

97cfd0ed90

fix(security): raise password minimum to 12 chars, hide raw error messages, add audit script

- Password validation: min(8) → min(12) across auth.ts, user-procedure-support.ts,
  and invite.ts (aligns with NIST SP 800-63B modern recommendations)
- Error boundary: stop rendering raw error.message which could leak internal
  details; always show the generic fallback text
- Add `pnpm audit` script (--audit-level=high) for dependency vulnerability scanning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-09 21:48:51 +02:00

Hartmut

df191d1e03

fix(security): rate-limit public invite and password-reset endpoints

- requestPasswordReset: rate-limited by email (authRateLimiter, 5/15 min)
  to prevent email bombing
- resetPassword: rate-limited by token to add explicit brute-force defence
- getInvite + acceptInvite: rate-limited by invite token (authRateLimiter)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-09 21:38:08 +02:00

Hartmut

dc5bbdc47d

feat: centralize app base URL — no localhost fallback in production

Introduce getAppBaseUrl() in packages/api/src/lib/app-base-url.ts:
- Reads NEXTAUTH_URL (trimmed, trailing slash stripped)
- production: throws if NEXTAUTH_URL is missing/empty so broken
  localhost links in emails are caught at runtime, not silently sent
- development/test: falls back to http://localhost:3100 with a
  one-time console.warn

Replace the duplicated inline fallback in:
- packages/api/src/router/invite.ts (invite email link)
- packages/api/src/router/auth.ts (password reset email link)

Extend GET /api/health to report:
  "baseUrl": { "configured": bool, "isLocalhost": bool }
so deployment checks can detect a misconfigured NEXTAUTH_URL.

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-04-02 14:19:19 +02:00

3 Commits