Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
01c45d0344946be07c967344c14ec3d95f20e375
Nexus/apps/web/src/server/runtime-env.ts
T
Hartmut 01c45d0344 security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56) 
Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 14:56:43 +02:00

111 lines
3.4 KiB
TypeScript
Raw Blame History

import { getDevBypassViolations } from "@capakraken/api/lib/runtime-security";
const DISALLOWED_PRODUCTION_SECRETS = new Set([
"dev-secret-change-in-production",
"changeme",
"change-me",
"default",
"secret",
"ci-build-placeholder-secret-minimum-32-chars",
"ci-test-secret-minimum-32-chars-xx",
]);
// A cryptographically generated secret (openssl rand -base64 32 / -hex 32)
// has ≥ 32 ASCII characters and high Shannon entropy (≥ 4 bits per char
// for base64, ≥ 4 for hex). Values below these thresholds are either
// too short to resist offline brute force of the JWT signature, or are
// low-entropy strings like "password1234567890123456789012345678" that
// pass a simple length check but are trivially guessable.
const MIN_AUTH_SECRET_LENGTH = 32;
const MIN_AUTH_SECRET_SHANNON_ENTROPY = 3.5;
function shannonEntropy(value: string): number {
if (value.length === 0) return 0;
const counts = new Map<string, number>();
for (const ch of value) {
counts.set(ch, (counts.get(ch) ?? 0) + 1);
}
let entropy = 0;
for (const count of counts.values()) {
const p = count / value.length;
entropy -= p * Math.log2(p);
}
return entropy;
}
type RuntimeEnv = Partial<Record<string, string | undefined>>;
function readEnvValue(env: RuntimeEnv, ...names: string[]): string | null {
for (const name of names) {
const value = env[name]?.trim();
if (value) {
return value;
}
}
return null;
}
function isProductionLike(env: RuntimeEnv): boolean {
return (env.NODE_ENV ?? "").trim() === "production";
}
function isLocalhost(hostname: string): boolean {
return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
}
export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[] {
if (!isProductionLike(env)) {
return [];
}
const violations: string[] = [];
const authSecret = readEnvValue(env, "AUTH_SECRET", "NEXTAUTH_SECRET");
const authUrl = readEnvValue(env, "AUTH_URL", "NEXTAUTH_URL");
if (!authSecret) {
violations.push("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
} else if (DISALLOWED_PRODUCTION_SECRETS.has(authSecret)) {
violations.push(
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
);
} else {
if (authSecret.length < MIN_AUTH_SECRET_LENGTH) {
violations.push(
`AUTH_SECRET or NEXTAUTH_SECRET must be at least ${MIN_AUTH_SECRET_LENGTH} characters in production.`,
);
}
if (shannonEntropy(authSecret) < MIN_AUTH_SECRET_SHANNON_ENTROPY) {
violations.push(
"AUTH_SECRET or NEXTAUTH_SECRET entropy is too low; generate with `openssl rand -base64 32`.",
);
}
}
violations.push(...getDevBypassViolations(env));
if (!authUrl) {
violations.push("AUTH_URL or NEXTAUTH_URL must be set in production.");
} else {
try {
const parsed = new URL(authUrl);
if (parsed.protocol !== "https:" && !isLocalhost(parsed.hostname)) {
violations.push("AUTH_URL or NEXTAUTH_URL must use https in production.");
}
} catch {
violations.push("AUTH_URL or NEXTAUTH_URL must be a valid URL in production.");
}
}
return violations;
}
export function assertSecureRuntimeEnv(env: RuntimeEnv = process.env): void {
const violations = getRuntimeEnvViolations(env);
if (violations.length === 0) {
return;
}
throw new Error(`Invalid production runtime configuration: ${violations.join(" ")}`);
}
Reference in New Issue View Git Blame Copy Permalink