Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks

Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit).
2026-03-02 23:53:55 +00:00
parent be3f37cfdd
commit eb953cdea5
67 changed files with 4461 additions and 410 deletions
--- a/products/shared/auth.ts
+++ b/products/shared/auth.ts
@@ -15,21 +15,11 @@ export interface AuthPayload {
 }

 /**
- * JWT auth middleware. Extracts tenant context from Bearer token.
- * Also supports API key auth via `X-API-Key` header (dd0c_ prefix).
+ * Returns an onRequest hook that validates JWT or API key auth.
+ * No URL matching — only register this hook inside a protected plugin scope.
 */
-export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool) {
-  app.decorateRequest('tenantId', '');
-  app.decorateRequest('userId', '');
-  app.decorateRequest('userRole', 'viewer');
-
-  app.addHook('onRequest', async (req: FastifyRequest, reply: FastifyReply) => {
-    if (req.url === '/health') return;
-    if (req.url.startsWith('/webhooks/')) return;
-    if (req.url.startsWith('/slack/')) return;
-    const path = req.url.split('?')[0];
-    if (path === '/api/v1/auth/login' || path === '/api/v1/auth/signup') return;
-
+export function authHook(jwtSecret: string, pool: Pool) {
+  return async (req: FastifyRequest, reply: FastifyReply) => {
    const apiKey = req.headers['x-api-key'] as string | undefined;
    const authHeader = req.headers['authorization'];

@@ -38,7 +28,7 @@ export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool
        return reply.status(401).send({ error: 'Invalid API key format' });
      }

-      const prefix = apiKey.slice(0, 13); // dd0c_ + 8 hex chars
+      const prefix = apiKey.slice(0, 13);
      const keyHash = crypto.createHash('sha256').update(apiKey).digest('hex');

      const result = await pool.query(
@@ -61,7 +51,7 @@ export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool
    if (authHeader?.startsWith('Bearer ')) {
      const token = authHeader.slice(7);
      try {
-        const payload = jwt.verify(token, jwtSecret) as AuthPayload;
+        const payload = jwt.verify(token, jwtSecret, { algorithms: ['HS256'] }) as AuthPayload;
        (req as any).tenantId = payload.tenantId;
        (req as any).userId = payload.userId;
        (req as any).userRole = payload.role;
@@ -72,7 +62,7 @@ export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool
    }

    return reply.status(401).send({ error: 'Missing authentication' });
-  });
+  };
 }

 export function requireRole(req: FastifyRequest, reply: FastifyReply, minRole: AuthPayload['role']): boolean {
@@ -88,7 +78,7 @@ export function requireRole(req: FastifyRequest, reply: FastifyReply, minRole: A
 }

 export function signToken(payload: AuthPayload, secret: string, expiresIn = '24h'): string {
-  return jwt.sign(payload, secret, { expiresIn });
+  return jwt.sign(payload, secret, { expiresIn } as jwt.SignOptions);
 }

 // --- Password hashing (scrypt — no native bcrypt dep needed) ---
@@ -123,11 +113,21 @@ const loginSchema = z.object({
 const signupSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
-  tenant_name: z.string().min(1).max(100),
+  tenant_name: z.string().min(1).max(100).optional(),
+  invite_token: z.string().optional(),
+}).refine(
+  (data) => data.invite_token || data.tenant_name,
+  { message: 'Either tenant_name or invite_token is required', path: ['tenant_name'] },
+);
+
+const inviteSchema = z.object({
+  email: z.string().email(),
+  role: z.enum(['admin', 'member', 'viewer']).default('member'),
 });

+/** Public auth routes — login/signup. No auth required. */
 export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool: Pool) {
-  app.post('/api/v1/auth/login', async (req, reply) => {
+  app.post('/api/v1/auth/login', { config: { rateLimit: { max: 5, timeWindow: '1 minute' } } }, async (req, reply) => {
    const body = loginSchema.parse(req.body);

    const result = await pool.query(
@@ -152,29 +152,66 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
    return { token, expires_in: '24h' };
  });

-  app.post('/api/v1/auth/signup', async (req, reply) => {
+  app.post('/api/v1/auth/signup', { config: { rateLimit: { max: 3, timeWindow: '1 minute' } } }, async (req, reply) => {
    const body = signupSchema.parse(req.body);

-    // Check if email already exists
    const existing = await pool.query('SELECT id FROM users WHERE email = $1', [body.email]);
    if (existing.rows[0]) return reply.status(409).send({ error: 'Email already registered' });

    const passwordHash = await hashPassword(body.password);
-    const slug = body.tenant_name.toLowerCase().replace(/[^a-z0-9]+/g, '-').slice(0, 50);

    const client = await pool.connect();
    try {
      await client.query('BEGIN');

-      const tenant = await client.query(
-        `INSERT INTO tenants (name, slug) VALUES ($1, $2) RETURNING id`,
-        [body.tenant_name, slug],
-      );
-      const tenantId = tenant.rows[0].id;
+      let tenantId: string;
+      let role: string;
+
+      if (body.invite_token) {
+        // Invite-based signup
+        const invite = await client.query(
+          `SELECT id, tenant_id, role, expires_at, accepted_at FROM tenant_invites WHERE token = $1`,
+          [body.invite_token],
+        );
+        if (!invite.rows[0]) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'Invalid invite token' });
+        }
+        const inv = invite.rows[0];
+        if (inv.accepted_at) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'Invite already accepted' });
+        }
+        if (new Date(inv.expires_at) < new Date()) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'Invite expired' });
+        }
+
+        tenantId = inv.tenant_id;
+        role = inv.role;
+
+        await client.query(
+          `UPDATE tenant_invites SET accepted_at = NOW() WHERE id = $1`,
+          [inv.id],
+        );
+      } else {
+        // Normal signup — create new tenant
+        if (!body.tenant_name) {
+          await client.query('ROLLBACK');
+          return reply.status(400).send({ error: 'tenant_name is required for new signups' });
+        }
+        const slug = body.tenant_name.toLowerCase().replace(/[^a-z0-9]+/g, '-').slice(0, 42) + '-' + crypto.randomBytes(3).toString('hex');
+        const tenant = await client.query(
+          `INSERT INTO tenants (name, slug) VALUES ($1, $2) RETURNING id`,
+          [body.tenant_name, slug],
+        );
+        tenantId = tenant.rows[0].id;
+        role = 'owner';
+      }

      const user = await client.query(
-        `INSERT INTO users (tenant_id, email, password_hash, role) VALUES ($1, $2, $3, 'owner') RETURNING id`,
-        [tenantId, body.email, passwordHash],
+        `INSERT INTO users (tenant_id, email, password_hash, role) VALUES ($1, $2, $3, $4) RETURNING id`,
+        [tenantId, body.email, passwordHash, role],
      );

      await client.query('COMMIT');
@@ -183,7 +220,7 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
        tenantId,
        userId: user.rows[0].id,
        email: body.email,
-        role: 'owner',
+        role: role as AuthPayload['role'],
      }, jwtSecret);

      return reply.status(201).send({ token, tenant_id: tenantId, expires_in: '24h' });
@@ -194,7 +231,10 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
      client.release();
    }
  });
+}

+/** Protected auth routes — me, api-keys, invites. Must be registered inside an auth-protected plugin scope. */
+export function registerProtectedAuthRoutes(app: FastifyInstance, jwtSecret: string, pool: Pool) {
  app.get('/api/v1/auth/me', async (req, reply) => {
    return {
      tenant_id: (req as any).tenantId,
@@ -203,7 +243,6 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
    };
  });

-  // Generate API key
  app.post('/api/v1/auth/api-keys', async (req, reply) => {
    const tenantId = (req as any).tenantId;
    const userId = (req as any).userId;
@@ -219,7 +258,56 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
      [tenantId, userId, prefix, keyHash],
    );

-    // Return the raw key ONCE — it's never stored or retrievable again
    return reply.status(201).send({ api_key: rawKey, prefix });
  });
+
+  // --- Invite endpoints ---
+
+  // Create invite (admin+)
+  app.post('/api/v1/auth/invite', async (req, reply) => {
+    if (!requireRole(req, reply, 'admin')) return;
+    const tenantId = (req as any).tenantId;
+    const userId = (req as any).userId;
+    const body = inviteSchema.parse(req.body);
+
+    const token = crypto.randomBytes(32).toString('hex');
+    const result = await pool.query(
+      `INSERT INTO tenant_invites (tenant_id, email, role, token, invited_by)
+       VALUES ($1, $2, $3, $4, $5)
+       RETURNING expires_at`,
+      [tenantId, body.email, body.role, token, userId],
+    );
+
+    return reply.status(201).send({ invite_token: token, expires_at: result.rows[0].expires_at });
+  });
+
+  // List pending invites (admin+)
+  app.get('/api/v1/auth/invites', async (req, reply) => {
+    if (!requireRole(req, reply, 'admin')) return;
+    const tenantId = (req as any).tenantId;
+
+    const result = await pool.query(
+      `SELECT id, email, role, expires_at, created_at FROM tenant_invites
+       WHERE tenant_id = $1 AND accepted_at IS NULL AND expires_at > NOW()
+       ORDER BY created_at DESC`,
+      [tenantId],
+    );
+
+    return { invites: result.rows };
+  });
+
+  // Revoke invite (admin+)
+  app.delete('/api/v1/auth/invites/:id', async (req, reply) => {
+    if (!requireRole(req, reply, 'admin')) return;
+    const tenantId = (req as any).tenantId;
+    const { id } = req.params as { id: string };
+
+    const result = await pool.query(
+      `DELETE FROM tenant_invites WHERE id = $1 AND tenant_id = $2 AND accepted_at IS NULL RETURNING id`,
+      [id, tenantId],
+    );
+
+    if (!result.rows[0]) return reply.status(404).send({ error: 'Invite not found' });
+    return { deleted: true };
+  });
 }