6 Commits

Author	SHA1	Message	Date
akanealw	99819b70ff	added caddy-proxy-manager for testing	2026-04-21 22:49:08 +00:00
fuomag9	3a16d6e9b1	Replace next-auth with Better Auth, migrate DB columns to camelCase ... - Replace next-auth v5 beta with better-auth v1.6.2 (stable releases) - Add multi-provider OAuth support with admin UI configuration - New oauthProviders table with encrypted secrets (AES-256-GCM) - Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable - OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers - Settings page "Authentication Providers" section for admin management - Account linking uses new accounts table (multi-provider per user) - Username plugin for credentials sign-in (replaces email@localhost pattern) - bcrypt password compatibility (existing hashes work) - Database-backed sessions via Kysely adapter (bun:sqlite direct) - Configurable rate limiting via AUTH_RATE_LIMIT_* env vars - All DB columns migrated from snake_case to camelCase - All TypeScript types/models migrated to camelCase properties - Removed casing: "snake_case" from Drizzle config - Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId} - package-lock.json removed and gitignored (using bun.lock) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-12 21:11:48 +02:00
fuomag9	b480c2cf5d	chore: remove finding-ID prefixes from code comments ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 12:51:39 +01:00
fuomag9	debd0d98fc	security: fix 17 vulnerabilities from comprehensive pentest ... Fixes identified from full security audit covering auth, crypto, injection, infrastructure, and configuration security. Critical: - C1: Fail-closed on unrecognized NODE_ENV (prevent DEV_SECRET in staging) - C3: Validate API token expires_at (reject invalid dates that bypass expiry) High: - H1: Refresh JWT role from DB on each session (reflect demotions immediately) - H2: Docker socket proxy for l4-port-manager (restrict API surface) - H5: Block dangerous WAF custom directives (SecRuleEngine, SecAuditEngine) - H7: Require explicit NEXTAUTH_TRUST_HOST instead of always trusting Host - H8: Semantic validation of sync payload (block metadata SSRF, size limits) Medium: - M3: Rate limit password change current-password verification - M5: Parameterized SQL in log/waf parsers (replace template literals) - M6: Nonce-based CSP replacing unsafe-inline for script-src - M9: Strip Caddy placeholders from rewrite path_prefix - M10: Sanitize authentik outpostDomain (path traversal, placeholders) - M14: Deny access on missing JWT role instead of defaulting to "user" Low: - L1: Require Origin header on mutating session-authenticated requests - L4: Enforce password complexity on user password changes - L5: Time-limited legacy SHA-256 key fallback (grace period until 2026-06-01) - L6: Escape LIKE metacharacters in audit log search - L7: Runtime-validate WAF excluded_rule_ids as positive integers Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 12:14:44 +01:00
fuomag9	bdd3019214	security: add same-origin CSRF check to state-changing user API routes ... Adds checkSameOrigin() helper in auth.ts that validates the Origin header against the Host header. If Origin is present and mismatched, returns 403. Applied to all 5 custom POST routes flagged in CPM-003 (NEXT-CSRF-001): - change-password, link-oauth-start, unlink-oauth, update-avatar, logout SameSite=Lax (NextAuth default) already blocks standard cross-site CSRF; this adds defense-in-depth against subdomain and misconfiguration scenarios. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-05 01:04:18 +01:00
fuomag9	be21f46ad5	Added user tab and oauth2, streamlined readme	2025-12-28 15:14:56 +01:00