Nexus

Hartmut/Nexus

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	01c45d0344	security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56 ) Client-side validators (reset-password, invite-accept, first-admin setup, user-create modal) previously checked password.length < 8 while every server-side Zod schema required .min(12). External API consumers (or a confused browser UI) could get past the client check but fail at the tRPC boundary — or worse, quietly under-enforce policy compared to what admins expect. Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in @capakraken/shared and import them from every pre-submit client validator and every server Zod schema. Single source of truth; drift becomes a compile error rather than a security finding. Also hardens the AUTH_SECRET runtime check: in addition to the existing placeholder-blacklist, production startup now rejects secrets shorter than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which would have passed the previous checks. Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in docs/security-architecture.md §3. Verified: - pnpm test:unit — 396 files / 1922 tests passed - pnpm --filter @capakraken/web exec tsc --noEmit — clean - pnpm --filter @capakraken/api exec tsc --noEmit — clean Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-17 14:56:43 +02:00
Hartmut	805bb0464f	security(docker): remove hardcoded dev password, stop placeholder secrets leaking into migrator image (#50 ) - docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service and the app container's DATABASE_URL. No default — compose refuses to start without it, mirroring the existing PGADMIN_PASSWORD pattern. - Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into an inline env prefix on the `pnpm build` RUN step. Placeholders are still available to `next build` but no longer persist in the builder layer or in the published migrator image (which is FROM builder). - Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it. - .dockerignore: cover nested */.env, */.pem, */.key, /secrets/. - runtime-env.ts: add the CI build placeholder strings to the disallowed-secret set so a misconfigured prod deploy using the baked-in ARG defaults fails startup instead of silently running with a known-bad secret. - .env.example: document the new POSTGRES_PASSWORD requirement. - CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env (must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a dummy value in the E2E job where compose validates all services' interp. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-17 14:50:05 +02:00
Hartmut	a7362f17bd	refactor(config): enforce runtime auth secret policy	2026-03-30 23:40:00 +02:00

Author

SHA1

Message

Date

Hartmut

01c45d0344

security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56 )

Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-17 14:56:43 +02:00

Hartmut

805bb0464f

security(docker): remove hardcoded dev password, stop placeholder secrets leaking into migrator image (#50 )

- docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service
  and the app container's DATABASE_URL. No default — compose refuses to start
  without it, mirroring the existing PGADMIN_PASSWORD pattern.
- Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into
  an inline env prefix on the `pnpm build` RUN step. Placeholders are still
  available to `next build` but no longer persist in the builder layer or in
  the published migrator image (which is FROM builder).
- Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it.
- .dockerignore: cover nested **/.env*, **/*.pem, **/*.key, **/secrets/**.
- runtime-env.ts: add the CI build placeholder strings to the disallowed-secret
  set so a misconfigured prod deploy using the baked-in ARG defaults fails
  startup instead of silently running with a known-bad secret.
- .env.example: document the new POSTGRES_PASSWORD requirement.
- CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env
  (must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a
  dummy value in the E2E job where compose validates all services' interp.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-17 14:50:05 +02:00

Hartmut

a7362f17bd

refactor(config): enforce runtime auth secret policy

2026-03-30 23:40:00 +02:00

3 Commits