fix(security): remediate 2026-05-12 audit findings (Stages 2–5)
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews. Auth & sessions: - SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1) - local Google JWKS verification, iss/aud/exp checks (C2/C3) - constant-time login + generic errors (L1/LIVE-L11/LIVE-L13) - per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3) - verified-email gating, login rate limiting (LIVE-L19, H1-H3) IAP & webhooks: - Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6) - migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log) Authorization & races: - file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3) Secrets & deploy: - secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled - digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
@@ -308,7 +308,18 @@ func (s *NotificationService) registerAPNSDevice(ctx context.Context, userID uin
|
||||
// Check if device exists
|
||||
existing, err := s.notificationRepo.WithContext(ctx).FindAPNSDeviceByToken(req.RegistrationID)
|
||||
if err == nil {
|
||||
// Update existing device
|
||||
// Audit C8 / LOW-3: APNs device tokens are recycled across devices,
|
||||
// app reinstalls and OS reassignments, so a token already bound to a
|
||||
// different account is a stale binding — not a hijack. Reassign it to
|
||||
// the current (authenticated) registrant rather than reject: a 409
|
||||
// here would lock the legitimate new owner of a recycled token out of
|
||||
// push entirely. The reassignment is logged as a security-relevant
|
||||
// event so a genuine token-takeover attempt is still traceable.
|
||||
if existing.UserID != nil && *existing.UserID != userID {
|
||||
log.Warn().Uint("user_id", userID).Uint("previous_owner_id", *existing.UserID).
|
||||
Msg("APNS device token reassigned to a new account")
|
||||
}
|
||||
// Update existing device — reassign to the current user
|
||||
existing.UserID = &userID
|
||||
existing.Active = true
|
||||
existing.Name = req.Name
|
||||
@@ -337,7 +348,18 @@ func (s *NotificationService) registerGCMDevice(ctx context.Context, userID uint
|
||||
// Check if device exists
|
||||
existing, err := s.notificationRepo.WithContext(ctx).FindGCMDeviceByToken(req.RegistrationID)
|
||||
if err == nil {
|
||||
// Update existing device
|
||||
// Audit C8 / LOW-3: FCM device tokens are recycled across devices,
|
||||
// app reinstalls and OS reassignments, so a token already bound to a
|
||||
// different account is a stale binding — not a hijack. Reassign it to
|
||||
// the current (authenticated) registrant rather than reject: a 409
|
||||
// here would lock the legitimate new owner of a recycled token out of
|
||||
// push entirely. The reassignment is logged as a security-relevant
|
||||
// event so a genuine token-takeover attempt is still traceable.
|
||||
if existing.UserID != nil && *existing.UserID != userID {
|
||||
log.Warn().Uint("user_id", userID).Uint("previous_owner_id", *existing.UserID).
|
||||
Msg("GCM device token reassigned to a new account")
|
||||
}
|
||||
// Update existing device — reassign to the current user
|
||||
existing.UserID = &userID
|
||||
existing.Active = true
|
||||
existing.Name = req.Name
|
||||
|
||||
Reference in New Issue
Block a user