admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): remediate 2026-05-12 audit findings (Stages 2–5)
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details

Browse Source 
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-05-16 22:28:33 -05:00
parent 2004f9c5b2
commit c77ff07ce9
59 changed files with 2819 additions and 1245 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/repositories/subscription_repo_test.go
+45
View File
@@ -226,3 +226,48 @@ func TestUpdateExpiresAt(t *testing.T) {
require.NotNil(t, updated.ExpiresAt)
assert.WithinDuration(t, newExpiry, *updated.ExpiresAt, time.Second, "expires_at should be updated")
}
// TestSubscriptionRepo_IAPTransactionReplayRejected is the regression test for
// audit C5/C6: an in-app-purchase transaction (an Apple original transaction
// ID or a Google purchase token) may be bound to exactly one account. Without
// that guarantee a valid receipt could be replayed against a second account
// to grant Pro for free. The guarantee is the pair of partial unique indexes
// added by migration 000004; AutoMigrate does not create them, so this test
// recreates them verbatim to exercise the same DB-level enforcement.
func TestSubscriptionRepo_IAPTransactionReplayRejected(t *testing.T) {
db := testutil.SetupTestDB(t)
require.NoError(t, db.Exec(`CREATE UNIQUE INDEX uq_subscription_apple_original_txn `+
`ON subscription_usersubscription (apple_original_transaction_id) `+
`WHERE apple_original_transaction_id IS NOT NULL AND apple_original_transaction_id <> ''`).Error)
require.NoError(t, db.Exec(`CREATE UNIQUE INDEX uq_subscription_google_purchase_token `+
`ON subscription_usersubscription (google_purchase_token) `+
`WHERE google_purchase_token IS NOT NULL AND google_purchase_token <> ''`).Error)
repo := NewSubscriptionRepository(db)
userA := testutil.CreateTestUser(t, db, "iapusera", "iapa@test.com", "password")
userB := testutil.CreateTestUser(t, db, "iapuserb", "iapb@test.com", "password")
require.NoError(t, db.Create(&models.UserSubscription{UserID: userA.ID, Tier: models.TierFree}).Error)
require.NoError(t, db.Create(&models.UserSubscription{UserID: userB.ID, Tier: models.TierFree}).Error)
t.Run("apple transaction cannot be claimed by a second account", func(t *testing.T) {
require.NoError(t, repo.UpdateAppleOriginalTransactionID(userA.ID, "apple-original-txn-1"),
"the first account binding the transaction must succeed")
err := repo.UpdateAppleOriginalTransactionID(userB.ID, "apple-original-txn-1")
require.Error(t, err,
"replaying account A's Apple transaction onto account B must be rejected (C5)")
})
t.Run("google purchase token cannot be claimed by a second account", func(t *testing.T) {
require.NoError(t, repo.UpdatePurchaseToken(userA.ID, "google-purchase-token-1"),
"the first account binding the token must succeed")
err := repo.UpdatePurchaseToken(userB.ID, "google-purchase-token-1")
require.Error(t, err,
"replaying account A's Google purchase token onto account B must be rejected (C6)")
})
t.Run("re-binding the same transaction to the same account is allowed", func(t *testing.T) {
// A renewal re-submitting the same transaction for its owner must not
// be rejected — the partial unique index excludes the row's own value.
require.NoError(t, repo.UpdateAppleOriginalTransactionID(userA.ID, "apple-original-txn-1"))
})
}