debd0d98fc
Fixes identified from full security audit covering auth, crypto, injection, infrastructure, and configuration security. Critical: - C1: Fail-closed on unrecognized NODE_ENV (prevent DEV_SECRET in staging) - C3: Validate API token expires_at (reject invalid dates that bypass expiry) High: - H1: Refresh JWT role from DB on each session (reflect demotions immediately) - H2: Docker socket proxy for l4-port-manager (restrict API surface) - H5: Block dangerous WAF custom directives (SecRuleEngine, SecAuditEngine) - H7: Require explicit NEXTAUTH_TRUST_HOST instead of always trusting Host - H8: Semantic validation of sync payload (block metadata SSRF, size limits) Medium: - M3: Rate limit password change current-password verification - M5: Parameterized SQL in log/waf parsers (replace template literals) - M6: Nonce-based CSP replacing unsafe-inline for script-src - M9: Strip Caddy placeholders from rewrite path_prefix - M10: Sanitize authentik outpostDomain (path traversal, placeholders) - M14: Deny access on missing JWT role instead of defaulting to "user" Low: - L1: Require Origin header on mutating session-authenticated requests - L4: Enforce password complexity on user password changes - L5: Time-limited legacy SHA-256 key fallback (grace period until 2026-06-01) - L6: Escape LIKE metacharacters in audit log search - L7: Runtime-validate WAF excluded_rule_ids as positive integers Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
111 lines
3.6 KiB
TypeScript
111 lines
3.6 KiB
TypeScript
import { NextRequest, NextResponse } from "next/server";
|
|
import { auth, checkSameOrigin } from "@/src/lib/auth";
|
|
import { getUserById, updateUserPassword } from "@/src/lib/models/user";
|
|
import { createAuditEvent } from "@/src/lib/models/audit";
|
|
import { isRateLimited, registerFailedAttempt, resetAttempts } from "@/src/lib/rate-limit";
|
|
import bcrypt from "bcryptjs";
|
|
|
|
export async function POST(request: NextRequest) {
|
|
const originCheck = checkSameOrigin(request);
|
|
if (originCheck) return originCheck;
|
|
|
|
try {
|
|
const session = await auth();
|
|
if (!session?.user?.id) {
|
|
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
|
}
|
|
|
|
// M3: Rate limit password change attempts to prevent brute-forcing current password
|
|
const rateLimitKey = `password-change:${session.user.id}`;
|
|
const rateCheck = isRateLimited(rateLimitKey);
|
|
if (rateCheck.blocked) {
|
|
return NextResponse.json(
|
|
{ error: "Too many attempts. Please try again later." },
|
|
{ status: 429, headers: rateCheck.retryAfterMs ? { "Retry-After": String(Math.ceil(rateCheck.retryAfterMs / 1000)) } : undefined }
|
|
);
|
|
}
|
|
|
|
const body = await request.json();
|
|
const { currentPassword, newPassword } = body;
|
|
|
|
// L4: Enforce password complexity matching production admin password requirements
|
|
if (!newPassword || newPassword.length < 12) {
|
|
return NextResponse.json(
|
|
{ error: "New password must be at least 12 characters long" },
|
|
{ status: 400 }
|
|
);
|
|
}
|
|
const complexityErrors: string[] = [];
|
|
if (!/[A-Z]/.test(newPassword) || !/[a-z]/.test(newPassword)) {
|
|
complexityErrors.push("must include both uppercase and lowercase letters");
|
|
}
|
|
if (!/[0-9]/.test(newPassword)) {
|
|
complexityErrors.push("must include at least one number");
|
|
}
|
|
if (!/[^A-Za-z0-9]/.test(newPassword)) {
|
|
complexityErrors.push("must include at least one special character");
|
|
}
|
|
if (complexityErrors.length > 0) {
|
|
return NextResponse.json(
|
|
{ error: `Password ${complexityErrors.join(", ")}` },
|
|
{ status: 400 }
|
|
);
|
|
}
|
|
|
|
const userId = Number(session.user.id);
|
|
const user = await getUserById(userId);
|
|
|
|
if (!user) {
|
|
return NextResponse.json({ error: "User not found" }, { status: 404 });
|
|
}
|
|
|
|
// If user has a password, verify current password
|
|
if (user.password_hash) {
|
|
if (!currentPassword) {
|
|
return NextResponse.json(
|
|
{ error: "Current password is required" },
|
|
{ status: 400 }
|
|
);
|
|
}
|
|
|
|
const isValid = bcrypt.compareSync(currentPassword, user.password_hash);
|
|
if (!isValid) {
|
|
registerFailedAttempt(rateLimitKey);
|
|
return NextResponse.json(
|
|
{ error: "Current password is incorrect" },
|
|
{ status: 401 }
|
|
);
|
|
}
|
|
}
|
|
|
|
// Password verified successfully — reset rate limit counter
|
|
resetAttempts(rateLimitKey);
|
|
|
|
// Hash new password
|
|
const newPasswordHash = bcrypt.hashSync(newPassword, 12);
|
|
|
|
// Update password
|
|
await updateUserPassword(userId, newPasswordHash);
|
|
|
|
// Audit log
|
|
await createAuditEvent({
|
|
userId,
|
|
action: user.password_hash ? "password_changed" : "password_set",
|
|
entityType: "user",
|
|
entityId: userId,
|
|
summary: user.password_hash ? "User changed their password" : "User set a password",
|
|
});
|
|
|
|
return NextResponse.json({
|
|
success: true,
|
|
message: "Password updated successfully"
|
|
});
|
|
} catch (error) {
|
|
console.error("Password change error:", error);
|
|
return NextResponse.json(
|
|
{ error: "Failed to change password" },
|
|
{ status: 500 }
|
|
);
|
|
}
|
|
}
|