feat(security): address findings from v2 security assessment
- L2: Add server_tokens off to nginx configs to hide version
- M1: Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy headers to all nginx routes
- L3: Add global NoCacheInterceptor (Cache-Control: no-store) on all API responses to prevent caching of sensitive financial data
- C1: Disable open registration by default (ALLOW_OPEN_REGISTRATION env)
- H3: Add logout endpoint with correct HTTP 200 status code
- M2: Implement full password reset flow (forgot-password, reset-password, change-password) with hashed tokens, 15-min expiry, single-use
- Reduce JWT access token expiry from 24h to 1h
- Add EmailService stub (logs to shared.email_log)
- Add DB migration 016 for password_reset_tokens table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -8,6 +8,8 @@ import {
|
||||
Get,
|
||||
Res,
|
||||
Query,
|
||||
HttpCode,
|
||||
ForbiddenException,
|
||||
BadRequestException,
|
||||
} from '@nestjs/common';
|
||||
import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
|
||||
@@ -23,6 +25,7 @@ import { AllowViewer } from '../../common/decorators/allow-viewer.decorator';
|
||||
|
||||
const COOKIE_NAME = 'ledgeriq_rt';
|
||||
const isProduction = process.env.NODE_ENV === 'production';
|
||||
const isOpenRegistration = process.env.ALLOW_OPEN_REGISTRATION === 'true';
|
||||
|
||||
function setRefreshCookie(res: Response, token: string) {
|
||||
res.cookie(COOKIE_NAME, token, {
|
||||
@@ -49,9 +52,14 @@ export class AuthController {
|
||||
constructor(private authService: AuthService) {}
|
||||
|
||||
@Post('register')
|
||||
@ApiOperation({ summary: 'Register a new user' })
|
||||
@ApiOperation({ summary: 'Register a new user (disabled unless ALLOW_OPEN_REGISTRATION=true)' })
|
||||
@Throttle({ default: { limit: 5, ttl: 60000 } })
|
||||
async register(@Body() dto: RegisterDto, @Res({ passthrough: true }) res: Response) {
|
||||
if (!isOpenRegistration) {
|
||||
throw new ForbiddenException(
|
||||
'Open registration is disabled. Please use an invitation link to create your account.',
|
||||
);
|
||||
}
|
||||
const result = await this.authService.register(dto);
|
||||
if (result.refreshToken) {
|
||||
setRefreshCookie(res, result.refreshToken);
|
||||
@@ -93,6 +101,7 @@ export class AuthController {
|
||||
|
||||
@Post('logout')
|
||||
@ApiOperation({ summary: 'Logout and revoke refresh token' })
|
||||
@HttpCode(200)
|
||||
async logout(@Request() req: any, @Res({ passthrough: true }) res: Response) {
|
||||
const rawToken = req.cookies?.[COOKIE_NAME];
|
||||
if (rawToken) {
|
||||
@@ -104,6 +113,7 @@ export class AuthController {
|
||||
|
||||
@Post('logout-everywhere')
|
||||
@ApiOperation({ summary: 'Revoke all sessions' })
|
||||
@HttpCode(200)
|
||||
@ApiBearerAuth()
|
||||
@UseGuards(JwtAuthGuard)
|
||||
async logoutEverywhere(@Request() req: any, @Res({ passthrough: true }) res: Response) {
|
||||
@@ -183,4 +193,51 @@ export class AuthController {
|
||||
// Stubbed — will be implemented when email service is ready
|
||||
return { success: true, message: 'If an account exists, a new activation link has been sent.' };
|
||||
}
|
||||
|
||||
// ─── Password Reset Flow ──────────────────────────────────────────
|
||||
|
||||
@Post('forgot-password')
|
||||
@ApiOperation({ summary: 'Request a password reset email' })
|
||||
@HttpCode(200)
|
||||
@Throttle({ default: { limit: 3, ttl: 60000 } })
|
||||
async forgotPassword(@Body() body: { email: string }) {
|
||||
if (!body.email) throw new BadRequestException('Email is required');
|
||||
await this.authService.requestPasswordReset(body.email);
|
||||
// Always return same message to prevent account enumeration
|
||||
return { message: 'If that email exists, a password reset link has been sent.' };
|
||||
}
|
||||
|
||||
@Post('reset-password')
|
||||
@ApiOperation({ summary: 'Reset password using a reset token' })
|
||||
@HttpCode(200)
|
||||
@Throttle({ default: { limit: 5, ttl: 60000 } })
|
||||
async resetPassword(@Body() body: { token: string; newPassword: string }) {
|
||||
if (!body.token || !body.newPassword) {
|
||||
throw new BadRequestException('Token and newPassword are required');
|
||||
}
|
||||
if (body.newPassword.length < 8) {
|
||||
throw new BadRequestException('Password must be at least 8 characters');
|
||||
}
|
||||
await this.authService.resetPassword(body.token, body.newPassword);
|
||||
return { message: 'Password updated successfully.' };
|
||||
}
|
||||
|
||||
@Patch('change-password')
|
||||
@ApiOperation({ summary: 'Change password (authenticated)' })
|
||||
@ApiBearerAuth()
|
||||
@UseGuards(JwtAuthGuard)
|
||||
@AllowViewer()
|
||||
async changePassword(
|
||||
@Request() req: any,
|
||||
@Body() body: { currentPassword: string; newPassword: string },
|
||||
) {
|
||||
if (!body.currentPassword || !body.newPassword) {
|
||||
throw new BadRequestException('currentPassword and newPassword are required');
|
||||
}
|
||||
if (body.newPassword.length < 8) {
|
||||
throw new BadRequestException('Password must be at least 8 characters');
|
||||
}
|
||||
await this.authService.changePassword(req.user.sub, body.currentPassword, body.newPassword);
|
||||
return { message: 'Password changed successfully.' };
|
||||
}
|
||||
}
|
||||
|
||||
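Review bot: The new `forgotPassword`, `resetPassword` and `changePassword` handlers in the last hunk take `@Body()` as an inline object type instead of a DTO class, so unlike `register` (which uses `RegisterDto`) nothing at runtime enforces that `email`, `token`, `currentPassword` or `newPassword` are strings; a JSON body with `"newPassword": 12345678` passes `!body.newPassword` and then `body.newPassword.length < 8` evaluates `undefined < 8` to false, so a non-string value reaches `authService.resetPassword`/`changePassword`. The minimal fix is to type-check before the length check, `if (typeof body.newPassword !== 'string' || body.newPassword.length < 8)`, and likewise `typeof body.email !== 'string'` and `typeof body.token !== 'string'`; the consistent fix is dedicated `ForgotPasswordDto`/`ResetPasswordDto`/`ChangePasswordDto` classes with the same validation decorators the project's existing DTOs use, so the global validation pipe (if one is configured) applies here too. Separately, the service calls are not visible in this diff, so it is worth confirming that `resetPassword` and `changePassword` revoke the user's outstanding refresh tokens the way `logout-everywhere` does; otherwise a session established with the old credential survives the reset. The `@Request() req: any` parameters could also use the typed request shape the rest of the controller relies on rather than `any`.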