security: implement tickets #28-#35 + architecture decision #30

#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s), throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit exceeded + userId key isolation. #29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for USER/VIEWER, 200 for allowed roles + xlsx format). #31 - pgAdmin credentials moved out of docker-compose.yml into env vars; PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext exposure in committed files. #34 - Server-side HTML sanitization for comment bodies via stripHtml(): strips all tags + decodes safe entities before persistence; 16 unit tests covering passthrough, injection patterns, entity decoding. #35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users without TOTP enabled; user-scoped localStorage snooze (7 days); links to /account/security; accessibility role=alert; 7 structural unit tests. #33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window; CRITICAL notification to ADMINs; fail-closed via verifyCronSecret; 10 unit tests. #32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP signal if role is enforced but TOTP not set up; signin page redirects to /account/security?mfa_required=1; settings schema + view model updated; 11 unit tests. #30 - API keys architecture decision documented in LEARNINGS.md; no code written — product decision required before implementation. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 23:25:06 +02:00
parent f8550110eb
commit 435c871e1f
22 changed files with 1071 additions and 11 deletions
@@ -0,0 +1,205 @@
+/**
+ * Unit tests for GET /api/cron/auth-anomaly-check.
+ *
+ * Tests cover:
+ *   - CRON_SECRET enforcement (fail-closed, timing-safe)
+ *   - No anomalies below threshold
+ *   - HIGH_GLOBAL_FAILURE_RATE signal when global threshold breached
+ *   - CONCENTRATED_FAILURES signal when per-entity threshold breached
+ *   - Notifications sent to admins only when anomalies exist
+ *   - No admin notification when no anomalies
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { THRESHOLDS } from "./route.js";
+
+// ─── Prisma mock ─────────────────────────────────────────────────────────────
+const auditLogFindManyMock = vi.hoisted(() => vi.fn());
+const userFindManyMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@capakraken/db", () => ({
+  prisma: {
+    auditLog: { findMany: auditLogFindManyMock },
+    user: { findMany: userFindManyMock },
+  },
+}));
+
+// ─── createNotificationsForUsers mock ─────────────────────────────────────────
+const createNotificationsMock = vi.hoisted(() => vi.fn().mockResolvedValue(undefined));
+
+vi.mock("@capakraken/api", () => ({
+  createNotificationsForUsers: createNotificationsMock,
+}));
+
+vi.mock("@capakraken/api/lib/logger", () => ({
+  logger: { warn: vi.fn(), error: vi.fn(), info: vi.fn() },
+}));
+
+// ─── cron-auth mock ───────────────────────────────────────────────────────────
+const verifyCronSecretMock = vi.hoisted(() => vi.fn());
+
+vi.mock("~/lib/cron-auth.js", () => ({
+  verifyCronSecret: verifyCronSecretMock,
+}));
+
+// ─── helpers ──────────────────────────────────────────────────────────────────
+
+function makeFailureEvent(entityId = "user_1") {
+  return { entityId, summary: "Login failed — invalid password" };
+}
+
+function makeRequest() {
+  return new Request("http://localhost/api/cron/auth-anomaly-check", {
+    headers: { Authorization: "Bearer test-secret" },
+  });
+}
+
+// ─── import after mocks ───────────────────────────────────────────────────────
+// Route is imported lazily via dynamic import inside tests so that
+// vi.mock() hoisting is guaranteed to complete first.
+async function importRoute() {
+  const mod = await import("./route.js");
+  return mod;
+}
+
+// ─── tests ────────────────────────────────────────────────────────────────────
+
+describe("GET /api/cron/auth-anomaly-check — cron secret enforcement", () => {
+  beforeEach(() => { vi.clearAllMocks(); });
+
+  it("returns 401 when verifyCronSecret denies the request", async () => {
+    const { NextResponse } = await import("next/server");
+    verifyCronSecretMock.mockReturnValue(
+      NextResponse.json({ error: "Unauthorized" }, { status: 401 }),
+    );
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(401);
+  });
+
+  it("proceeds when verifyCronSecret returns null (allowed)", async () => {
+    verifyCronSecretMock.mockReturnValue(null);
+    auditLogFindManyMock.mockResolvedValue([]);
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(200);
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — no anomalies", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("returns ok:true with zero anomalies when failures are below thresholds", async () => {
+    // Spread failures across different entities so neither the global nor the
+    // per-entity threshold is breached.
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures - 1 }, (_, i) =>
+        makeFailureEvent(`user_${i}`),
+      ),
+    );
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { ok: boolean; anomalies: unknown[] };
+    expect(res.status).toBe(200);
+    expect(body.ok).toBe(true);
+    expect(body.anomalies).toHaveLength(0);
+  });
+
+  it("does not notify admins when no anomalies are found", async () => {
+    auditLogFindManyMock.mockResolvedValue([]);
+    const { GET } = await importRoute();
+    await GET(makeRequest());
+    expect(createNotificationsMock).not.toHaveBeenCalled();
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — HIGH_GLOBAL_FAILURE_RATE", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("detects HIGH_GLOBAL_FAILURE_RATE when total failures reach the threshold", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.globalFailures }, () => makeFailureEvent("user_x")),
+    );
+    userFindManyMock.mockResolvedValue([{ id: "admin_1" }]);
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { anomalies: Array<{ type: string }> };
+    expect(body.anomalies.some((a) => a.type === "HIGH_GLOBAL_FAILURE_RATE")).toBe(true);
+  });
+
+  it("notifies admins when HIGH_GLOBAL_FAILURE_RATE is detected", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.globalFailures }, () => makeFailureEvent("user_x")),
+    );
+    userFindManyMock.mockResolvedValue([{ id: "admin_1" }]);
+    const { GET } = await importRoute();
+    await GET(makeRequest());
+    expect(createNotificationsMock).toHaveBeenCalledOnce();
+    const call = createNotificationsMock.mock.calls[0]![0] as { userIds: string[]; priority: string };
+    expect(call.userIds).toContain("admin_1");
+    expect(call.priority).toBe("CRITICAL");
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — CONCENTRATED_FAILURES", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("detects CONCENTRATED_FAILURES when per-entity failures reach the threshold", async () => {
+    // One entity hits the per-entity threshold (but total stays below global)
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures }, () => makeFailureEvent("target_user")),
+    );
+    userFindManyMock.mockResolvedValue([{ id: "admin_1" }]);
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { anomalies: Array<{ type: string; entityId: string }> };
+    const concentrated = body.anomalies.find((a) => a.type === "CONCENTRATED_FAILURES");
+    expect(concentrated).toBeDefined();
+    expect(concentrated!.entityId).toBe("target_user");
+  });
+
+  it("does not flag an entity that is below the per-entity threshold", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures - 1 }, () => makeFailureEvent("target_user")),
+    );
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    const body = await res.json() as { anomalies: Array<{ type: string }> };
+    expect(body.anomalies.some((a) => a.type === "CONCENTRATED_FAILURES")).toBe(false);
+  });
+
+  it("does not notify when no admins exist", async () => {
+    auditLogFindManyMock.mockResolvedValue(
+      Array.from({ length: THRESHOLDS.perEntityFailures }, () => makeFailureEvent("target_user")),
+    );
+    userFindManyMock.mockResolvedValue([]); // no admins
+    const { GET } = await importRoute();
+    await GET(makeRequest());
+    expect(createNotificationsMock).not.toHaveBeenCalled();
+  });
+});
+
+describe("GET /api/cron/auth-anomaly-check — error handling", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    verifyCronSecretMock.mockReturnValue(null);
+  });
+
+  it("returns 500 when the DB query throws", async () => {
+    auditLogFindManyMock.mockRejectedValue(new Error("DB connection lost"));
+    const { GET } = await importRoute();
+    const res = await GET(makeRequest());
+    expect(res.status).toBe(500);
+    const body = await res.json() as { ok: boolean };
+    expect(body.ok).toBe(false);
+  });
+});