fix(security): cross-event authz, SSE ticket flow, account hardening, audit logs
Follow-up to the comprehensive code review. Five batches: 1. Cross-event authorization: host_delete_upload, unban_user, and host_delete_comment now scope by auth.event_id. Adds Upload::find_by_id_and_event / soft_delete_in_event and a Comment::soft_delete_in_event variant that joins through upload. 2. Token exposure: SSE auth no longer puts the JWT in the URL. New /api/v1/stream/ticket endpoint mints a short-lived single-use ticket bound to the session; the EventSource passes ?ticket=... instead. Refuse to start in APP_ENV=production with the dev JWT sentinel; warn loudly otherwise. 3. Account hardening: per-IP+name rate limit on /recover (mitigates targeted lockout DoS), per-IP rate limit on /admin/login, random 32-char admin recovery PIN (replaces "0000"), structured tracing events for wrong PIN, lockout, failed admin login, ban/unban/role change/pin-reset/host-delete. 4. DoS / correctness: comment listing paginated (LIMIT 50 + ?before= cursor), hashtag extraction whitelisted to ASCII alnum+underscore (≤40 chars) with unit tests, display_name / caption / comment body length validated in chars rather than bytes. 5. Cleanup: session-touch failures now logged, DATABASE_MAX_CONNECTIONS env var (default 10). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -15,6 +15,8 @@ import { getToken } from './auth';
|
||||
import { api } from './api';
|
||||
import type { DeltaResponse } from './types';
|
||||
|
||||
type StreamTicketResponse = { ticket: string };
|
||||
|
||||
type EventHandler = (data: string) => void;
|
||||
|
||||
let eventSource: EventSource | null = null;
|
||||
@@ -69,38 +71,59 @@ export function connectSse(): void {
|
||||
const token = getToken();
|
||||
if (!token || eventSource) return;
|
||||
|
||||
// EventSource doesn't support custom headers, so pass token as query param.
|
||||
eventSource = new EventSource(`/api/v1/stream?token=${encodeURIComponent(token)}`);
|
||||
|
||||
eventSource.onopen = () => {
|
||||
// Successful connection — reset the backoff counter.
|
||||
reconnectAttempt = 0;
|
||||
// If we have a previous timestamp this is a reconnect — fetch the gap.
|
||||
const since = lastEventTime;
|
||||
if (since) {
|
||||
void deltaFetchAndFan(since);
|
||||
// EventSource can't send an Authorization header, so we exchange the JWT for
|
||||
// a short-lived single-use ticket via POST /stream/ticket (Bearer auth) and
|
||||
// pass that on the URL. The JWT itself never appears in URLs / access logs.
|
||||
void (async () => {
|
||||
let ticket: string;
|
||||
try {
|
||||
const res = await api.post<StreamTicketResponse>('/stream/ticket', {});
|
||||
ticket = res.ticket;
|
||||
} catch {
|
||||
// Failed to mint a ticket (auth lapse, network blip). Back off and retry
|
||||
// via the existing error path.
|
||||
scheduleReconnect();
|
||||
return;
|
||||
}
|
||||
lastEventTime = new Date().toISOString();
|
||||
};
|
||||
// Auth flow may have torn things down while we were awaiting the ticket.
|
||||
if (!getToken() || eventSource) return;
|
||||
|
||||
for (const eventName of KNOWN_EVENTS) {
|
||||
eventSource.addEventListener(eventName, (e) =>
|
||||
dispatch(eventName, (e as MessageEvent).data)
|
||||
);
|
||||
}
|
||||
eventSource = new EventSource(`/api/v1/stream?ticket=${encodeURIComponent(ticket)}`);
|
||||
|
||||
eventSource.onerror = () => {
|
||||
// EventSource auto-reconnects but the connection state can stay broken; close
|
||||
// and try again ourselves with exponential backoff capped at 60s. Prevents
|
||||
// retry storms (and lets the backend recover quietly) when the server is down
|
||||
// for a while or when 100+ guests reconnect simultaneously after an outage.
|
||||
disconnectSse();
|
||||
reconnectAttempt++;
|
||||
const delay = Math.min(60_000, 1_000 * 2 ** (reconnectAttempt - 1));
|
||||
const jitter = Math.random() * 500;
|
||||
if (reconnectTimer) clearTimeout(reconnectTimer);
|
||||
reconnectTimer = setTimeout(connectSse, delay + jitter);
|
||||
};
|
||||
eventSource.onopen = () => {
|
||||
// Successful connection — reset the backoff counter.
|
||||
reconnectAttempt = 0;
|
||||
// If we have a previous timestamp this is a reconnect — fetch the gap.
|
||||
const since = lastEventTime;
|
||||
if (since) {
|
||||
void deltaFetchAndFan(since);
|
||||
}
|
||||
lastEventTime = new Date().toISOString();
|
||||
};
|
||||
|
||||
for (const eventName of KNOWN_EVENTS) {
|
||||
eventSource.addEventListener(eventName, (e) =>
|
||||
dispatch(eventName, (e as MessageEvent).data)
|
||||
);
|
||||
}
|
||||
|
||||
eventSource.onerror = () => {
|
||||
// EventSource auto-reconnects but the connection state can stay broken; close
|
||||
// and try again ourselves with exponential backoff capped at 60s. Prevents
|
||||
// retry storms (and lets the backend recover quietly) when the server is down
|
||||
// for a while or when 100+ guests reconnect simultaneously after an outage.
|
||||
disconnectSse();
|
||||
scheduleReconnect();
|
||||
};
|
||||
})();
|
||||
}
|
||||
|
||||
function scheduleReconnect(): void {
|
||||
reconnectAttempt++;
|
||||
const delay = Math.min(60_000, 1_000 * 2 ** (reconnectAttempt - 1));
|
||||
const jitter = Math.random() * 500;
|
||||
if (reconnectTimer) clearTimeout(reconnectTimer);
|
||||
reconnectTimer = setTimeout(connectSse, delay + jitter);
|
||||
}
|
||||
|
||||
export function disconnectSse(): void {
|
||||
|
||||
Reference in New Issue
Block a user