Harden backend auth paths, token lifecycle, and spoofable request metadata

docker/nginx/nginx.conf

@@ -53,7 +53,7 @@ http {
       proxy_pass http://betterbase_server;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_read_timeout 60s;
     }
@@ -62,13 +62,14 @@ http {
       proxy_pass http://betterbase_server;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
     }
 
     location /health {
       proxy_pass http://betterbase_server;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
     }
 
@@ -78,7 +79,7 @@ http {
       proxy_pass http://minio;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
       client_max_body_size 100m;
     }
@@ -88,7 +89,7 @@ http {
       proxy_pass http://betterbase_dashboard;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
       # SPA fallback
       proxy_intercept_errors on;
@@ -98,7 +99,7 @@ http {
     location @dashboard_fallback {
       proxy_pass http://betterbase_dashboard;
       proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
     }
 
@@ -110,7 +111,7 @@ http {
       proxy_set_header Connection "upgrade";
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_read_timeout 3600s;
     }

packages/server/migrations/017_revoked_admin_tokens.sql

@@ -0,0 +1,9 @@
+CREATE TABLE IF NOT EXISTS betterbase_meta.revoked_admin_tokens (
+  jti TEXT PRIMARY KEY,
+  admin_user_id TEXT REFERENCES betterbase_meta.admin_users(id) ON DELETE SET NULL,
+  revoked_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  expires_at TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_revoked_admin_tokens_expires_at
+  ON betterbase_meta.revoked_admin_tokens (expires_at);

packages/server/src/index.ts

@@ -36,7 +36,7 @@ app.use("*", async (c, next) => {
 
 	const projectId = c.req.header("X-Project-ID") ?? null;
 	const userAgent = c.req.header("User-Agent")?.slice(0, 255) ?? null;
-	const ip = c.req.header("X-Forwarded-For")?.split(",")[0] ?? null;
+	const ip = c.req.header("X-Real-IP") ?? null;
 
 	// Fire-and-forget log insert (don't await, don't fail requests on log error)
 	getPool()

packages/server/src/lib/audit.ts

@@ -71,7 +71,5 @@ export async function writeAuditLog(entry: AuditEntry): Promise<void> {
 
 // Helper: extract IP from Hono context
 export function getClientIp(headers: Headers): string {
-	return (
-		headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? headers.get("x-real-ip") ?? "unknown"
-	);
+	return headers.get("x-real-ip") ?? headers.get("x-forwarded-for")?.split(",").pop()?.trim() ?? "unknown";
 }

packages/server/src/lib/auth.ts

@@ -1,14 +1,16 @@
 import bcrypt from "bcryptjs";
+import { randomUUID } from "crypto";
 import { SignJWT, jwtVerify } from "jose";
 import type { Pool } from "pg";
+import { getPool } from "./db";
 import { validateEnv } from "./env";
 
 const getSecret = () => {
 	const env = validateEnv();
 	return new TextEncoder().encode(env.BETTERBASE_JWT_SECRET);
 };
 
-const TOKEN_EXPIRY = "30d";
+const TOKEN_EXPIRY = "8h";
 const BCRYPT_ROUNDS = 12;
 
 // --- Password ---
@@ -24,21 +26,67 @@ export async function verifyPassword(password: string, hash: string): Promise<bo
 // --- JWT for admin sessions ---
 
 export async function signAdminToken(adminUserId: string): Promise<string> {
+	const env = validateEnv();
 	return new SignJWT({ sub: adminUserId, type: "admin" })
 		.setProtectedHeader({ alg: "HS256" })
 		.setIssuedAt()
 		.setExpirationTime(TOKEN_EXPIRY)
+		.setIssuer(env.BETTERBASE_JWT_ISSUER)
+		.setAudience(env.BETTERBASE_JWT_AUDIENCE)
+		.setJti(randomUUID())
 		.sign(getSecret());
 }
 
-export async function verifyAdminToken(token: string): Promise<{ sub: string } | null> {
+export async function verifyAdminToken(
+	token: string,
+): Promise<{ sub: string; jti: string | undefined; exp?: number } | null> {
+	// Step 1: Verify JWT signature and payload validity
+	let payload: any;
 	try {
-		const { payload } = await jwtVerify(token, getSecret());
+		const env = validateEnv();
+		const verified = await jwtVerify(token, getSecret(), {
+			issuer: env.BETTERBASE_JWT_ISSUER,
+			audience: env.BETTERBASE_JWT_AUDIENCE,
+		});
+		payload = verified.payload;
+
 		if (payload.type !== "admin") return null;
-		return { sub: payload.sub as string };
+		if (!payload.sub) return null;
+
+		// Log warning if jti is missing
+		if (!payload.jti) {
+			console.warn(`[auth] Token missing jti claim (sub=${payload.sub})`);
+		}
 	} catch {
+		// Cryptographic verification failed - invalid token
 		return null;
 	}
+
+	// Step 2: Check revocation list (fail-closed on DB errors)
+	// Skip revocation check if jti is missing
+	if (payload.jti) {
+		try {
+			const pool = getPool();
+			const { rows } = await pool.query(
+				"SELECT 1 FROM betterbase_meta.revoked_admin_tokens WHERE jti = $1 LIMIT 1",
+				[payload.jti],
+			);
+			if (rows.length > 0) return null;
+		} catch (err) {
+			// DB/query error - log and fail closed
+			console.error(
+				`[auth] DB error checking token revocation (jti=${payload.jti}, sub=${payload.sub}):`,
+				err,
+			);
+			return null;
+		}
+	}
+
+	return {
+		sub: payload.sub as string,
+		jti: payload.jti as string | undefined,
+		exp: payload.exp as number | undefined
+	};
 }
 
 // --- Middleware helper: extract + verify token from Authorization header ---

packages/server/src/lib/env.ts

@@ -17,6 +17,8 @@ const EnvSchema = z.object({
 	INNGEST_SIGNING_KEY: z.string().optional(),
 	INNGEST_EVENT_KEY: z.string().optional(),
 	PORT: z.string().default("3000"),
+	BETTERBASE_JWT_ISSUER: z.string().default("betterbase"),
+	BETTERBASE_JWT_AUDIENCE: z.string().default("betterbase-admin"),
 });
 
 export type Env = z.infer<typeof EnvSchema>;
@@ -53,6 +55,15 @@ export function validateEnv(): Env {
 		result.data.INNGEST_EVENT_KEY = "betterbase-dev-event-key";
 	}
 
+	if (result.data.STORAGE_ENDPOINT) {
+		if (!result.data.STORAGE_ACCESS_KEY || !result.data.STORAGE_SECRET_KEY) {
+			console.error(
+				"[env] STORAGE_ACCESS_KEY and STORAGE_SECRET_KEY are required when STORAGE_ENDPOINT is set",
+			);
+			process.exit(1);
+		}
+	}
+
 	validatedEnv = result.data;
 	return validatedEnv;
 }

packages/server/src/lib/inngest.ts

@@ -1,21 +1,6 @@
 import { createHash } from "node:crypto";
 import { EventSchemas, Inngest } from "inngest";
-
-// ─── CSV Escaping Helper ───────────────────────────────────────────────────────
-// Helper to escape CSV values - prevents CSV injection and handles special characters
-const escapeCSVValue = (value: unknown): string => {
-	if (value === null || value === undefined) return "";
-	const str = String(value);
-	// Prefix formula injection characters (=, +, -, @, \t, \r, \n) with single quote
-	if (str.match(/^[=\+\-@\t\r\n]/)) {
-		return `"${str.replace(/"/g, '""')}"`;
-	}
-	// Wrap in quotes if contains comma, quote, or newline
-	if (str.includes(",") || str.includes('"') || str.includes("\n") || str.includes("\r")) {
-		return `"${str.replace(/"/g, '""')}"`;
-	}
-	return str;
-};
+import { escapeCSVValue } from "./csv";
 
 // Helper to validate schema name - prevents SQL injection
 const validateSchemaName = (slug: string): string => {
@@ -556,11 +541,35 @@ export const pollNotificationRules = inngest.createFunction(
 	},
 );
 
+// ─── Function: Cleanup Expired Revoked Tokens (Cron) ─────────────────────────
+
+export const cleanupExpiredTokens = inngest.createFunction(
+	{
+		id: "cleanup-expired-revoked-tokens",
+		retries: 1,
+	},
+	// Runs every hour
+	{ cron: "0 * * * *" },
+	async ({ step }) => {
+		const deleted = await step.run("delete-expired-tokens", async () => {
+			const { getPool } = await import("./db");
+			const pool = getPool();
+			const { rowCount } = await pool.query(
+				"DELETE FROM betterbase_meta.revoked_admin_tokens WHERE expires_at IS NOT NULL AND expires_at < NOW()",
+			);
+			return rowCount ?? 0;
+		});
+
+		return { deleted };
+	},
+);
+
 // ─── All functions (used in serve() registration) ────────────────────────────
 
 export const allInngestFunctions = [
 	deliverWebhook,
 	evaluateNotificationRule,
 	exportProjectUsers,
 	pollNotificationRules,
+	cleanupExpiredTokens,
 ];

packages/server/src/routes/admin/auth.ts

@@ -1,6 +1,7 @@
 import { zValidator } from "@hono/zod-validator";
 import { Hono } from "hono";
 import { z } from "zod";
+import { getClientIp, writeAuditLog } from "../../lib/audit";
 import {
 	extractBearerToken,
 	signAdminToken,
@@ -62,8 +63,40 @@ authRoutes.get("/me", async (c) => {
 	return c.json({ admin: rows[0] });
 });
 
-// POST /admin/auth/logout  (client-side token discard — stateless)
-authRoutes.post("/logout", (c) => c.json({ success: true }));
+// POST /admin/auth/logout
+authRoutes.post("/logout", async (c) => {
+	const token = extractBearerToken(c.req.header("Authorization"));
+	if (!token) return c.json({ success: true });
+
+	const payload = await verifyAdminToken(token);
+	if (!payload) return c.json({ success: true });
+
+	const pool = getPool();
+	// Only revoke if jti is present
+	if (payload.jti && payload.exp) {
+		await pool.query(
+			`INSERT INTO betterbase_meta.revoked_admin_tokens (jti, admin_user_id, expires_at)
+			 VALUES ($1, $2, to_timestamp($3))
+			 ON CONFLICT (jti) DO NOTHING`,
+			[payload.jti, payload.sub, payload.exp],
+		);
+	}
+
+	const { rows } = await pool.query("SELECT id, email FROM betterbase_meta.admin_users WHERE id = $1", [
+		payload.sub,
+	]);
+	if (rows.length > 0) {
+		await writeAuditLog({
+			actorId: rows[0].id,
+			actorEmail: rows[0].email,
+			action: "admin.logout",
+			ipAddress: getClientIp(c.req.raw.headers),
+			userAgent: c.req.header("User-Agent") ?? undefined,
+		});
+	}
+
+	return c.json({ success: true });
+});
 
 // GET /admin/auth/setup-status — check if admin exists (no body validation)
 authRoutes.get("/setup-status", async (c) => {

packages/server/src/routes/admin/project-scoped/users.ts

@@ -2,6 +2,7 @@ import { zValidator } from "@hono/zod-validator";
 import { Hono } from "hono";
 import { z } from "zod";
 import { getClientIp, writeAuditLog } from "../../../lib/audit";
+import { escapeCSVValue } from "../../../lib/csv";
 import { getPool } from "../../../lib/db";
 
 export const projectUserRoutes = new Hono();
@@ -233,14 +234,16 @@ projectUserRoutes.post("/export", async (c) => {
 		header +
 		rows
 			.map(
-				(r) => `${r.id},"${r.name}","${r.email}",${r.email_verified},${r.created_at},${r.banned}`,
+				(r) =>
+					`${escapeCSVValue(r.id)},${escapeCSVValue(r.name)},${escapeCSVValue(r.email)},${r.email_verified},${escapeCSVValue(r.created_at)},${r.banned}`,
 			)
 			.join("\n");
 
 	return new Response(csv, {
 		headers: {
-			"Content-Type": "text/csv",
+			"Content-Type": "text/csv; charset=utf-8",
 			"Content-Disposition": `attachment; filename="users-${project.slug}-${Date.now()}.csv"`,
+			"Content-Security-Policy": "default-src 'none'",
 		},
 	});
 });