security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)
Client-side validators (reset-password, invite-accept, first-admin setup, user-create modal) previously checked password.length < 8 while every server-side Zod schema required .min(12). External API consumers (or a confused browser UI) could get past the client check but fail at the tRPC boundary — or worse, quietly under-enforce policy compared to what admins expect. Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in @capakraken/shared and import them from every pre-submit client validator and every server Zod schema. Single source of truth; drift becomes a compile error rather than a security finding. Also hardens the AUTH_SECRET runtime check: in addition to the existing placeholder-blacklist, production startup now rejects secrets shorter than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which would have passed the previous checks. Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in docs/security-architecture.md §3. Verified: - pnpm test:unit — 396 files / 1922 tests passed - pnpm --filter @capakraken/web exec tsc --noEmit — clean - pnpm --filter @capakraken/api exec tsc --noEmit — clean Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -10,7 +10,7 @@ describe("runtime env validation", () => {
|
||||
expect(
|
||||
getRuntimeEnvViolations({
|
||||
NODE_ENV: "production",
|
||||
NEXTAUTH_SECRET: "super-long-random-secret",
|
||||
NEXTAUTH_SECRET: "super-long-random-secret-with-enough-entropy-abc123",
|
||||
NEXTAUTH_URL: "https://capakraken.example.com",
|
||||
}),
|
||||
).toEqual([]);
|
||||
@@ -49,11 +49,33 @@ describe("runtime env validation", () => {
|
||||
);
|
||||
});
|
||||
|
||||
it("rejects an auth secret shorter than the minimum length in production", () => {
|
||||
expect(
|
||||
getRuntimeEnvViolations({
|
||||
NODE_ENV: "production",
|
||||
NEXTAUTH_SECRET: "short-but-random-xyz", // 20 chars
|
||||
NEXTAUTH_URL: "https://capakraken.example.com",
|
||||
}),
|
||||
).toContain("AUTH_SECRET or NEXTAUTH_SECRET must be at least 32 characters in production.");
|
||||
});
|
||||
|
||||
it("rejects a long-but-low-entropy auth secret in production", () => {
|
||||
expect(
|
||||
getRuntimeEnvViolations({
|
||||
NODE_ENV: "production",
|
||||
NEXTAUTH_SECRET: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 38 a's
|
||||
NEXTAUTH_URL: "https://capakraken.example.com",
|
||||
}),
|
||||
).toContain(
|
||||
"AUTH_SECRET or NEXTAUTH_SECRET entropy is too low; generate with `openssl rand -base64 32`.",
|
||||
);
|
||||
});
|
||||
|
||||
it("rejects non-https auth urls in production", () => {
|
||||
expect(
|
||||
getRuntimeEnvViolations({
|
||||
NODE_ENV: "production",
|
||||
NEXTAUTH_SECRET: "super-long-random-secret",
|
||||
NEXTAUTH_SECRET: "super-long-random-secret-with-enough-entropy-abc123",
|
||||
NEXTAUTH_URL: "http://capakraken.example.com",
|
||||
}),
|
||||
).toContain("AUTH_URL or NEXTAUTH_URL must use https in production.");
|
||||
|
||||
@@ -10,6 +10,29 @@ const DISALLOWED_PRODUCTION_SECRETS = new Set([
|
||||
"ci-test-secret-minimum-32-chars-xx",
|
||||
]);
|
||||
|
||||
// A cryptographically generated secret (openssl rand -base64 32 / -hex 32)
|
||||
// has ≥ 32 ASCII characters and high Shannon entropy (≥ 4 bits per char
|
||||
// for base64, ≥ 4 for hex). Values below these thresholds are either
|
||||
// too short to resist offline brute force of the JWT signature, or are
|
||||
// low-entropy strings like "password1234567890123456789012345678" that
|
||||
// pass a simple length check but are trivially guessable.
|
||||
const MIN_AUTH_SECRET_LENGTH = 32;
|
||||
const MIN_AUTH_SECRET_SHANNON_ENTROPY = 3.5;
|
||||
|
||||
function shannonEntropy(value: string): number {
|
||||
if (value.length === 0) return 0;
|
||||
const counts = new Map<string, number>();
|
||||
for (const ch of value) {
|
||||
counts.set(ch, (counts.get(ch) ?? 0) + 1);
|
||||
}
|
||||
let entropy = 0;
|
||||
for (const count of counts.values()) {
|
||||
const p = count / value.length;
|
||||
entropy -= p * Math.log2(p);
|
||||
}
|
||||
return entropy;
|
||||
}
|
||||
|
||||
type RuntimeEnv = Partial<Record<string, string | undefined>>;
|
||||
|
||||
function readEnvValue(env: RuntimeEnv, ...names: string[]): string | null {
|
||||
@@ -46,6 +69,17 @@ export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[]
|
||||
violations.push(
|
||||
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
|
||||
);
|
||||
} else {
|
||||
if (authSecret.length < MIN_AUTH_SECRET_LENGTH) {
|
||||
violations.push(
|
||||
`AUTH_SECRET or NEXTAUTH_SECRET must be at least ${MIN_AUTH_SECRET_LENGTH} characters in production.`,
|
||||
);
|
||||
}
|
||||
if (shannonEntropy(authSecret) < MIN_AUTH_SECRET_SHANNON_ENTROPY) {
|
||||
violations.push(
|
||||
"AUTH_SECRET or NEXTAUTH_SECRET entropy is too low; generate with `openssl rand -base64 32`.",
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
violations.push(...getDevBypassViolations(env));
|
||||
|
||||
Reference in New Issue
Block a user