fix(security): remediate 2026-05-12 audit findings (Stages 2–5)
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews. Auth & sessions: - SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1) - local Google JWKS verification, iss/aud/exp checks (C2/C3) - constant-time login + generic errors (L1/LIVE-L11/LIVE-L13) - per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3) - verified-email gating, login rate limiting (LIVE-L19, H1-H3) IAP & webhooks: - Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6) - migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log) Authorization & races: - file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3) Secrets & deploy: - secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled - digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
@@ -8,6 +8,7 @@ import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"math/big"
|
||||
@@ -20,6 +21,7 @@ import (
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/labstack/echo/v4"
|
||||
"github.com/rs/zerolog/log"
|
||||
"gorm.io/gorm"
|
||||
|
||||
"github.com/treytartt/honeydue-api/internal/config"
|
||||
"github.com/treytartt/honeydue-api/internal/models"
|
||||
@@ -165,9 +167,13 @@ func (h *SubscriptionWebhookHandler) HandleAppleWebhook(c echo.Context) error {
|
||||
if notification.NotificationUUID != "" {
|
||||
alreadyProcessed, err := h.webhookEventRepo.HasProcessed("apple", notification.NotificationUUID)
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msg("Apple Webhook: Failed to check dedup")
|
||||
// Continue processing on dedup check failure (fail-open)
|
||||
} else if alreadyProcessed {
|
||||
// Audit H6: fail closed. A dedup-check failure must not let a
|
||||
// possibly-duplicate event through (duplicate refunds/grants).
|
||||
// Return 500 so Apple retries once the DB is healthy.
|
||||
log.Error().Err(err).Msg("Apple Webhook: dedup check failed — returning 500 for retry")
|
||||
return c.JSON(http.StatusInternalServerError, map[string]interface{}{"error": "dedup check failed"})
|
||||
}
|
||||
if alreadyProcessed {
|
||||
log.Info().Str("uuid", notification.NotificationUUID).Msg("Apple Webhook: Duplicate event, skipping")
|
||||
return c.JSON(http.StatusOK, map[string]interface{}{"status": "duplicate"})
|
||||
}
|
||||
@@ -352,10 +358,24 @@ func (h *SubscriptionWebhookHandler) processAppleNotification(
|
||||
}
|
||||
|
||||
func (h *SubscriptionWebhookHandler) findUserByAppleTransaction(originalTransactionID string) (*models.User, error) {
|
||||
// Look up user subscription by stored receipt data
|
||||
subscription, err := h.subscriptionRepo.FindByAppleReceiptContains(originalTransactionID)
|
||||
// Audit C13: exact match on the indexed apple_original_transaction_id
|
||||
// column. Falls back to the legacy escaped-LIKE scan over
|
||||
// apple_receipt_data only for subscriptions created before that column
|
||||
// existed (and thus not yet populated).
|
||||
subscription, err := h.subscriptionRepo.FindByAppleOriginalTransactionID(originalTransactionID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
// Only fall back to the legacy substring scan when the exact-match
|
||||
// column genuinely had no row (a subscription created before the
|
||||
// column existed). A real DB error must propagate — masking it as
|
||||
// "not found" could bind the webhook to the wrong account via the
|
||||
// LIKE scan, or silently drop a legitimate event.
|
||||
if !errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
return nil, err
|
||||
}
|
||||
subscription, err = h.subscriptionRepo.FindByAppleReceiptContains(originalTransactionID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
user, err := h.userRepo.FindByID(subscription.UserID)
|
||||
@@ -566,9 +586,12 @@ func (h *SubscriptionWebhookHandler) HandleGoogleWebhook(c echo.Context) error {
|
||||
if messageID != "" {
|
||||
alreadyProcessed, err := h.webhookEventRepo.HasProcessed("google", messageID)
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msg("Google Webhook: Failed to check dedup")
|
||||
// Continue processing on dedup check failure (fail-open)
|
||||
} else if alreadyProcessed {
|
||||
// Audit H6: fail closed — see the Apple handler. Return 500 so
|
||||
// Google Pub/Sub redelivers once the DB is healthy.
|
||||
log.Error().Err(err).Msg("Google Webhook: dedup check failed — returning 500 for retry")
|
||||
return c.JSON(http.StatusInternalServerError, map[string]interface{}{"error": "dedup check failed"})
|
||||
}
|
||||
if alreadyProcessed {
|
||||
log.Info().Str("message_id", messageID).Msg("Google Webhook: Duplicate event, skipping")
|
||||
return c.JSON(http.StatusOK, map[string]interface{}{"status": "duplicate"})
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user