Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
2484eb9b9d44c1835f581d8348e7f13c1f96d6a9
Nexus/apps/web/src/server/auth.ts
T
Hartmut afabaa0b7a fix(security): prevent TOTP replay attacks and fix user enumeration in verifyTotp 
Adds lastTotpAt timestamp to User model. After a successful TOTP validation,
the timestamp is recorded. Any reuse of the same code within the 30-second
window is rejected as a replay attack.

verifyTotp now returns a single generic UNAUTHORIZED error regardless of
whether the user ID is invalid or TOTP is not enabled, preventing enumeration
of user IDs and MFA status.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 21:41:09 +02:00

314 lines
11 KiB
TypeScript
Raw Blame History

import { prisma } from "@capakraken/db";
import { authRateLimiter } from "@capakraken/api/middleware/rate-limit";
import { createAuditEntry } from "@capakraken/api/lib/audit";
import { logger } from "@capakraken/api/lib/logger";
import NextAuth, { type NextAuthConfig } from "next-auth";
import Credentials from "next-auth/providers/credentials";
import { CredentialsSignin } from "next-auth";
import { verify } from "@node-rs/argon2";
import { z } from "zod";
import { assertSecureRuntimeEnv } from "./runtime-env";
import { authConfig } from "./auth.config.js";
assertSecureRuntimeEnv();
// Auth.js v5: throw CredentialsSignin subclasses so the `code` is forwarded
// to the client via SignInResponse.code — plain Error throws become
// CallbackRouteError and the message is never visible to the client.
export class MfaRequiredError extends CredentialsSignin {
code = "MFA_REQUIRED" as const;
}
export class MfaRequiredSetupError extends CredentialsSignin {
code = "MFA_REQUIRED_SETUP" as const;
}
export class InvalidTotpError extends CredentialsSignin {
code = "INVALID_TOTP" as const;
}
const LoginSchema = z.object({
email: z.string().email(),
password: z.string().min(1),
totp: z.string().optional(),
});
const config = {
...authConfig,
trustHost: true,
providers: [
Credentials({
name: "credentials",
credentials: {
email: { label: "Email", type: "email" },
password: { label: "Password", type: "password" },
totp: { label: "TOTP", type: "text" },
},
async authorize(credentials) {
const parsed = LoginSchema.safeParse(credentials);
if (!parsed.success) return null;
const { email, password, totp } = parsed.data;
const isE2eTestMode = process.env["E2E_TEST_MODE"] === "true";
// Rate limit: 5 login attempts per 15 minutes per email
const rateLimitResult = isE2eTestMode
? { allowed: true }
: await authRateLimiter(email.toLowerCase());
if (!rateLimitResult.allowed) {
// Audit failed login (rate limited)
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: email.toLowerCase(),
entityName: email,
action: "CREATE",
summary: "Login blocked — rate limit exceeded",
source: "ui",
});
throw new Error("Too many login attempts. Please try again later.");
}
const user = await prisma.user.findUnique({ where: { email } });
if (!user?.passwordHash) {
logger.warn({ email, reason: "user_not_found" }, "Failed login attempt");
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: email.toLowerCase(),
entityName: email,
action: "CREATE",
summary: "Login failed — user not found",
source: "ui",
});
return null;
}
if (!user.isActive) {
logger.warn({ email, userId: user.id, reason: "account_deactivated" }, "Login blocked — account deactivated");
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: user.id,
entityName: user.email,
action: "CREATE",
userId: user.id,
summary: "Login blocked — account deactivated",
source: "ui",
});
return null;
}
const isValid = await verify(user.passwordHash, password);
if (!isValid) {
logger.warn({ email, reason: "invalid_password" }, "Failed login attempt");
// Audit failed login (bad password)
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: user.id,
entityName: user.email,
action: "CREATE",
userId: user.id,
summary: "Login failed — invalid password",
source: "ui",
});
return null;
}
// MFA check: if TOTP is enabled, require the token
if (user.totpEnabled && user.totpSecret) {
if (!totp) {
// Signal to the client that MFA is required (include userId for re-submission)
throw new MfaRequiredError();
}
const { TOTP, Secret } = await import("otpauth");
const totpInstance = new TOTP({
issuer: "CapaKraken",
label: user.email,
algorithm: "SHA1",
digits: 6,
period: 30,
secret: Secret.fromBase32(user.totpSecret),
});
const delta = totpInstance.validate({ token: totp, window: 1 });
if (delta === null) {
logger.warn({ email, reason: "invalid_totp" }, "Failed MFA verification");
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: user.id,
entityName: user.email,
action: "CREATE",
userId: user.id,
summary: "Login failed — invalid TOTP token",
source: "ui",
});
throw new InvalidTotpError();
}
// Replay-attack prevention: reject if the same 30-second window was already used
const userWithTotp = await prisma.user.findUnique({
where: { id: user.id },
select: { lastTotpAt: true },
}) as { lastTotpAt: Date | null } | null;
if (
userWithTotp?.lastTotpAt != null &&
Date.now() - userWithTotp.lastTotpAt.getTime() < 30_000
) {
logger.warn({ email, reason: "totp_replay" }, "TOTP replay attack blocked");
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: user.id,
entityName: user.email,
action: "CREATE",
userId: user.id,
summary: "Login failed — TOTP replay detected",
source: "ui",
});
throw new InvalidTotpError();
}
// Record successful TOTP use to prevent replay within the same window
await (prisma.user.update as Function)({
where: { id: user.id },
data: { lastTotpAt: new Date() },
});
}
// MFA enforcement: if the user's role is in requireMfaForRoles but they
// haven't set up TOTP yet, block login and signal setup requirement.
if (!user.totpEnabled) {
const settings = await prisma.systemSettings.findUnique({
where: { id: "singleton" },
select: { requireMfaForRoles: true },
});
const requireMfaForRoles = (settings?.requireMfaForRoles as string[] | null) ?? [];
if (requireMfaForRoles.includes(user.systemRole)) {
throw new MfaRequiredSetupError();
}
}
// Track last login time
await prisma.user.update({
where: { id: user.id },
data: { lastLoginAt: new Date() },
});
logger.info({ email, userId: user.id }, "Successful login");
// Audit successful login
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: user.id,
entityName: user.email,
action: "CREATE",
userId: user.id,
summary: "User logged in",
source: "ui",
});
return {
id: user.id,
email: user.email,
name: user.name,
role: user.systemRole,
};
},
}),
],
callbacks: {
async session({ session, token }) {
if (token.sub) {
session.user.id = token.sub;
}
if (token.role) {
(session.user as typeof session.user & { role: string }).role = token.role as string;
}
// Use token.sid (not token.jti) to avoid conflict with Auth.js's internal JWT ID claim
if (token.sid) {
(session.user as typeof session.user & { jti: string }).jti = token.sid as string;
}
return session;
},
async jwt({ token, user }) {
if (user) {
token.role = (user as typeof user & { role: string }).role;
// Generate a unique session ID for tracking.
// We use token.sid (not token.jti) because Auth.js manages token.jti
// internally and may overwrite it after the jwt callback returns.
const jti = crypto.randomUUID();
token.sid = jti;
// Skip active-session registration in E2E test mode.
// Test logins must not pollute the active_sessions table — doing so
// kicks real user sessions when the concurrent-session limit is reached.
const isE2eTestMode = process.env["E2E_TEST_MODE"] === "true";
if (isE2eTestMode) return token;
// Enforce concurrent session limit (kick-oldest strategy)
try {
const settings = await prisma.systemSettings.findUnique({
where: { id: "singleton" },
select: { maxConcurrentSessions: true },
});
const maxSessions = settings?.maxConcurrentSessions ?? 3;
// Register this new session
await prisma.activeSession.create({
data: { userId: user.id!, jti },
});
// Count active sessions and delete the oldest if over the limit
const activeSessions = await prisma.activeSession.findMany({
where: { userId: user.id! },
orderBy: { createdAt: "asc" },
select: { id: true },
});
if (activeSessions.length > maxSessions) {
const toDelete = activeSessions.slice(0, activeSessions.length - maxSessions);
await prisma.activeSession.deleteMany({
where: { id: { in: toDelete.map((s) => s.id) } },
});
logger.info({ userId: user.id, kicked: toDelete.length, maxSessions }, "Kicked oldest sessions");
}
} catch (err) {
// Non-blocking: don't prevent login if session tracking fails
logger.error({ err }, "Failed to enforce concurrent session limit");
}
}
return token;
},
},
events: {
async signOut(message) {
// Auth.js fires this event on sign-out; extract userId from the JWT token
const token = "token" in message ? message.token : null;
const userId = token?.sub ?? null;
const email = token?.email ?? "unknown";
const jti = (token?.sid ?? token?.jti) as string | undefined;
// Remove from active session registry
if (jti) {
void prisma.activeSession.delete({ where: { jti } }).catch(() => { /* already gone */ });
}
void createAuditEntry({
db: prisma,
entityType: "Auth",
entityId: userId ?? email,
entityName: email,
action: "DELETE",
...(userId ? { userId } : {}),
summary: "User logged out",
source: "ui",
});
},
},
} satisfies NextAuthConfig;
export const { handlers, auth } = NextAuth(config);
Reference in New Issue View Git Blame Copy Permalink