fix(security): remediate 2026-05-12 audit findings (Stages 2–5)

Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews. Auth & sessions: - SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1) - local Google JWKS verification, iss/aud/exp checks (C2/C3) - constant-time login + generic errors (L1/LIVE-L11/LIVE-L13) - per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3) - verified-email gating, login rate limiting (LIVE-L19, H1-H3) IAP & webhooks: - Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6) - migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log) Authorization & races: - file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3) Secrets & deploy: - secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled - digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 22:28:33 -05:00
parent 2004f9c5b2
commit c77ff07ce9
59 changed files with 2819 additions and 1245 deletions
@@ -169,6 +169,34 @@ func (m *AuthMiddleware) OptionalTokenAuth() echo.MiddlewareFunc {
 	}
 }

+// RequireVerified returns middleware that rejects users whose email is not
+// verified (audit LIVE-L19). Apply it after TokenAuth to gate sensitive
+// actions — e.g. generating residence share codes — behind proof that the
+// account actually controls its email address.
+func (m *AuthMiddleware) RequireVerified() echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			user := GetAuthUser(c)
+			if user == nil {
+				return apperrors.Unauthorized("error.not_authenticated")
+			}
+			var verified bool
+			err := m.db.WithContext(c.Request().Context()).
+				Model(&models.UserProfile{}).
+				Where("user_id = ?", user.ID).
+				Select("verified").
+				Scan(&verified).Error
+			if err != nil {
+				return apperrors.Internal(err)
+			}
+			if !verified {
+				return apperrors.Forbidden("error.email_not_verified")
+			}
+			return next(c)
+		}
+	}
+}
+
 // extractToken extracts the token from the Authorization header
 func extractToken(c echo.Context) (string, error) {
 	authHeader := c.Request().Header.Get("Authorization")
@@ -297,7 +325,7 @@ func (m *AuthMiddleware) getUserFromDatabaseWithToken(ctx context.Context, token
 			u.last_login  AS u_last_login
 		`).
 		Joins("INNER JOIN auth_user u ON u.id = t.user_id").
-		Where("t.key = ?", token).
+		Where("t.key = ?", models.HashToken(token)). // audit C1: only the hash is stored
 		Limit(1).
 		Scan(&row).Error
 	if err != nil || row.Key == "" {
@@ -65,7 +65,7 @@ func TestTokenAuth_RejectsExpiredToken(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -86,7 +86,7 @@ func TestTokenAuth_AcceptsValidToken(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -112,7 +112,7 @@ func TestTokenAuth_AcceptsTokenAtBoundary(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -21,7 +21,7 @@ func TestTokenAuth_BearerScheme_Accepted(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Bearer "+token.Key)
+	req.Header.Set("Authorization", "Bearer "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -46,7 +46,7 @@ func TestTokenAuth_InvalidScheme_Rejected(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Basic "+token.Key)
+	req.Header.Set("Authorization", "Basic "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -110,7 +110,7 @@ func TestTokenAuth_InactiveUser_Rejected(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -156,7 +156,7 @@ func TestOptionalTokenAuth_ValidToken_SetsUser(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -182,7 +182,7 @@ func TestOptionalTokenAuth_ExpiredToken_IgnoresUser(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -242,7 +242,7 @@ func TestNewAuthMiddlewareWithConfig_CustomExpiryDays(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -270,7 +270,7 @@ func TestNewAuthMiddlewareWithConfig_ExpiredWithCustomExpiry(t *testing.T) {

 	e := echo.New()
 	req := httptest.NewRequest(http.MethodGet, "/api/test/", nil)
-	req.Header.Set("Authorization", "Token "+token.Key)
+	req.Header.Set("Authorization", "Token "+token.Plaintext)
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)

@@ -99,21 +99,23 @@ func parseTimezone(tz string) *time.Location {
 		return loc
 	}

-	// Try parsing as UTC offset (e.g., "-08:00", "+05:30")
-	// We parse a reference time with the given offset to extract the offset value
-	t, err := time.Parse("-07:00", tz)
-	if err == nil {
-		// time.Parse returns a time, we need to extract the offset
-		// The parsed time will have the offset embedded
-		_, offset := t.Zone()
-		return time.FixedZone(tz, offset)
+	// Try parsing as a UTC offset (e.g., "-08:00", "+05:30"). Audit H8:
+	// reject absurd offsets — real timezones are within ±14h of UTC — so a
+	// crafted X-Timezone header cannot shift date math arbitrarily.
+	const maxOffsetSeconds = 14 * 3600
+	if t, err := time.Parse("-07:00", tz); err == nil {
+		if _, offset := t.Zone(); offset >= -maxOffsetSeconds && offset <= maxOffsetSeconds {
+			return time.FixedZone(tz, offset)
+		}
+		return time.UTC
 	}

 	// Also try without colon (e.g., "-0800")
-	t, err = time.Parse("-0700", tz)
-	if err == nil {
-		_, offset := t.Zone()
-		return time.FixedZone(tz, offset)
+	if t, err := time.Parse("-0700", tz); err == nil {
+		if _, offset := t.Zone(); offset >= -maxOffsetSeconds && offset <= maxOffsetSeconds {
+			return time.FixedZone(tz, offset)
+		}
+		return time.UTC
 	}

 	// Default to UTC