Trey t
c77ff07ce9
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews. Auth & sessions: - SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1) - local Google JWKS verification, iss/aud/exp checks (C2/C3) - constant-time login + generic errors (L1/LIVE-L11/LIVE-L13) - per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3) - verified-email gating, login rate limiting (LIVE-L19, H1-H3) IAP & webhooks: - Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6) - migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log) Authorization & races: - file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3) Secrets & deploy: - secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled - digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
48 lines
2.2 KiB
SQL
48 lines
2.2 KiB
SQL
-- +goose Up
|
|
-- Audit C5/C6/C10/C13: bind each in-app-purchase transaction to exactly one
|
|
-- account so a valid receipt cannot be replayed against a second account to
|
|
-- grant Pro for free.
|
|
--
|
|
-- apple_original_transaction_id is a dedicated, indexed column — it replaces
|
|
-- the LIKE '%...%' scan over apple_receipt_data that the Apple webhook used
|
|
-- to find users (C13). google_purchase_token already exists; we just add the
|
|
-- uniqueness guarantee.
|
|
ALTER TABLE subscription_usersubscription
|
|
ADD COLUMN IF NOT EXISTS apple_original_transaction_id text;
|
|
|
|
-- Partial unique indexes: one account per transaction. NULL/empty rows are
|
|
-- excluded so accounts without an IAP are unaffected.
|
|
CREATE UNIQUE INDEX IF NOT EXISTS uq_subscription_apple_original_txn
|
|
ON subscription_usersubscription (apple_original_transaction_id)
|
|
WHERE apple_original_transaction_id IS NOT NULL
|
|
AND apple_original_transaction_id <> '';
|
|
|
|
-- Pre-flight dedup for the Google index below. apple_original_transaction_id
|
|
-- is brand-new (added above), so it is all-NULL and cannot collide. But
|
|
-- google_purchase_token is a pre-existing column, and the C6 replay bug being
|
|
-- fixed here is exactly "the same token bound to multiple accounts" — so
|
|
-- duplicate rows may exist and would make the UNIQUE index below fail to
|
|
-- build, aborting the migrate Job. Keep the earliest subscription row for
|
|
-- each token and clear the token on the rest; those rows lose a binding that
|
|
-- was disputed anyway, while the original (earliest) owner keeps it.
|
|
UPDATE subscription_usersubscription s
|
|
SET google_purchase_token = NULL
|
|
WHERE google_purchase_token IS NOT NULL
|
|
AND google_purchase_token <> ''
|
|
AND id <> (
|
|
SELECT MIN(s2.id)
|
|
FROM subscription_usersubscription s2
|
|
WHERE s2.google_purchase_token = s.google_purchase_token
|
|
);
|
|
|
|
CREATE UNIQUE INDEX IF NOT EXISTS uq_subscription_google_purchase_token
|
|
ON subscription_usersubscription (google_purchase_token)
|
|
WHERE google_purchase_token IS NOT NULL
|
|
AND google_purchase_token <> '';
|
|
|
|
-- +goose Down
|
|
DROP INDEX IF EXISTS uq_subscription_google_purchase_token;
|
|
DROP INDEX IF EXISTS uq_subscription_apple_original_txn;
|
|
ALTER TABLE subscription_usersubscription
|
|
DROP COLUMN IF EXISTS apple_original_transaction_id;
|