
fix(security): harden auth, session, csrf, csp (sec-auth-01..09)#43

Open
Abdulkhalek-1 wants to merge 2 commits intomainfrom
fix/security-auth-2026-04-07

Conversation

@Abdulkhalek-1
Collaborator

Summary

Implements 9 security hardening plans covering OAuth, sessions, CSRF, and CSP.

| # | Plan | Fix |
|---|------|-----|
| 01 | session-secret-fail-fast | Hard-fail in production if `DASHBOARD_SESSION_SECRET` missing/short |
| 02 | oauth-open-redirect | Use `DASHBOARD_PUBLIC_URL` instead of `x-forwarded-host` |
| 03 | oauth-state-cookie-cleanup | Clear `oauth_state` cookie after validation |
| 04 | session-regeneration-on-login | Regenerate sessions on login to prevent fixation |
| 05 | stale-guild-cache | Re-fetch guild membership every 5 min in `requireGuildAdmin` |
| 06 | csrf-double-submit | CSRF double-submit token on mutating `/api` routes |
| 07 | csp-nonce-styles | Replace `unsafe-inline` with per-request CSP nonces |
| 08 | oauth-state-samesite-strict | `oauth_state` → `SameSite=Strict` |
| 09 | session-ttl-24h | Session TTL 7d → 24h with sliding renewal |

Changes

  • Modified: `config/src/index.ts`, `auth/routes.ts`, `server/index.ts`, `shared/session.ts`, `shared/middleware.ts`
  • New: `shared/csrf.ts`
  • Tests: `routes.test.ts`, `index.test.ts`, `csrf.test.ts`, `config/tests/index.test.ts`, plus updates to `session.test.ts`, `middleware.test.ts`, `auth.test.ts`

Follow-up required

The SPA client needs to fetch `/auth/csrf` and include `X-CSRF-Token` on POST/PUT/PATCH/DELETE. Not in this PR. Merging before the SPA update will break mutating API calls.

Test plan

  • `pnpm --filter @fluxcore/dashboard typecheck` — clean
  • `pnpm --filter @fluxcore/dashboard test` — 298 pass / 14 pre-existing baseline failures (one less than main; no new regressions)
  • Manual smoke: login flow with valid + spoofed `x-forwarded-host`
  • Manual smoke: session fixation prevention
  • Manual smoke: CSP nonce rendering on SPA pages
  • Manual smoke: verify CSRF rejection with/without token

🤖 Generated with Claude Code
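The double-submit flow the PR description outlines (GET `/auth/csrf` issues a token, mutating `/api` requests must carry the same value in `X-CSRF-Token`), written out as an added example. This is not the PR's `shared/csrf.ts`; the request shape, the `csrf_token` cookie name, the `/api` prefix test and the `demo()` walk-through are assumptions made for the example, and the request objects it checks are constructed inline.

```typescript
// Added example (not the PR's shared/csrf.ts): a double-submit CSRF check
// shaped like the flow the PR describes. Request type, cookie name, the
// /api prefix test and the demo requests are assumptions for this example.
import { randomBytes, timingSafeEqual } from "node:crypto";

export interface Req {
  method: string;
  path: string;
  headers: Record<string, string>; // assumed lower-cased header names
  cookies: Record<string, string>; // assumed already parsed
}

export type CsrfResult = { ok: true } | { ok: false; status: 403; reason: string };

const CSRF_COOKIE = "csrf_token";   // assumed cookie name
const CSRF_HEADER = "x-csrf-token"; // the X-CSRF-Token header the PR names
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Body of a GET /auth/csrf handler: mint a random token, return it in the
// response body for the SPA, and set the same value as a cookie. HttpOnly is
// fine because the client never reads the cookie, only the body.
export function issueCsrfToken(): { token: string; setCookie: string } {
  const token = randomBytes(32).toString("hex");
  return {
    token,
    setCookie: `${CSRF_COOKIE}=${token}; Path=/; HttpOnly; Secure; SameSite=Strict`,
  };
}

// Middleware body for mutating /api routes. A cross-site form or fetch can make
// the browser attach the cookie, but cannot read it or add the custom header,
// so requiring both to be present and equal rejects the forged request.
export function checkCsrf(req: Req): CsrfResult {
  if (!MUTATING.has(req.method.toUpperCase()) || !req.path.startsWith("/api")) {
    return { ok: true }; // safe methods and non-API paths are not protected
  }
  const fromCookie = req.cookies[CSRF_COOKIE];
  const fromHeader = req.headers[CSRF_HEADER];
  if (!fromCookie || !fromHeader) {
    return { ok: false, status: 403, reason: "missing CSRF token" };
  }
  const a = Buffer.from(fromCookie, "utf8");
  const b = Buffer.from(fromHeader, "utf8");
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { ok: false, status: 403, reason: "CSRF token mismatch" };
  }
  return { ok: true };
}

// Constructed walk-through: the SPA fetches a token, then three requests hit
// the API with the token cookie attached by the browser.
export function demo(): CsrfResult[] {
  const { token } = issueCsrfToken();
  const cookies = { [CSRF_COOKIE]: token };
  return [
    // GET is not a mutating method: passes without a header
    checkCsrf({ method: "GET", path: "/api/guilds", headers: {}, cookies }),
    // forged cross-site POST: cookie present, header absent -> 403
    checkCsrf({ method: "POST", path: "/api/guilds", headers: {}, cookies }),
    // SPA after the follow-up change: header matches cookie -> ok
    checkCsrf({ method: "POST", path: "/api/guilds", headers: { [CSRF_HEADER]: token }, cookies }),
  ];
}
```

The second request in `demo()` is exactly what breaks for the SPA until it is updated to send `X-CSRF-Token`, which is the "follow-up required" point above. Note that a plain double-submit check trusts whatever value sits in the cookie; it relies on an attacker being unable to set cookies for the dashboard's host, so `Secure` and the `SameSite=Strict` attribute are part of the hardening rather than decoration.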

Implements 9 security hardening plans covering OAuth, sessions, CSRF,
and CSP:

- sec-auth-01: hard-fail in production when DASHBOARD_SESSION_SECRET
  is missing or too short
- sec-auth-02: use trusted DASHBOARD_PUBLIC_URL for OAuth callback
  instead of attacker-controllable x-forwarded-host
- sec-auth-03: clear oauth_state cookie immediately after validation
  to prevent replay on failure
- sec-auth-04: regenerate sessions on login (drop existing rows for
  the user) to prevent fixation
- sec-auth-05: re-fetch fresh guild membership every 5 minutes in
  requireGuildAdmin to close stale-cache access window
- sec-auth-06: add CSRF double-submit token enforcement on mutating
  /api routes, issued via GET /auth/csrf
- sec-auth-07: replace style-src 'unsafe-inline' with per-request
  CSP nonces (helmet enableCSPNonces)
- sec-auth-08: tighten oauth_state cookie to SameSite=Strict
- sec-auth-09: reduce session TTL from 7 days to 24 hours

Adds DASHBOARD_PUBLIC_URL config field and new csrf.ts shared module.
Typecheck clean. Dashboard test suite: 14 fail / 298 pass -- net
improvement over baseline (15 failures); no new regressions.

Note: SPA client will need a follow-up change to fetch /auth/csrf and
include X-CSRF-Token on mutating requests.
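Two of the commit's items, the production fail-fast on `DASHBOARD_SESSION_SECRET` (sec-auth-01) and the switch from `x-forwarded-host` to `DASHBOARD_PUBLIC_URL` for the OAuth callback (sec-auth-02), as an added example in the project's language. It is not the PR's `config/src/index.ts` or `auth/routes.ts`; the env variable names are the PR's, while the 32-character minimum, the dev-mode fallbacks, the `/auth/callback` path and the `callbackUrlFromForwardedHost` "before" function are assumptions for the example.

```typescript
// Added example (not the PR's config/src/index.ts or auth/routes.ts): the
// fail-fast secret check and the config-derived callback URL, beside the
// header-derived pattern the PR replaces. Env names follow the PR; the
// minimum length, dev fallbacks and /auth/callback path are assumptions.
import { randomBytes } from "node:crypto";

export interface Env {
  NODE_ENV?: string;
  DASHBOARD_SESSION_SECRET?: string;
  DASHBOARD_PUBLIC_URL?: string;
}

export interface DashboardConfig {
  production: boolean;
  sessionSecret: string;
  publicUrl: URL;
}

const MIN_SECRET_LENGTH = 32; // assumed threshold for "too short"

export function loadConfig(env: Env): DashboardConfig {
  const production = env.NODE_ENV === "production";

  let sessionSecret = env.DASHBOARD_SESSION_SECRET ?? "";
  if (sessionSecret.length < MIN_SECRET_LENGTH) {
    if (production) {
      // Hard fail: a missing or short secret lets session cookies be forged.
      throw new Error(
        `DASHBOARD_SESSION_SECRET must be set and at least ${MIN_SECRET_LENGTH} characters in production`,
      );
    }
    // Dev fallback (assumption): a per-process random secret, so sessions
    // reset on restart instead of everyone sharing a known default.
    sessionSecret = randomBytes(32).toString("hex");
  }

  // Dev default is an assumption; production must set the variable.
  const rawUrl = env.DASHBOARD_PUBLIC_URL ?? (production ? "" : "http://localhost:3000");
  let publicUrl: URL;
  try {
    publicUrl = new URL(rawUrl);
  } catch {
    throw new Error("DASHBOARD_PUBLIC_URL must be an absolute URL");
  }
  if (production && publicUrl.protocol !== "https:") {
    throw new Error("DASHBOARD_PUBLIC_URL must use https in production");
  }
  return { production, sessionSecret, publicUrl };
}

// Before (the pattern sec-auth-02 removes): the host comes from a header that
// any client, or a proxy that forwards it unchecked, can set, so the callback
// URL the server builds is chosen by whoever sent the request.
export function callbackUrlFromForwardedHost(
  headers: Record<string, string>,
  fallbackHost: string,
): string {
  const host = headers["x-forwarded-host"] ?? headers["host"] ?? fallbackHost;
  const proto = headers["x-forwarded-proto"] ?? "https";
  return `${proto}://${host}/auth/callback`;
}

// After: the callback is derived only from operator-controlled config, so the
// same request headers produce the same URL no matter what they contain.
export function oauthCallbackUrl(config: DashboardConfig): string {
  return new URL("/auth/callback", config.publicUrl).toString();
}
```

`oauthCallbackUrl` assumes `DASHBOARD_PUBLIC_URL` is an origin; if the dashboard is served under a sub-path, resolve the callback relative to that path instead of against `/`. The fail-fast branch deliberately throws rather than logging, since a warning in production startup output is easy to miss and the process would otherwise run with a guessable or empty signing key.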