akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

feat: add SMTP settings page and user management features

Browse Source 
- Added a new SMTP settings page with functionality to configure SMTP settings, test connections, and send test emails.
- Implemented user management page to list users, invite new users, and manage user permissions.
- Created modals for inviting users and editing user permissions.
- Added tests for the new SMTP settings and user management functionalities.
- Updated navigation to include links to the new SMTP settings and user management pages.
This commit is contained in:
GitHub Actions
2025-12-05 00:47:57 +00:00
parent d3c5196631
commit c06c2829a6
27 changed files with 6050 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
backend/internal/api/middleware/security.go Normal file
View File

@@ -0,0 +1,126 @@
package middleware
import (
"fmt"
"strings"
"github.com/gin-gonic/gin"
)
// SecurityHeadersConfig holds configuration for the security headers middleware.
type SecurityHeadersConfig struct {
// IsDevelopment enables less strict settings for local development
IsDevelopment bool
// CustomCSPDirectives allows adding extra CSP directives
CustomCSPDirectives map[string]string
}
// DefaultSecurityHeadersConfig returns a secure default configuration.
func DefaultSecurityHeadersConfig() SecurityHeadersConfig {
return SecurityHeadersConfig{
IsDevelopment: false,
CustomCSPDirectives: nil,
}
}
// SecurityHeaders returns middleware that sets security-related HTTP headers.
// This implements Phase 1 of the security hardening plan.
func SecurityHeaders(cfg SecurityHeadersConfig) gin.HandlerFunc {
return func(c *gin.Context) {
// Build Content-Security-Policy
csp := buildCSP(cfg)
c.Header("Content-Security-Policy", csp)
// Strict-Transport-Security (HSTS)
// max-age=31536000 = 1 year
// includeSubDomains ensures all subdomains also use HTTPS
// preload allows browser preload lists (requires submission to hstspreload.org)
if !cfg.IsDevelopment {
c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
}
// X-Frame-Options: Prevent clickjacking
// DENY prevents any framing; SAMEORIGIN would allow same-origin framing
c.Header("X-Frame-Options", "DENY")
// X-Content-Type-Options: Prevent MIME sniffing
c.Header("X-Content-Type-Options", "nosniff")
// X-XSS-Protection: Enable browser XSS filtering (legacy but still useful)
// mode=block tells browser to block the response if XSS is detected
c.Header("X-XSS-Protection", "1; mode=block")
// Referrer-Policy: Control referrer information sent with requests
// strict-origin-when-cross-origin sends full URL for same-origin, origin only for cross-origin
c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
// Permissions-Policy: Restrict browser features
// Disable features that aren't needed for security
c.Header("Permissions-Policy", buildPermissionsPolicy())
// Cross-Origin-Opener-Policy: Isolate browsing context
c.Header("Cross-Origin-Opener-Policy", "same-origin")
// Cross-Origin-Resource-Policy: Prevent cross-origin reads
c.Header("Cross-Origin-Resource-Policy", "same-origin")
// Cross-Origin-Embedder-Policy: Require CORP for cross-origin resources
// Note: This can break some external resources, use with caution
// c.Header("Cross-Origin-Embedder-Policy", "require-corp")
c.Next()
}
}
// buildCSP constructs the Content-Security-Policy header value.
func buildCSP(cfg SecurityHeadersConfig) string {
// Base CSP directives for a secure single-page application
directives := map[string]string{
"default-src": "'self'",
"script-src": "'self'",
"style-src": "'self' 'unsafe-inline'", // unsafe-inline needed for many CSS-in-JS solutions
"img-src": "'self' data: https:", // Allow HTTPS images and data URIs
"font-src": "'self' data:", // Allow self-hosted fonts and data URIs
"connect-src": "'self'", // API connections
"frame-src": "'none'", // No iframes
"object-src": "'none'", // No plugins (Flash, etc.)
"base-uri": "'self'", // Restrict base tag
"form-action": "'self'", // Restrict form submissions
}
// In development, allow more sources for hot reloading, etc.
if cfg.IsDevelopment {
directives["script-src"] = "'self' 'unsafe-inline' 'unsafe-eval'"
directives["connect-src"] = "'self' ws: wss:" // WebSocket for HMR
}
// Apply custom directives
for key, value := range cfg.CustomCSPDirectives {
directives[key] = value
}
// Build the CSP string
var parts []string
for directive, value := range directives {
parts = append(parts, fmt.Sprintf("%s %s", directive, value))
}
return strings.Join(parts, "; ")
}
// buildPermissionsPolicy constructs the Permissions-Policy header value.
func buildPermissionsPolicy() string {
// Disable features we don't need
policies := []string{
"accelerometer=()",
"camera=()",
"geolocation=()",
"gyroscope=()",
"magnetometer=()",
"microphone=()",
"payment=()",
"usb=()",
}
return strings.Join(policies, ", ")
}

182
backend/internal/api/middleware/security_test.go Normal file
View File

@@ -0,0 +1,182 @@
package middleware
import (
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/assert"
)
func TestSecurityHeaders(t *testing.T) {
gin.SetMode(gin.TestMode)
tests := []struct {
name string
isDevelopment bool
checkHeaders func(t *testing.T, resp *httptest.ResponseRecorder)
}{
{
name: "production mode sets HSTS",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
hsts := resp.Header().Get("Strict-Transport-Security")
assert.Contains(t, hsts, "max-age=31536000")
assert.Contains(t, hsts, "includeSubDomains")
assert.Contains(t, hsts, "preload")
},
},
{
name: "development mode skips HSTS",
isDevelopment: true,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
hsts := resp.Header().Get("Strict-Transport-Security")
assert.Empty(t, hsts)
},
},
{
name: "sets X-Frame-Options",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
assert.Equal(t, "DENY", resp.Header().Get("X-Frame-Options"))
},
},
{
name: "sets X-Content-Type-Options",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
assert.Equal(t, "nosniff", resp.Header().Get("X-Content-Type-Options"))
},
},
{
name: "sets X-XSS-Protection",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
assert.Equal(t, "1; mode=block", resp.Header().Get("X-XSS-Protection"))
},
},
{
name: "sets Referrer-Policy",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
assert.Equal(t, "strict-origin-when-cross-origin", resp.Header().Get("Referrer-Policy"))
},
},
{
name: "sets Content-Security-Policy",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
csp := resp.Header().Get("Content-Security-Policy")
assert.NotEmpty(t, csp)
assert.Contains(t, csp, "default-src")
},
},
{
name: "development mode CSP allows unsafe-eval",
isDevelopment: true,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
csp := resp.Header().Get("Content-Security-Policy")
assert.Contains(t, csp, "unsafe-eval")
},
},
{
name: "sets Permissions-Policy",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
pp := resp.Header().Get("Permissions-Policy")
assert.NotEmpty(t, pp)
assert.Contains(t, pp, "camera=()")
assert.Contains(t, pp, "microphone=()")
},
},
{
name: "sets Cross-Origin-Opener-Policy",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
assert.Equal(t, "same-origin", resp.Header().Get("Cross-Origin-Opener-Policy"))
},
},
{
name: "sets Cross-Origin-Resource-Policy",
isDevelopment: false,
checkHeaders: func(t *testing.T, resp *httptest.ResponseRecorder) {
assert.Equal(t, "same-origin", resp.Header().Get("Cross-Origin-Resource-Policy"))
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
router := gin.New()
router.Use(SecurityHeaders(SecurityHeadersConfig{
IsDevelopment: tt.isDevelopment,
}))
router.GET("/test", func(c *gin.Context) {
c.String(http.StatusOK, "OK")
})
req := httptest.NewRequest(http.MethodGet, "/test", nil)
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
assert.Equal(t, http.StatusOK, resp.Code)
tt.checkHeaders(t, resp)
})
}
}
func TestSecurityHeadersCustomCSP(t *testing.T) {
gin.SetMode(gin.TestMode)
router := gin.New()
router.Use(SecurityHeaders(SecurityHeadersConfig{
IsDevelopment: false,
CustomCSPDirectives: map[string]string{
"frame-src": "'self' https://trusted.com",
},
}))
router.GET("/test", func(c *gin.Context) {
c.String(http.StatusOK, "OK")
})
req := httptest.NewRequest(http.MethodGet, "/test", nil)
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
csp := resp.Header().Get("Content-Security-Policy")
assert.Contains(t, csp, "frame-src 'self' https://trusted.com")
}
func TestDefaultSecurityHeadersConfig(t *testing.T) {
cfg := DefaultSecurityHeadersConfig()
assert.False(t, cfg.IsDevelopment)
assert.Nil(t, cfg.CustomCSPDirectives)
}
func TestBuildCSP(t *testing.T) {
t.Run("production CSP", func(t *testing.T) {
csp := buildCSP(SecurityHeadersConfig{IsDevelopment: false})
assert.Contains(t, csp, "default-src 'self'")
assert.Contains(t, csp, "script-src 'self'")
assert.NotContains(t, csp, "unsafe-eval")
})
t.Run("development CSP", func(t *testing.T) {
csp := buildCSP(SecurityHeadersConfig{IsDevelopment: true})
assert.Contains(t, csp, "unsafe-eval")
assert.Contains(t, csp, "ws:")
})
}
func TestBuildPermissionsPolicy(t *testing.T) {
pp := buildPermissionsPolicy()
// Check that dangerous features are disabled
disabledFeatures := []string{"camera", "microphone", "geolocation", "payment"}
for _, feature := range disabledFeatures {
assert.True(t, strings.Contains(pp, feature+"=()"),
"Expected %s to be disabled in permissions policy", feature)
}
}