Production hardening: security, resilience, observability, and compliance

Password complexity: custom validator requiring uppercase, lowercase, digit (min 8 chars) Token expiry: 90-day token lifetime with refresh endpoint (60-90 day renewal window) Health check: /api/health/ now pings Postgres + Redis, returns 503 on failure Audit logging: async audit_log table for auth events (login, register, delete, etc.) Circuit breaker: APNs/FCM push sends wrapped with 5-failure threshold, 30s recovery FK indexes: 27 missing foreign key indexes across all tables (migration 017) CSP header: default-src 'none'; frame-ancestors 'none' Gzip compression: level 5 with media endpoint skipper Prometheus metrics: /metrics endpoint using existing monitoring service External timeouts: 15s push, 30s SMTP, context timeouts on all external calls Migrations: 016 (token created_at), 017 (FK indexes), 018 (audit_log) Tests: circuit breaker (15), audit service (8), token refresh (7), health (4), middleware expiry (5), validator (new)
2026-03-26 14:05:28 -05:00
parent 4abc57535e
commit b679f28e55
30 changed files with 2077 additions and 47 deletions
--- a/internal/handlers/auth_handler.go
+++ b/internal/handlers/auth_handler.go
@@ -23,6 +23,7 @@ type AuthHandler struct {
 	appleAuthService  *services.AppleAuthService
 	googleAuthService *services.GoogleAuthService
 	storageService    *services.StorageService
+	auditService      *services.AuditService
 }

 // NewAuthHandler creates a new auth handler
@@ -49,6 +50,11 @@ func (h *AuthHandler) SetStorageService(storageService *services.StorageService)
 	h.storageService = storageService
 }

+// SetAuditService sets the audit service for logging security events
+func (h *AuthHandler) SetAuditService(auditService *services.AuditService) {
+	h.auditService = auditService
+}
+
 // Login handles POST /api/auth/login/
 func (h *AuthHandler) Login(c echo.Context) error {
 	var req requests.LoginRequest
@@ -62,9 +68,19 @@ func (h *AuthHandler) Login(c echo.Context) error {
 	response, err := h.authService.Login(&req)
 	if err != nil {
 		log.Debug().Err(err).Str("identifier", req.Username).Msg("Login failed")
+		if h.auditService != nil {
+			h.auditService.LogEvent(c, nil, services.AuditEventLoginFailed, map[string]interface{}{
+				"identifier": req.Username,
+			})
+		}
 		return err
 	}

+	if h.auditService != nil {
+		userID := response.User.ID
+		h.auditService.LogEvent(c, &userID, services.AuditEventLogin, nil)
+	}
+
 	return c.JSON(http.StatusOK, response)
 }

@@ -84,6 +100,14 @@ func (h *AuthHandler) Register(c echo.Context) error {
 		return err
 	}

+	if h.auditService != nil {
+		userID := response.User.ID
+		h.auditService.LogEvent(c, &userID, services.AuditEventRegister, map[string]interface{}{
+			"username": req.Username,
+			"email":    req.Email,
+		})
+	}
+
 	// Send welcome email with confirmation code (async)
 	if h.emailService != nil && confirmationCode != "" {
 		go func() {
@@ -108,6 +132,14 @@ func (h *AuthHandler) Logout(c echo.Context) error {
 		return apperrors.Unauthorized("error.not_authenticated")
 	}

+	// Log audit event before invalidating the token
+	if h.auditService != nil {
+		user := middleware.GetAuthUser(c)
+		if user != nil {
+			h.auditService.LogEvent(c, &user.ID, services.AuditEventLogout, nil)
+		}
+	}
+
 	// Invalidate token in database
 	if err := h.authService.Logout(token); err != nil {
 		log.Warn().Err(err).Msg("Failed to delete token from database")
@@ -270,6 +302,12 @@ func (h *AuthHandler) ForgotPassword(c echo.Context) error {
 		}()
 	}

+	if h.auditService != nil {
+		h.auditService.LogEvent(c, nil, services.AuditEventPasswordReset, map[string]interface{}{
+			"email": req.Email,
+		})
+	}
+
 	// Always return success to prevent email enumeration
 	return c.JSON(http.StatusOK, responses.ForgotPasswordResponse{
 		Message: "Password reset email sent",
@@ -314,6 +352,12 @@ func (h *AuthHandler) ResetPassword(c echo.Context) error {
 		return err
 	}

+	if h.auditService != nil {
+		h.auditService.LogEvent(c, nil, services.AuditEventPasswordChanged, map[string]interface{}{
+			"method": "reset_token",
+		})
+	}
+
 	return c.JSON(http.StatusOK, responses.ResetPasswordResponse{
 		Message: "Password reset successful",
 	})
@@ -413,6 +457,34 @@ func (h *AuthHandler) GoogleSignIn(c echo.Context) error {
 	return c.JSON(http.StatusOK, response)
 }

+// RefreshToken handles POST /api/auth/refresh/
+func (h *AuthHandler) RefreshToken(c echo.Context) error {
+	user, err := middleware.MustGetAuthUser(c)
+	if err != nil {
+		return err
+	}
+
+	token := middleware.GetAuthToken(c)
+	if token == "" {
+		return apperrors.Unauthorized("error.not_authenticated")
+	}
+
+	response, err := h.authService.RefreshToken(token, user.ID)
+	if err != nil {
+		log.Debug().Err(err).Uint("user_id", user.ID).Msg("Token refresh failed")
+		return err
+	}
+
+	// If the token was refreshed (new token), invalidate the old one from cache
+	if response.Token != token && h.cache != nil {
+		if cacheErr := h.cache.InvalidateAuthToken(c.Request().Context(), token); cacheErr != nil {
+			log.Warn().Err(cacheErr).Msg("Failed to invalidate old token from cache during refresh")
+		}
+	}
+
+	return c.JSON(http.StatusOK, response)
+}
+
 // DeleteAccount handles DELETE /api/auth/account/
 func (h *AuthHandler) DeleteAccount(c echo.Context) error {
 	user, err := middleware.MustGetAuthUser(c)
@@ -431,6 +503,14 @@ func (h *AuthHandler) DeleteAccount(c echo.Context) error {
 		return err
 	}

+	if h.auditService != nil {
+		h.auditService.LogEvent(c, &user.ID, services.AuditEventAccountDeleted, map[string]interface{}{
+			"user_id":  user.ID,
+			"username": user.Username,
+			"email":    user.Email,
+		})
+	}
+
 	// Delete files from disk (best effort, don't fail the request)
 	if h.storageService != nil && len(fileURLs) > 0 {
 		go func() {