Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings: - Add validation tags to all DTO request structs (max lengths, ranges, enums) - Replace unsafe type assertions with MustGetAuthUser helper across all handlers - Remove query-param token auth from admin middleware (prevents URL token leakage) - Add request validation calls in handlers that were missing c.Validate() - Remove goroutines in handlers (timezone update now synchronous) - Add sanitize middleware and path traversal protection (path_utils) - Stop resetting admin passwords on migration restart - Warn on well-known default SECRET_KEY - Add ~30 new test files covering security regressions, auth safety, repos, and services - Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00
parent 56d6fa4514
commit 7690f07a2b
123 changed files with 8321 additions and 750 deletions
--- a/deploy/swarm-stack.prod.yml
+++ b/deploy/swarm-stack.prod.yml
@@ -0,0 +1,288 @@
+version: "3.8"
+
+services:
+  redis:
+    image: redis:7-alpine
+    command: redis-server --appendonly yes --appendfsync everysec
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 5s
+      placement:
+        max_replicas_per_node: 1
+    networks:
+      - casera-network
+
+  api:
+    image: ${API_IMAGE}
+    ports:
+      - target: 8000
+        published: ${API_PORT}
+        protocol: tcp
+        mode: ingress
+    environment:
+      PORT: "8000"
+      DEBUG: "${DEBUG}"
+      ALLOWED_HOSTS: "${ALLOWED_HOSTS}"
+      CORS_ALLOWED_ORIGINS: "${CORS_ALLOWED_ORIGINS}"
+      TIMEZONE: "${TIMEZONE}"
+      BASE_URL: "${BASE_URL}"
+      ADMIN_PANEL_URL: "${ADMIN_PANEL_URL}"
+
+      DB_HOST: "${DB_HOST}"
+      DB_PORT: "${DB_PORT}"
+      POSTGRES_USER: "${POSTGRES_USER}"
+      POSTGRES_DB: "${POSTGRES_DB}"
+      DB_SSLMODE: "${DB_SSLMODE}"
+      DB_MAX_OPEN_CONNS: "${DB_MAX_OPEN_CONNS}"
+      DB_MAX_IDLE_CONNS: "${DB_MAX_IDLE_CONNS}"
+      DB_MAX_LIFETIME: "${DB_MAX_LIFETIME}"
+
+      REDIS_URL: "${REDIS_URL}"
+      REDIS_DB: "${REDIS_DB}"
+
+      EMAIL_HOST: "${EMAIL_HOST}"
+      EMAIL_PORT: "${EMAIL_PORT}"
+      EMAIL_HOST_USER: "${EMAIL_HOST_USER}"
+      DEFAULT_FROM_EMAIL: "${DEFAULT_FROM_EMAIL}"
+      EMAIL_USE_TLS: "${EMAIL_USE_TLS}"
+
+      APNS_AUTH_KEY_PATH: "/run/secrets/apns_auth_key"
+      APNS_AUTH_KEY_ID: "${APNS_AUTH_KEY_ID}"
+      APNS_TEAM_ID: "${APNS_TEAM_ID}"
+      APNS_TOPIC: "${APNS_TOPIC}"
+      APNS_USE_SANDBOX: "${APNS_USE_SANDBOX}"
+      APNS_PRODUCTION: "${APNS_PRODUCTION}"
+
+      STORAGE_UPLOAD_DIR: "${STORAGE_UPLOAD_DIR}"
+      STORAGE_BASE_URL: "${STORAGE_BASE_URL}"
+      STORAGE_MAX_FILE_SIZE: "${STORAGE_MAX_FILE_SIZE}"
+      STORAGE_ALLOWED_TYPES: "${STORAGE_ALLOWED_TYPES}"
+
+      FEATURE_PUSH_ENABLED: "${FEATURE_PUSH_ENABLED}"
+      FEATURE_EMAIL_ENABLED: "${FEATURE_EMAIL_ENABLED}"
+      FEATURE_WEBHOOKS_ENABLED: "${FEATURE_WEBHOOKS_ENABLED}"
+      FEATURE_ONBOARDING_EMAILS_ENABLED: "${FEATURE_ONBOARDING_EMAILS_ENABLED}"
+      FEATURE_PDF_REPORTS_ENABLED: "${FEATURE_PDF_REPORTS_ENABLED}"
+      FEATURE_WORKER_ENABLED: "${FEATURE_WORKER_ENABLED}"
+
+      APPLE_CLIENT_ID: "${APPLE_CLIENT_ID}"
+      APPLE_TEAM_ID: "${APPLE_TEAM_ID}"
+      GOOGLE_CLIENT_ID: "${GOOGLE_CLIENT_ID}"
+      GOOGLE_ANDROID_CLIENT_ID: "${GOOGLE_ANDROID_CLIENT_ID}"
+      GOOGLE_IOS_CLIENT_ID: "${GOOGLE_IOS_CLIENT_ID}"
+      APPLE_IAP_KEY_PATH: "${APPLE_IAP_KEY_PATH}"
+      APPLE_IAP_KEY_ID: "${APPLE_IAP_KEY_ID}"
+      APPLE_IAP_ISSUER_ID: "${APPLE_IAP_ISSUER_ID}"
+      APPLE_IAP_BUNDLE_ID: "${APPLE_IAP_BUNDLE_ID}"
+      APPLE_IAP_SANDBOX: "${APPLE_IAP_SANDBOX}"
+      GOOGLE_IAP_SERVICE_ACCOUNT_PATH: "${GOOGLE_IAP_SERVICE_ACCOUNT_PATH}"
+      GOOGLE_IAP_PACKAGE_NAME: "${GOOGLE_IAP_PACKAGE_NAME}"
+    command:
+      - /bin/sh
+      - -lc
+      - |
+        set -eu
+        export POSTGRES_PASSWORD="$$(cat /run/secrets/postgres_password)"
+        export SECRET_KEY="$$(cat /run/secrets/secret_key)"
+        export EMAIL_HOST_PASSWORD="$$(cat /run/secrets/email_host_password)"
+        export FCM_SERVER_KEY="$$(cat /run/secrets/fcm_server_key)"
+        exec /app/api
+    secrets:
+      - source: ${POSTGRES_PASSWORD_SECRET}
+        target: postgres_password
+      - source: ${SECRET_KEY_SECRET}
+        target: secret_key
+      - source: ${EMAIL_HOST_PASSWORD_SECRET}
+        target: email_host_password
+      - source: ${FCM_SERVER_KEY_SECRET}
+        target: fcm_server_key
+      - source: ${APNS_AUTH_KEY_SECRET}
+        target: apns_auth_key
+    volumes:
+      - uploads:/app/uploads
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:8000/api/health/"]
+      interval: 30s
+      timeout: 10s
+      start_period: 15s
+      retries: 3
+    deploy:
+      replicas: ${API_REPLICAS}
+      restart_policy:
+        condition: any
+        delay: 5s
+      update_config:
+        parallelism: 1
+        delay: 10s
+        order: start-first
+      rollback_config:
+        parallelism: 1
+        delay: 5s
+        order: stop-first
+    networks:
+      - casera-network
+
+  admin:
+    image: ${ADMIN_IMAGE}
+    ports:
+      - target: 3000
+        published: ${ADMIN_PORT}
+        protocol: tcp
+        mode: ingress
+    environment:
+      PORT: "3000"
+      HOSTNAME: "0.0.0.0"
+      NEXT_PUBLIC_API_URL: "${NEXT_PUBLIC_API_URL}"
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/admin/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    deploy:
+      replicas: ${ADMIN_REPLICAS}
+      restart_policy:
+        condition: any
+        delay: 5s
+      update_config:
+        parallelism: 1
+        delay: 10s
+        order: start-first
+      rollback_config:
+        parallelism: 1
+        delay: 5s
+        order: stop-first
+    networks:
+      - casera-network
+
+  worker:
+    image: ${WORKER_IMAGE}
+    environment:
+      DB_HOST: "${DB_HOST}"
+      DB_PORT: "${DB_PORT}"
+      POSTGRES_USER: "${POSTGRES_USER}"
+      POSTGRES_DB: "${POSTGRES_DB}"
+      DB_SSLMODE: "${DB_SSLMODE}"
+      DB_MAX_OPEN_CONNS: "${DB_MAX_OPEN_CONNS}"
+      DB_MAX_IDLE_CONNS: "${DB_MAX_IDLE_CONNS}"
+      DB_MAX_LIFETIME: "${DB_MAX_LIFETIME}"
+
+      REDIS_URL: "${REDIS_URL}"
+      REDIS_DB: "${REDIS_DB}"
+
+      EMAIL_HOST: "${EMAIL_HOST}"
+      EMAIL_PORT: "${EMAIL_PORT}"
+      EMAIL_HOST_USER: "${EMAIL_HOST_USER}"
+      DEFAULT_FROM_EMAIL: "${DEFAULT_FROM_EMAIL}"
+      EMAIL_USE_TLS: "${EMAIL_USE_TLS}"
+
+      APNS_AUTH_KEY_PATH: "/run/secrets/apns_auth_key"
+      APNS_AUTH_KEY_ID: "${APNS_AUTH_KEY_ID}"
+      APNS_TEAM_ID: "${APNS_TEAM_ID}"
+      APNS_TOPIC: "${APNS_TOPIC}"
+      APNS_USE_SANDBOX: "${APNS_USE_SANDBOX}"
+      APNS_PRODUCTION: "${APNS_PRODUCTION}"
+
+      TASK_REMINDER_HOUR: "${TASK_REMINDER_HOUR}"
+      OVERDUE_REMINDER_HOUR: "${OVERDUE_REMINDER_HOUR}"
+      DAILY_DIGEST_HOUR: "${DAILY_DIGEST_HOUR}"
+
+      FEATURE_PUSH_ENABLED: "${FEATURE_PUSH_ENABLED}"
+      FEATURE_EMAIL_ENABLED: "${FEATURE_EMAIL_ENABLED}"
+      FEATURE_WEBHOOKS_ENABLED: "${FEATURE_WEBHOOKS_ENABLED}"
+      FEATURE_ONBOARDING_EMAILS_ENABLED: "${FEATURE_ONBOARDING_EMAILS_ENABLED}"
+      FEATURE_PDF_REPORTS_ENABLED: "${FEATURE_PDF_REPORTS_ENABLED}"
+      FEATURE_WORKER_ENABLED: "${FEATURE_WORKER_ENABLED}"
+    command:
+      - /bin/sh
+      - -lc
+      - |
+        set -eu
+        export POSTGRES_PASSWORD="$$(cat /run/secrets/postgres_password)"
+        export SECRET_KEY="$$(cat /run/secrets/secret_key)"
+        export EMAIL_HOST_PASSWORD="$$(cat /run/secrets/email_host_password)"
+        export FCM_SERVER_KEY="$$(cat /run/secrets/fcm_server_key)"
+        exec /app/worker
+    secrets:
+      - source: ${POSTGRES_PASSWORD_SECRET}
+        target: postgres_password
+      - source: ${SECRET_KEY_SECRET}
+        target: secret_key
+      - source: ${EMAIL_HOST_PASSWORD_SECRET}
+        target: email_host_password
+      - source: ${FCM_SERVER_KEY_SECRET}
+        target: fcm_server_key
+      - source: ${APNS_AUTH_KEY_SECRET}
+        target: apns_auth_key
+    deploy:
+      replicas: ${WORKER_REPLICAS}
+      restart_policy:
+        condition: any
+        delay: 5s
+      update_config:
+        parallelism: 1
+        delay: 10s
+        order: start-first
+      rollback_config:
+        parallelism: 1
+        delay: 5s
+        order: stop-first
+    networks:
+      - casera-network
+
+  dozzle:
+    image: amir20/dozzle:latest
+    ports:
+      - target: 8080
+        published: ${DOZZLE_PORT}
+        protocol: tcp
+        mode: ingress
+    environment:
+      DOZZLE_NO_ANALYTICS: "true"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 5s
+      placement:
+        constraints:
+          - node.role == manager
+    networks:
+      - casera-network
+
+volumes:
+  redis_data:
+  uploads:
+
+networks:
+  casera-network:
+    driver: overlay
+    driver_opts:
+      encrypted: "true"
+
+secrets:
+  postgres_password:
+    external: true
+    name: ${POSTGRES_PASSWORD_SECRET}
+  secret_key:
+    external: true
+    name: ${SECRET_KEY_SECRET}
+  email_host_password:
+    external: true
+    name: ${EMAIL_HOST_PASSWORD_SECRET}
+  fcm_server_key:
+    external: true
+    name: ${FCM_SERVER_KEY_SECRET}
+  apns_auth_key:
+    external: true
+    name: ${APNS_AUTH_KEY_SECRET}