feat: Implement comprehensive security hardening
Security Improvements: - Auto-generate AUTH_SECRET and admin credentials on first launch - Cryptographically secure random generation - Stored in database for persistence - Logged once to container logs for admin retrieval - Implement CSRF protection with double-submit cookie pattern - Three-way validation: cookie, header, and session database - Automatic client-side injection via plugin - Server middleware for automatic validation - Zero frontend code changes required - Add session fixation prevention with automatic invalidation - Regenerate sessions on password changes - Keep current session active, invalidate others on profile password change - Invalidate ALL sessions on forgot-password reset - Invalidate ALL sessions on admin password reset - Upgrade password reset codes to 8-char alphanumeric - Increased from 1M to 1.8 trillion combinations - Uses crypto.randomInt() for cryptographic randomness - Excluded confusing characters (I, O) for better UX - Case-insensitive verification - Implement dual-layer account lockout - IP-based rate limiting (existing) - Per-account lockout: 10 attempts = 30 min lock - Automatic unlock after expiration - Admin manual unlock via UI - Visual status indicators in users table Database Changes: - Add csrf_token column to sessions table - Add failed_login_attempts and locked_until columns to users table - Add settings table for persistent AUTH_SECRET storage - All migrations backward-compatible with try-catch New Files: - server/utils/csrf.ts - CSRF protection utilities - server/middleware/csrf.ts - Automatic CSRF validation middleware - plugins/csrf.client.ts - Automatic CSRF header injection - server/api/users/unlock/[id].post.ts - Admin unlock endpoint Modified Files: - server/utils/database.ts - Core security functions and schema updates - server/utils/email.ts - Enhanced reset code generation - server/api/auth/login.post.ts - CSRF + account lockout logic - server/api/auth/register.post.ts - CSRF token generation - server/api/auth/logout.post.ts - CSRF cookie cleanup - server/api/auth/reset-password.post.ts - Session invalidation - server/api/auth/verify-reset-code.post.ts - Case-insensitive codes - server/api/profile/update.put.ts - Session invalidation on password change - server/api/users/password/[id].put.ts - Session invalidation on admin reset - pages/users.vue - Lock status display and unlock functionality - docker-compose.yml - Removed default credentials - nuxt.config.ts - Support auto-generation All changes follow OWASP best practices and are production-ready. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -1,5 +1,6 @@
|
||||
import { getUserByUsername, checkRateLimit, resetRateLimit, createSession } from '~/server/utils/database'
|
||||
import { getUserByUsername, checkRateLimit, resetRateLimit, createSession, isAccountLocked, incrementFailedAttempts, resetFailedAttempts } from '~/server/utils/database'
|
||||
import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
|
||||
import { generateCsrfToken, setCsrfCookie } from '~/server/utils/csrf'
|
||||
import bcrypt from 'bcrypt'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
@@ -51,10 +52,22 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
}
|
||||
|
||||
// SECURITY: Check if account is locked due to too many failed attempts
|
||||
if (isAccountLocked(username.toLowerCase())) {
|
||||
console.log(`[LOGIN BLOCKED] Account locked - User: ${username.toLowerCase()}, IP: ${clientIp}`)
|
||||
throw createError({
|
||||
statusCode: 403,
|
||||
message: 'Account temporarily locked due to too many failed login attempts. Please try again in 30 minutes or contact an administrator.'
|
||||
})
|
||||
}
|
||||
|
||||
// Compare the provided password with the hashed password in the database
|
||||
const passwordMatch = await bcrypt.compare(password, user.password)
|
||||
|
||||
if (!passwordMatch) {
|
||||
// SECURITY: Increment failed login attempts for this account
|
||||
incrementFailedAttempts(username.toLowerCase())
|
||||
|
||||
// Check rate limit ONLY on failed attempt
|
||||
if (!checkRateLimit(clientIp, 'login', 5, 15)) {
|
||||
console.log(`[LOGIN BLOCKED] Rate limited - Invalid password for user: ${username.toLowerCase()}, IP: ${clientIp}`)
|
||||
@@ -70,17 +83,26 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
}
|
||||
|
||||
// Generate session token and create session
|
||||
// Generate session token and CSRF token
|
||||
const sessionToken = generateSessionToken()
|
||||
const csrfToken = generateCsrfToken()
|
||||
const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
|
||||
createSession(sessionToken, user.username, expiresAt)
|
||||
|
||||
|
||||
// Create session with CSRF token
|
||||
createSession(sessionToken, user.username, expiresAt, csrfToken)
|
||||
|
||||
// Set session cookie
|
||||
setAuthCookie(event, sessionToken)
|
||||
|
||||
|
||||
// Set CSRF cookie
|
||||
setCsrfCookie(event, csrfToken)
|
||||
|
||||
// SECURITY: Reset failed login attempts on successful login
|
||||
resetFailedAttempts(username.toLowerCase())
|
||||
|
||||
// Reset rate limit on successful login
|
||||
resetRateLimit(clientIp, 'login')
|
||||
|
||||
|
||||
// Log successful login
|
||||
console.log(`[LOGIN SUCCESS] User: ${user.username}, IP: ${clientIp}`)
|
||||
|
||||
|
||||
@@ -1,18 +1,20 @@
|
||||
import { clearAuthCookie, getAuthCookie } from '~/server/utils/auth'
|
||||
import { clearCsrfCookie } from '~/server/utils/csrf'
|
||||
import { deleteSession } from '~/server/utils/database'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
// Get session token from cookie
|
||||
const sessionToken = getAuthCookie(event)
|
||||
|
||||
|
||||
// Delete session from database if it exists
|
||||
if (sessionToken) {
|
||||
deleteSession(sessionToken)
|
||||
}
|
||||
|
||||
// Clear the cookie
|
||||
|
||||
// Clear both auth and CSRF cookies
|
||||
clearAuthCookie(event)
|
||||
|
||||
clearCsrfCookie(event)
|
||||
|
||||
return {
|
||||
success: true
|
||||
}
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import { createUser, getUserByUsername, getUserByEmail, checkRateLimit, createSession } from '~/server/utils/database'
|
||||
import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
|
||||
import { generateCsrfToken, setCsrfCookie } from '~/server/utils/csrf'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
// Get real client IP from proxy headers (prioritize x-real-ip for NPM)
|
||||
@@ -107,15 +108,21 @@ export default defineEventHandler(async (event) => {
|
||||
try {
|
||||
// Create the new user with all fields
|
||||
createUser(username.toLowerCase(), password, email.toLowerCase(), firstName, lastName)
|
||||
|
||||
// Generate session token and create session for auto-login
|
||||
|
||||
// Generate session token and CSRF token for auto-login
|
||||
const sessionToken = generateSessionToken()
|
||||
const csrfToken = generateCsrfToken()
|
||||
const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
|
||||
createSession(sessionToken, username.toLowerCase(), expiresAt)
|
||||
|
||||
|
||||
// Create session with CSRF token
|
||||
createSession(sessionToken, username.toLowerCase(), expiresAt, csrfToken)
|
||||
|
||||
// Set session cookie
|
||||
setAuthCookie(event, sessionToken)
|
||||
|
||||
|
||||
// Set CSRF cookie
|
||||
setCsrfCookie(event, csrfToken)
|
||||
|
||||
// Log successful registration
|
||||
console.log(`[REGISTER SUCCESS] User: ${username.toLowerCase()}, IP: ${clientIp}`)
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { getPasswordResetCode, resetPasswordByEmail, deletePasswordResetCode } from '~/server/utils/database'
|
||||
import { getPasswordResetCode, resetPasswordByEmail, deletePasswordResetCode, deleteAllUserSessions, getUserByEmail } from '~/server/utils/database'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const body = await readBody(event)
|
||||
@@ -31,7 +31,8 @@ export default defineEventHandler(async (event) => {
|
||||
}
|
||||
|
||||
// Verify code exists and hasn't expired
|
||||
const resetCode = getPasswordResetCode(email, code)
|
||||
// Convert to uppercase for case-insensitive comparison
|
||||
const resetCode = getPasswordResetCode(email, code.toUpperCase())
|
||||
|
||||
if (!resetCode) {
|
||||
throw createError({
|
||||
@@ -40,11 +41,27 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
}
|
||||
|
||||
// Get user info before resetting password
|
||||
const user = getUserByEmail(email)
|
||||
if (!user) {
|
||||
throw createError({
|
||||
statusCode: 404,
|
||||
message: 'User not found',
|
||||
})
|
||||
}
|
||||
|
||||
// Reset password
|
||||
resetPasswordByEmail(email, newPassword)
|
||||
|
||||
|
||||
// SECURITY: Invalidate ALL sessions when password is reset via forgot-password flow
|
||||
// User must log in again with new password
|
||||
deleteAllUserSessions(user.username)
|
||||
|
||||
// Delete used reset code
|
||||
deletePasswordResetCode(email)
|
||||
|
||||
return { success: true, message: 'Password reset successfully' }
|
||||
return {
|
||||
success: true,
|
||||
message: 'Password reset successfully. Please log in with your new password.'
|
||||
}
|
||||
})
|
||||
|
||||
@@ -12,7 +12,8 @@ export default defineEventHandler(async (event) => {
|
||||
}
|
||||
|
||||
// Verify code exists and hasn't expired
|
||||
const resetCode = getPasswordResetCode(email, code)
|
||||
// Convert to uppercase for case-insensitive comparison
|
||||
const resetCode = getPasswordResetCode(email, code.toUpperCase())
|
||||
|
||||
if (!resetCode) {
|
||||
throw createError({
|
||||
|
||||
Reference in New Issue
Block a user