fix: harden web runtime and follow-up auth/db security fixes (#21)

## Summary - harden the web runtime with JSON body limits, stricter generation input validation, rate limiting, and trusted Origin/Referer checks for cookie-authenticated mutations - redact password-reset tokens from debug email transport logs and fail closed for unsupported email providers - scope generation idempotency keys per user with a Prisma migration and regression coverage ## Testing - docker build -f infra/docker/web.Dockerfile -t nroxy-web-check . - docker run --rm --entrypoint sh nroxy-web-check -lc "pnpm --filter @nproxy/providers test && pnpm --filter @nproxy/db test && pnpm --filter @nproxy/web test" Closes #14 Closes #7 Closes #8 Co-authored-by: sirily <sirily@git.shararam.party> Reviewed-on: #21
2026-03-11 16:28:56 +03:00
parent 9641678fa3
commit 1a7250467e
14 changed files with 924 additions and 202 deletions
--- a/packages/providers/package.json
+++ b/packages/providers/package.json
@@ -16,7 +16,9 @@
  ],
  "scripts": {
    "build": "tsc -p tsconfig.json",
-    "check": "tsc -p tsconfig.json --noEmit"
+    "check": "tsc -p tsconfig.json --noEmit",
+    "pretest": "pnpm build",
+    "test": "node --test dist/**/*.test.js"
  },
  "dependencies": {
    "@nproxy/domain": "workspace:*"
--- a/packages/providers/src/email.test.ts
+++ b/packages/providers/src/email.test.ts
@@ -0,0 +1,43 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createEmailTransport } from "./email.js";
+
+test("example email transport redacts password-reset tokens before logging", async () => {
+  const transport = createEmailTransport({
+    provider: "example",
+    from: "noreply@nproxy.test",
+    apiKey: "unused",
+  });
+  const logMessages: string[] = [];
+  const originalConsoleLog = console.log;
+  console.log = (message?: unknown) => {
+    logMessages.push(String(message ?? ""));
+  };
+
+  try {
+    await transport.send({
+      to: "user@example.com",
+      subject: "Reset your password",
+      text: "Reset link: https://app.nproxy.test/reset-password?token=secret-token-123",
+    });
+  } finally {
+    console.log = originalConsoleLog;
+  }
+
+  assert.equal(logMessages.length, 1);
+  assert.match(logMessages[0] ?? "", /"mode":"debug_redacted"/);
+  assert.match(logMessages[0] ?? "", /token=\[REDACTED\]/);
+  assert.doesNotMatch(logMessages[0] ?? "", /secret-token-123/);
+});
+
+test("unsupported email providers fail closed", () => {
+  assert.throws(
+    () =>
+      createEmailTransport({
+        provider: "smtp",
+        from: "noreply@nproxy.test",
+        apiKey: "unused",
+      }),
+    /Unsupported email provider: smtp/,
+  );
+});
--- a/packages/providers/src/email.ts
+++ b/packages/providers/src/email.ts
@@ -20,29 +20,20 @@ export function createEmailTransport(config: {
          JSON.stringify({
            service: "email",
            provider: config.provider,
+            mode: "debug_redacted",
            from: config.from,
            to: input.to,
            subject: input.subject,
-            text: input.text,
+            textPreview: redactEmailText(input.text),
          }),
        );
      },
    };
  }

-  return {
-    async send(input) {
-      console.log(
-        JSON.stringify({
-          service: "email",
-          provider: config.provider,
-          mode: "noop_fallback",
-          from: config.from,
-          to: input.to,
-          subject: input.subject,
-          text: input.text,
-        }),
-      );
-    },
-  };
+  throw new Error(`Unsupported email provider: ${config.provider}`);
+}
+
+function redactEmailText(text: string): string {
+  return text.replace(/([?&]token=)[^&\s]+/gi, "$1[REDACTED]");
 }