Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
9051ff73d00eefca4626b586ec4365e7fcfbb8ef
CapaKraken/apps/web/src/app/api/cron/security-audit/route.ts
T
Hartmut 9051ff73d0 fix(types): replace structural DB types with Pick<PrismaClient> and remove Prisma boundary as any casts 
Replace ~440 lines of hand-written structural DB client types across 7 lib files
with `Pick<PrismaClient, ...>` from @capakraken/db. This eliminates all `as any`
casts at Prisma boundaries (cron routes, allocation effects, vacation procedures)
and surfaces two pre-existing bugs:
- weekly-digest.ts: `db.allocation.count()` called non-existent model (fixed → demandRequirement)
- estimate-reminders.ts: `submittedAt` field doesn't exist on EstimateVersion (fixed → updatedAt)

Also adds root eslint.config.mjs so lint-staged can lint package files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 15:09:16 +02:00

155 lines
4.7 KiB
TypeScript
Raw Blame History

import { NextResponse } from "next/server";
import { prisma } from "@capakraken/db";
import { createNotificationsForUsers } from "@capakraken/api";
import { logger } from "@capakraken/api/lib/logger";
import { readFileSync } from "fs";
import { join } from "path";
import { verifyCronSecret } from "~/lib/cron-auth.js";
export const dynamic = "force-dynamic";
export const runtime = "nodejs";
/**
* Known CVEs / minimum safe versions for critical dependencies.
* Update this map when new advisories are published.
*/
const MINIMUM_SAFE_VERSIONS: Record<string, { minVersion: string; advisory?: string }> = {
next: { minVersion: "15.0.0", advisory: "Keep Next.js on latest 15.x" },
prisma: { minVersion: "6.0.0", advisory: "Prisma 6.x for latest security patches" },
"@sentry/nextjs": { minVersion: "8.0.0", advisory: "Sentry v8 for latest fixes" },
ioredis: { minVersion: "5.4.0", advisory: "ioredis 5.4+ for connection security" },
"next-auth": { minVersion: "5.0.0", advisory: "Auth.js v5 for security hardening" },
};
interface Finding {
package: string;
currentVersion: string;
minimumVersion: string;
severity: "high" | "medium" | "low";
advisory: string;
}
/**
* Simple semver comparison: returns true if `current` >= `minimum`.
* Handles standard x.y.z versions and beta/rc suffixes.
*/
function isVersionSafe(current: string, minimum: string): boolean {
const normalize = (v: string) =>
v
.replace(/^[~^>=<]*/, "")
.split("-")[0]!
.split(".")
.map((n) => parseInt(n, 10) || 0);
const cur = normalize(current);
const min = normalize(minimum);
for (let i = 0; i < 3; i++) {
const c = cur[i] ?? 0;
const m = min[i] ?? 0;
if (c > m) return true;
if (c < m) return false;
}
return true; // equal
}
function scanPackageJson(): Finding[] {
const findings: Finding[] = [];
try {
// Read root package.json and web app package.json
const paths = [
join(process.cwd(), "package.json"),
join(process.cwd(), "../../package.json"), // monorepo root from apps/web
];
const allDeps: Record<string, string> = {};
for (const p of paths) {
try {
const content = JSON.parse(readFileSync(p, "utf-8"));
Object.assign(allDeps, content.dependencies ?? {}, content.devDependencies ?? {});
} catch {
// File not found — skip
}
}
for (const [pkg, rule] of Object.entries(MINIMUM_SAFE_VERSIONS)) {
const installed = allDeps[pkg];
if (!installed) continue;
if (!isVersionSafe(installed, rule.minVersion)) {
findings.push({
package: pkg,
currentVersion: installed,
minimumVersion: rule.minVersion,
severity: "high",
advisory: rule.advisory ?? "Update recommended",
});
}
}
} catch (error) {
logger.error(
{ error, route: "/api/cron/security-audit" },
"Failed to scan package manifests for security audit",
);
}
return findings;
}
/**
* GET /api/cron/security-audit
*
* Checks installed dependency versions against known minimum safe versions.
* Creates a CRITICAL notification for ADMIN users if high-severity issues found.
*
* Protected by CRON_SECRET environment variable.
* When set, requests must include `Authorization: Bearer <secret>`.
*/
export async function GET(request: Request) {
const deny = verifyCronSecret(request);
if (deny) return deny;
try {
const findings = scanPackageJson();
const highSeverity = findings.filter((f) => f.severity === "high");
// Alert admins if high-severity findings exist
if (highSeverity.length > 0) {
const adminUsers = await prisma.user.findMany({
where: { systemRole: "ADMIN" },
select: { id: true },
});
if (adminUsers.length > 0) {
const details = highSeverity
.map((f) => `${f.package}@${f.currentVersion} (need >=${f.minimumVersion})`)
.join(", ");
await createNotificationsForUsers({
db: prisma,
userIds: adminUsers.map((u) => u.id),
type: "SYSTEM_ALERT",
title: `Security Audit: ${highSeverity.length} high-severity finding(s)`,
body: `Outdated packages detected: ${details}. Run \`pnpm update\` and review advisories.`,
category: "system",
priority: "CRITICAL",
link: "/admin/settings",
});
}
}
return NextResponse.json({
ok: highSeverity.length === 0,
totalFindings: findings.length,
highSeverity: highSeverity.length,
findings,
scannedAt: new Date().toISOString(),
});
} catch (error) {
logger.error({ error, route: "/api/cron/security-audit" }, "Security audit cron failed");
return NextResponse.json({ ok: false, error: "Internal error" }, { status: 500 });
}
}
Reference in New Issue View Git Blame Copy Permalink