Production hardening: security, resilience, observability, and compliance

Password complexity: custom validator requiring uppercase, lowercase, digit (min 8 chars) Token expiry: 90-day token lifetime with refresh endpoint (60-90 day renewal window) Health check: /api/health/ now pings Postgres + Redis, returns 503 on failure Audit logging: async audit_log table for auth events (login, register, delete, etc.) Circuit breaker: APNs/FCM push sends wrapped with 5-failure threshold, 30s recovery FK indexes: 27 missing foreign key indexes across all tables (migration 017) CSP header: default-src 'none'; frame-ancestors 'none' Gzip compression: level 5 with media endpoint skipper Prometheus metrics: /metrics endpoint using existing monitoring service External timeouts: 15s push, 30s SMTP, context timeouts on all external calls Migrations: 016 (token created_at), 017 (FK indexes), 018 (audit_log) Tests: circuit breaker (15), audit service (8), token refresh (7), health (4), middleware expiry (5), validator (new)
2026-03-26 14:05:28 -05:00
parent 4abc57535e
commit b679f28e55
30 changed files with 2077 additions and 47 deletions
--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@@ -12,6 +12,7 @@ import (
 	"gorm.io/gorm"

 	"github.com/treytartt/honeydue-api/internal/apperrors"
+	"github.com/treytartt/honeydue-api/internal/config"
 	"github.com/treytartt/honeydue-api/internal/models"
 	"github.com/treytartt/honeydue-api/internal/services"
 )
@@ -28,24 +29,56 @@ const (
 	// UserCacheTTL is how long full user records are cached in memory to
 	// avoid hitting the database on every authenticated request.
 	UserCacheTTL = 30 * time.Second
+
+	// DefaultTokenExpiryDays is the default number of days before a token expires.
+	DefaultTokenExpiryDays = 90
 )

 // AuthMiddleware provides token authentication middleware
 type AuthMiddleware struct {
-	db        *gorm.DB
-	cache     *services.CacheService
-	userCache *UserCache
+	db              *gorm.DB
+	cache           *services.CacheService
+	userCache       *UserCache
+	tokenExpiryDays int
 }

 // NewAuthMiddleware creates a new auth middleware instance
 func NewAuthMiddleware(db *gorm.DB, cache *services.CacheService) *AuthMiddleware {
 	return &AuthMiddleware{
-		db:        db,
-		cache:     cache,
-		userCache: NewUserCache(UserCacheTTL),
+		db:              db,
+		cache:           cache,
+		userCache:       NewUserCache(UserCacheTTL),
+		tokenExpiryDays: DefaultTokenExpiryDays,
 	}
 }

+// NewAuthMiddlewareWithConfig creates a new auth middleware instance with configuration
+func NewAuthMiddlewareWithConfig(db *gorm.DB, cache *services.CacheService, cfg *config.Config) *AuthMiddleware {
+	expiryDays := DefaultTokenExpiryDays
+	if cfg != nil && cfg.Security.TokenExpiryDays > 0 {
+		expiryDays = cfg.Security.TokenExpiryDays
+	}
+	return &AuthMiddleware{
+		db:              db,
+		cache:           cache,
+		userCache:       NewUserCache(UserCacheTTL),
+		tokenExpiryDays: expiryDays,
+	}
+}
+
+// TokenExpiryDuration returns the token expiry duration.
+func (m *AuthMiddleware) TokenExpiryDuration() time.Duration {
+	return time.Duration(m.tokenExpiryDays) * 24 * time.Hour
+}
+
+// isTokenExpired checks if a token's created timestamp indicates expiry.
+func (m *AuthMiddleware) isTokenExpired(created time.Time) bool {
+	if created.IsZero() {
+		return false // Legacy tokens without created time are not expired
+	}
+	return time.Since(created) > m.TokenExpiryDuration()
+}
+
 // TokenAuth returns an Echo middleware that validates token authentication
 func (m *AuthMiddleware) TokenAuth() echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
@@ -56,7 +89,7 @@ func (m *AuthMiddleware) TokenAuth() echo.MiddlewareFunc {
 				return apperrors.Unauthorized("error.not_authenticated")
 			}

-			// Try to get user from cache first
+			// Try to get user from cache first (includes expiry check)
 			user, err := m.getUserFromCache(c.Request().Context(), token)
 			if err == nil && user != nil {
 				// Cache hit - set user in context and continue
@@ -65,16 +98,27 @@ func (m *AuthMiddleware) TokenAuth() echo.MiddlewareFunc {
 				return next(c)
 			}

+			// Check if the cache indicated token expiry
+			if err != nil && err.Error() == "token expired" {
+				return apperrors.Unauthorized("error.token_expired")
+			}
+
 			// Cache miss - look up token in database
-			user, err = m.getUserFromDatabase(token)
+			user, authToken, err := m.getUserFromDatabaseWithToken(token)
 			if err != nil {
 				log.Debug().Err(err).Str("token", truncateToken(token)).Msg("Token authentication failed")
 				return apperrors.Unauthorized("error.invalid_token")
 			}

-			// Cache the user ID for future requests
-			if cacheErr := m.cacheUserID(c.Request().Context(), token, user.ID); cacheErr != nil {
-				log.Warn().Err(cacheErr).Msg("Failed to cache user ID")
+			// Check token expiry
+			if m.isTokenExpired(authToken.Created) {
+				log.Debug().Str("token", truncateToken(token)).Time("created", authToken.Created).Msg("Token expired")
+				return apperrors.Unauthorized("error.token_expired")
+			}
+
+			// Cache the user ID and token creation time for future requests
+			if cacheErr := m.cacheTokenInfo(c.Request().Context(), token, user.ID, authToken.Created); cacheErr != nil {
+				log.Warn().Err(cacheErr).Msg("Failed to cache token info")
 			}

 			// Set user in context
@@ -104,9 +148,9 @@ func (m *AuthMiddleware) OptionalTokenAuth() echo.MiddlewareFunc {
 			}

 			// Try database
-			user, err = m.getUserFromDatabase(token)
-			if err == nil {
-				m.cacheUserID(c.Request().Context(), token, user.ID)
+			user, authToken, err := m.getUserFromDatabaseWithToken(token)
+			if err == nil && !m.isTokenExpired(authToken.Created) {
+				m.cacheTokenInfo(c.Request().Context(), token, user.ID, authToken.Created)
 				c.Set(AuthUserKey, user)
 				c.Set(AuthTokenKey, token)
 			}
@@ -145,12 +189,13 @@ func extractToken(c echo.Context) (string, error) {

 // getUserFromCache tries to get user from Redis cache, then from the
 // in-memory user cache, before falling back to the database.
+// Returns a "token expired" error if the cached creation time indicates expiry.
 func (m *AuthMiddleware) getUserFromCache(ctx context.Context, token string) (*models.User, error) {
 	if m.cache == nil {
 		return nil, fmt.Errorf("cache not available")
 	}

-	userID, err := m.cache.GetCachedAuthToken(ctx, token)
+	userID, createdUnix, err := m.cache.GetCachedAuthTokenWithCreated(ctx, token)
 	if err != nil {
 		if err == redis.Nil {
 			return nil, fmt.Errorf("token not in cache")
@@ -158,6 +203,15 @@ func (m *AuthMiddleware) getUserFromCache(ctx context.Context, token string) (*m
 		return nil, err
 	}

+	// Check token expiry from cached creation time
+	if createdUnix > 0 {
+		created := time.Unix(createdUnix, 0)
+		if m.isTokenExpired(created) {
+			m.cache.InvalidateAuthToken(ctx, token)
+			return nil, fmt.Errorf("token expired")
+		}
+	}
+
 	// Try in-memory user cache first to avoid a DB round-trip
 	if cached := m.userCache.Get(userID); cached != nil {
 		if !cached.IsActive {
@@ -187,22 +241,38 @@ func (m *AuthMiddleware) getUserFromCache(ctx context.Context, token string) (*m
 	return &user, nil
 }

-// getUserFromDatabase looks up the token in the database and caches the
-// resulting user record in memory.
-func (m *AuthMiddleware) getUserFromDatabase(token string) (*models.User, error) {
+// getUserFromDatabaseWithToken looks up the token in the database and returns
+// both the user and the auth token record (for expiry checking).
+func (m *AuthMiddleware) getUserFromDatabaseWithToken(token string) (*models.User, *models.AuthToken, error) {
 	var authToken models.AuthToken
 	if err := m.db.Preload("User").Where("key = ?", token).First(&authToken).Error; err != nil {
-		return nil, fmt.Errorf("token not found")
+		return nil, nil, fmt.Errorf("token not found")
 	}

 	// Check if user is active
 	if !authToken.User.IsActive {
-		return nil, fmt.Errorf("user is inactive")
+		return nil, nil, fmt.Errorf("user is inactive")
 	}

 	// Store in in-memory cache for subsequent requests
 	m.userCache.Set(&authToken.User)
-	return &authToken.User, nil
+	return &authToken.User, &authToken, nil
+}
+
+// getUserFromDatabase looks up the token in the database and caches the
+// resulting user record in memory.
+// Deprecated: Use getUserFromDatabaseWithToken for new code paths that need expiry checking.
+func (m *AuthMiddleware) getUserFromDatabase(token string) (*models.User, error) {
+	user, _, err := m.getUserFromDatabaseWithToken(token)
+	return user, err
+}
+
+// cacheTokenInfo caches the user ID and token creation time for a token
+func (m *AuthMiddleware) cacheTokenInfo(ctx context.Context, token string, userID uint, created time.Time) error {
+	if m.cache == nil {
+		return nil
+	}
+	return m.cache.CacheAuthTokenWithCreated(ctx, token, userID, created.Unix())
 }

 // cacheUserID caches the user ID for a token
--- a/internal/middleware/auth_expiry_test.go
+++ b/internal/middleware/auth_expiry_test.go
@@ -0,0 +1,165 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+
+	"github.com/treytartt/honeydue-api/internal/models"
+)
+
+// setupTestDB creates a temporary in-memory SQLite database with the required
+// tables for auth middleware tests.
+func setupTestDB(t *testing.T) *gorm.DB {
+	t.Helper()
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{
+		Logger: logger.Default.LogMode(logger.Silent),
+	})
+	require.NoError(t, err)
+
+	err = db.AutoMigrate(&models.User{}, &models.AuthToken{})
+	require.NoError(t, err)
+
+	return db
+}
+
+// createTestUserAndToken creates a user and an auth token, then backdates the
+// token's Created timestamp by the specified number of days.
+func createTestUserAndToken(t *testing.T, db *gorm.DB, username string, ageDays int) (*models.User, *models.AuthToken) {
+	t.Helper()
+
+	user := &models.User{
+		Username: username,
+		Email:    username + "@test.com",
+		IsActive: true,
+	}
+	require.NoError(t, user.SetPassword("password123"))
+	require.NoError(t, db.Create(user).Error)
+
+	token := &models.AuthToken{
+		UserID: user.ID,
+	}
+	require.NoError(t, db.Create(token).Error)
+
+	// Backdate the token's Created timestamp after creation to bypass autoCreateTime
+	backdated := time.Now().UTC().AddDate(0, 0, -ageDays)
+	require.NoError(t, db.Model(token).Update("created", backdated).Error)
+	token.Created = backdated
+
+	return user, token
+}
+
+func TestTokenAuth_RejectsExpiredToken(t *testing.T) {
+	db := setupTestDB(t)
+	_, token := createTestUserAndToken(t, db, "expired_user", 91) // 91 days old > 90 day expiry
+
+	m := NewAuthMiddleware(db, nil) // No Redis cache for these tests
+
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
+	req.Header.Set("Authorization", "Token "+token.Key)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	handler := m.TokenAuth()(func(c echo.Context) error {
+		return c.String(http.StatusOK, "ok")
+	})
+
+	err := handler(c)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "error.token_expired")
+}
+
+func TestTokenAuth_AcceptsValidToken(t *testing.T) {
+	db := setupTestDB(t)
+	_, token := createTestUserAndToken(t, db, "valid_user", 30) // 30 days old < 90 day expiry
+
+	m := NewAuthMiddleware(db, nil)
+
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
+	req.Header.Set("Authorization", "Token "+token.Key)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	handler := m.TokenAuth()(func(c echo.Context) error {
+		return c.String(http.StatusOK, "ok")
+	})
+
+	err := handler(c)
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusOK, rec.Code)
+
+	// Verify user was set in context
+	user := GetAuthUser(c)
+	require.NotNil(t, user)
+	assert.Equal(t, "valid_user", user.Username)
+}
+
+func TestTokenAuth_AcceptsTokenAtBoundary(t *testing.T) {
+	db := setupTestDB(t)
+	_, token := createTestUserAndToken(t, db, "boundary_user", 89) // 89 days old, just under 90 day expiry
+
+	m := NewAuthMiddleware(db, nil)
+
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
+	req.Header.Set("Authorization", "Token "+token.Key)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	handler := m.TokenAuth()(func(c echo.Context) error {
+		return c.String(http.StatusOK, "ok")
+	})
+
+	err := handler(c)
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusOK, rec.Code)
+}
+
+func TestTokenAuth_RejectsInvalidToken(t *testing.T) {
+	db := setupTestDB(t)
+
+	m := NewAuthMiddleware(db, nil)
+
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
+	req.Header.Set("Authorization", "Token nonexistent-token")
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	handler := m.TokenAuth()(func(c echo.Context) error {
+		return c.String(http.StatusOK, "ok")
+	})
+
+	err := handler(c)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "error.invalid_token")
+}
+
+func TestTokenAuth_RejectsNoAuthHeader(t *testing.T) {
+	db := setupTestDB(t)
+
+	m := NewAuthMiddleware(db, nil)
+
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	handler := m.TokenAuth()(func(c echo.Context) error {
+		return c.String(http.StatusOK, "ok")
+	})
+
+	err := handler(c)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "error.not_authenticated")
+}