From 3fd3285c137dc0468ce43385307efa22de4bea1c Mon Sep 17 00:00:00 2001 From: Steve Dogiakos Date: Thu, 11 Jun 2026 21:54:35 -0600 Subject: [PATCH] fix(auth): harden session lifecycle, reset links, and OIDC logging - Fix session store expiry: cookie.maxAge is already in milliseconds, so stored sessions outlived the cookie by 1000x - Regenerate the session ID on login, first-run setup, and OIDC login to prevent session fixation - Mark session cookies Secure on TLS connections (secure: 'auto') and add TRUST_PROXY support for reverse-proxy deployments - Build password reset links from APP_BASE_URL instead of the Host header to prevent reset-link poisoning - Rate-limit forgot-password requests (5 per IP per 15 minutes) - Strip OIDC debug logging that leaked authorization codes, subject IDs, and emails to logs --- .env.example | 8 ++ README.md | 5 ++ docker-compose.yml | 4 + src/app.js | 10 ++- src/lib/SessionStore.js | 3 +- src/routes/auth.js | 163 ++++++++++++++++++++-------------------- 6 files changed, 109 insertions(+), 84 deletions(-) diff --git a/.env.example b/.env.example index 4afb6f3..efd94b9 100644 --- a/.env.example +++ b/.env.example @@ -6,6 +6,14 @@ SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days) PORT=3000 DB_PATH=/app/data/check-printing.db +# Public base URL of the app — used to build password reset links. +# Strongly recommended in production (prevents host-header link poisoning). +APP_BASE_URL=https://checks.example.com + +# Set to 1 when running behind a reverse proxy (TLS termination) so client IPs +# and HTTPS detection work correctly. Leave unset for direct LAN access. +TRUST_PROXY= + # OIDC / SSO (optional — omit or leave blank to disable) OIDC_ENABLED=false OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration diff --git a/README.md b/README.md index 6f1203b..8ba8e18 100644 --- a/README.md +++ b/README.md @@ -162,6 +162,8 @@ docker exec -it check-printing node migrations/import-mdb.js \ | `SESSION_MAX_AGE_HOURS` | `168` | Session lifetime in hours (default 7 days) | | `PORT` | `3000` | HTTP listen port | | `DB_PATH` | `/app/data/check-printing.db` | SQLite database file path | +| `APP_BASE_URL` | *(empty)* | Public base URL used in password reset links, e.g. `https://checks.example.com`. Recommended in production | +| `TRUST_PROXY` | *(empty)* | Set to `1` when running behind a reverse proxy so client IPs and HTTPS detection work correctly | | `OIDC_ENABLED` | *(empty)* | Set to `true` or `1` to enable OIDC login | | `OIDC_DISCOVERY_URL` | *(empty)* | Provider's `.well-known/openid-configuration` URL | | `OIDC_CLIENT_ID` | *(empty)* | OIDC client ID | @@ -185,6 +187,9 @@ services: - check-printing-data:/app/data environment: - SESSION_SECRET=${SESSION_SECRET} + # Optional: public base URL for reset links, reverse-proxy support + - APP_BASE_URL=${APP_BASE_URL:-} + - TRUST_PROXY=${TRUST_PROXY:-} # Optional: OIDC / SSO - OIDC_ENABLED=${OIDC_ENABLED:-} - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-} diff --git a/docker-compose.yml b/docker-compose.yml index 9e4ad2f..e0f456b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -14,6 +14,10 @@ services: - DB_PATH=/app/data/check-printing.db # Required in production — generate with: openssl rand -hex 32 - SESSION_SECRET=${SESSION_SECRET} + # Public base URL for password reset links (recommended) + - APP_BASE_URL=${APP_BASE_URL:-} + # Set to 1 when behind a reverse proxy / TLS termination + - TRUST_PROXY=${TRUST_PROXY:-} # OIDC / SSO (optional — omit or leave blank to disable) - OIDC_ENABLED=${OIDC_ENABLED:-} - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-} diff --git a/src/app.js b/src/app.js index d407bef..88021d7 100644 --- a/src/app.js +++ b/src/app.js @@ -27,12 +27,20 @@ const SESSION_SECRET = process.env.SESSION_SECRET; const SESSION_MAX_AGE_MS = (parseInt(process.env.SESSION_MAX_AGE_HOURS, 10) || 168) * 60 * 60 * 1000; +// Behind a reverse proxy (TLS termination), set TRUST_PROXY=1 so req.ip and +// req.protocol reflect the original client instead of the proxy. +if (process.env.TRUST_PROXY === '1' || process.env.TRUST_PROXY === 'true') { + app.set('trust proxy', 1); +} + app.use(session({ store: new SessionStore(db), secret: SESSION_SECRET, resave: false, saveUninitialized: false, - cookie: { httpOnly: true, sameSite: 'strict', maxAge: SESSION_MAX_AGE_MS }, + // secure: 'auto' marks the cookie Secure only on TLS connections, so plain-HTTP + // LAN deployments keep working while proxied HTTPS deployments get Secure cookies + cookie: { httpOnly: true, sameSite: 'strict', secure: 'auto', maxAge: SESSION_MAX_AGE_MS }, })); // Security headers diff --git a/src/lib/SessionStore.js b/src/lib/SessionStore.js index b169f1e..bf9d8ef 100644 --- a/src/lib/SessionStore.js +++ b/src/lib/SessionStore.js @@ -28,8 +28,9 @@ class SessionStore extends Store { set(sid, sess, cb) { try { + // cookie.maxAge is already in milliseconds const maxAge = (sess.cookie && sess.cookie.maxAge) - ? sess.cookie.maxAge * 1000 + ? sess.cookie.maxAge : 7 * 24 * 60 * 60 * 1000; const expired = Date.now() + maxAge; this.db.prepare( diff --git a/src/routes/auth.js b/src/routes/auth.js index 4211abf..6423a1f 100644 --- a/src/routes/auth.js +++ b/src/routes/auth.js @@ -15,45 +15,57 @@ function validatePassword(password) { return null; } -// ── Login rate limiter ──────────────────────────────────────────────────────── -// Tracks failed login attempts per IP. After 10 failures within 15 minutes, +// ── Rate limiting ───────────────────────────────────────────────────────────── +// Sliding-window counter per key (IP). After `max` hits within `windowMs`, // further attempts are blocked until the window resets. -const loginAttempts = new Map(); // ip -> { count, resetAt } -const RATE_WINDOW_MS = 15 * 60 * 1000; // 15 minutes -const RATE_MAX_FAILS = 10; +function makeRateLimiter(max, windowMs) { + const attempts = new Map(); // key -> { count, resetAt } -function checkLoginRate(ip) { - const now = Date.now(); - const entry = loginAttempts.get(ip); - if (!entry || now > entry.resetAt) { - loginAttempts.set(ip, { count: 0, resetAt: now + RATE_WINDOW_MS }); - return true; // allow - } - return entry.count < RATE_MAX_FAILS; + // Purge stale entries every 30 minutes to prevent unbounded memory growth + setInterval(() => { + const now = Date.now(); + for (const [key, entry] of attempts) { + if (now > entry.resetAt) attempts.delete(key); + } + }, 30 * 60 * 1000).unref(); + + return { + allowed(key) { + const entry = attempts.get(key); + if (!entry || Date.now() > entry.resetAt) return true; + return entry.count < max; + }, + record(key) { + const now = Date.now(); + const entry = attempts.get(key); + if (!entry || now > entry.resetAt) { + attempts.set(key, { count: 1, resetAt: now + windowMs }); + } else { + entry.count++; + } + }, + clear(key) { + attempts.delete(key); + }, + }; } -function recordLoginFailure(ip) { - const now = Date.now(); - const entry = loginAttempts.get(ip); - if (!entry || now > entry.resetAt) { - loginAttempts.set(ip, { count: 1, resetAt: now + RATE_WINDOW_MS }); - } else { - entry.count++; - } -} +// 10 failed logins per IP per 15 minutes +const loginLimiter = makeRateLimiter(10, 15 * 60 * 1000); +// 5 reset emails per IP per 15 minutes (counts every request, success or not) +const resetLimiter = makeRateLimiter(5, 15 * 60 * 1000); -function clearLoginFailures(ip) { - loginAttempts.delete(ip); +// Regenerates the session ID before establishing a login (prevents session fixation) +function establishSession(req, user, cb) { + req.session.regenerate(err => { + if (err) return cb(err); + req.session.userId = user.id; + req.session.username = user.username; + req.session.role = user.role; + cb(null); + }); } -// Purge stale entries every 30 minutes to prevent unbounded memory growth -setInterval(() => { - const now = Date.now(); - for (const [ip, entry] of loginAttempts) { - if (now > entry.resetAt) loginAttempts.delete(ip); - } -}, 30 * 60 * 1000).unref(); - // GET /api/auth/setup-needed — true when no users exist (first-run) router.get('/setup-needed', (req, res) => { const { n } = db.prepare('SELECT COUNT(*) AS n FROM users').get(); @@ -75,18 +87,18 @@ router.post('/setup', async (req, res) => { "INSERT INTO users (username, password_hash, role) VALUES (?, ?, 'admin')" ).run(username.trim(), hash); - req.session.userId = result.lastInsertRowid; - req.session.username = username.trim(); - req.session.role = 'admin'; - - res.status(201).json({ id: result.lastInsertRowid, username: username.trim(), role: 'admin' }); + const user = { id: result.lastInsertRowid, username: username.trim(), role: 'admin' }; + establishSession(req, user, err => { + if (err) return res.status(500).json({ error: 'Failed to create session.' }); + res.status(201).json(user); + }); }); // POST /api/auth/login router.post('/login', async (req, res) => { const ip = req.ip || req.socket.remoteAddress || 'unknown'; - if (!checkLoginRate(ip)) { + if (!loginLimiter.allowed(ip)) { return res.status(429).json({ error: 'Too many failed login attempts. Please try again later.' }); } @@ -95,22 +107,21 @@ router.post('/login', async (req, res) => { const user = db.prepare('SELECT * FROM users WHERE username = ? COLLATE NOCASE').get(username.trim()); if (!user) { - recordLoginFailure(ip); + loginLimiter.record(ip); return res.status(401).json({ error: 'Invalid username or password.' }); } const match = await bcrypt.compare(password, user.password_hash); if (!match) { - recordLoginFailure(ip); + loginLimiter.record(ip); return res.status(401).json({ error: 'Invalid username or password.' }); } - clearLoginFailures(ip); - req.session.userId = user.id; - req.session.username = user.username; - req.session.role = user.role; - - res.json({ id: user.id, username: user.username, role: user.role }); + loginLimiter.clear(ip); + establishSession(req, user, err => { + if (err) return res.status(500).json({ error: 'Failed to create session.' }); + res.json({ id: user.id, username: user.username, role: user.role }); + }); }); // POST /api/auth/logout @@ -154,6 +165,12 @@ router.post('/change-password', async (req, res) => { // POST /api/auth/forgot-password — always 200 to avoid user enumeration router.post('/forgot-password', async (req, res) => { + const ip = req.ip || req.socket.remoteAddress || 'unknown'; + if (!resetLimiter.allowed(ip)) { + return res.status(429).json({ error: 'Too many reset requests. Please try again later.' }); + } + resetLimiter.record(ip); + const { email } = req.body; if (!email) return res.status(400).json({ error: 'Email is required.' }); @@ -168,7 +185,9 @@ router.post('/forgot-password', async (req, res) => { db.prepare('INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)').run(user.id, tokenHash, expiresAt); })(); - const baseUrl = `${req.protocol}://${req.get('host')}`; + // Prefer the configured base URL; deriving it from the Host header lets an + // attacker poison reset links (host header injection) + const baseUrl = (process.env.APP_BASE_URL || `${req.protocol}://${req.get('host')}`).replace(/\/+$/, ''); const resetLink = `${baseUrl}/#reset?token=${token}`; try { @@ -221,17 +240,13 @@ function getOidcSettings() { async function getOidcClient(settings) { const { Issuer } = require('openid-client'); - console.log('[oidc] discovering issuer from:', settings.discovery_url); const issuer = await Issuer.discover(settings.discovery_url); - console.log('[oidc] discovered issuer:', issuer.issuer); - const client = new issuer.Client({ + return new issuer.Client({ client_id: settings.client_id, client_secret: settings.client_secret, redirect_uris: [settings.redirect_uri], response_types: ['code'], }); - console.log('[oidc] client created, redirect_uri:', settings.redirect_uri); - return client; } // GET /api/auth/oidc/config — public, returns whether OIDC is enabled + button label @@ -244,8 +259,6 @@ router.get('/oidc/config', (req, res) => { router.get('/oidc/authorize', async (req, res) => { try { const settings = getOidcSettings(); - console.log('[oidc] authorize: enabled=%s, discovery_url=%s, client_id=%s, redirect_uri=%s', - settings.enabled, settings.discovery_url, settings.client_id, settings.redirect_uri); if (!settings.enabled) return res.status(400).json({ error: 'OIDC is not enabled.' }); const { generators } = require('openid-client'); @@ -266,11 +279,10 @@ router.get('/oidc/authorize', async (req, res) => { code_challenge_method: 'S256', }); - console.log('[oidc] authorize: redirecting to:', authUrl.substring(0, 200) + '...'); // Ensure session is persisted before redirecting (saveUninitialized is false) req.session.save(() => res.redirect(authUrl)); } catch (err) { - console.error('[oidc] authorize error:', err.message, err.stack); + console.error('[oidc] authorize error:', err.message); res.redirect('/#oidc-error=' + encodeURIComponent('Failed to initiate SSO login.')); } }); @@ -278,7 +290,6 @@ router.get('/oidc/authorize', async (req, res) => { // GET /api/auth/oidc/callback — handles the provider redirect router.get('/oidc/callback', async (req, res) => { try { - console.log('[oidc] callback: query params:', JSON.stringify(req.query)); const settings = getOidcSettings(); if (!settings.enabled) return res.redirect('/#oidc-error=' + encodeURIComponent('OIDC is not enabled.')); @@ -287,12 +298,9 @@ router.get('/oidc/callback', async (req, res) => { console.error('[oidc] callback: no oidc session data found — session may have expired or cookie lost'); return res.redirect('/#oidc-error=' + encodeURIComponent('Session expired. Please try again.')); } - console.log('[oidc] callback: session has oidc data, linking=%s, linkUserId=%s', - !!oidcSession.linking, oidcSession.linkUserId || 'n/a'); const client = await getOidcClient(settings); const params = client.callbackParams(req); - console.log('[oidc] callback: exchanging code for tokens...'); const tokenSet = await client.callback(settings.redirect_uri, params, { code_verifier: oidcSession.code_verifier, @@ -303,25 +311,21 @@ router.get('/oidc/callback', async (req, res) => { const claims = tokenSet.claims(); const sub = claims.sub; const issuer = claims.iss; - console.log('[oidc] callback: token exchange OK, sub=%s, iss=%s, email=%s, name=%s', - sub, issuer, claims.email || 'n/a', claims.name || 'n/a'); delete req.session.oidc; // Self-service linking flow if (oidcSession.linking && oidcSession.linkUserId) { - console.log('[oidc] callback: linking flow for userId=%s', oidcSession.linkUserId); const existing = db.prepare( 'SELECT id FROM users WHERE oidc_issuer = ? AND oidc_sub = ? AND id != ?' ).get(issuer, sub, oidcSession.linkUserId); if (existing) { - console.warn('[oidc] callback: identity already linked to userId=%s', existing.id); return res.redirect('/#oidc-error=' + encodeURIComponent('This identity is already linked to another account.')); } db.prepare("UPDATE users SET oidc_sub = ?, oidc_issuer = ?, updated_at = datetime('now') WHERE id = ?") .run(sub, issuer, oidcSession.linkUserId); - console.log('[oidc] callback: linked sub=%s to userId=%s', sub, oidcSession.linkUserId); + console.log('[oidc] linked identity to userId=%s', oidcSession.linkUserId); return res.redirect('/#oidc-linked'); } @@ -331,26 +335,23 @@ router.get('/oidc/callback', async (req, res) => { ).get(issuer, sub); if (!user) { - console.warn('[oidc] callback: no user found for iss=%s sub=%s — not linked', issuer, sub); + console.warn('[oidc] callback: identity not linked to any user'); return res.redirect('/#oidc-error=' + encodeURIComponent( 'No account is linked to this identity. Ask an admin to link your account, or sign in with your password and link it yourself.' )); } - console.log('[oidc] callback: login success, userId=%s, username=%s, role=%s', user.id, user.username, user.role); - req.session.userId = user.id; - req.session.username = user.username; - req.session.role = user.role; - - // Load account access into session (mirrors login behavior) - if (user.role !== 'admin') { - const accts = db.prepare('SELECT account_id, role FROM user_accounts WHERE user_id = ?').all(user.id); - req.session.accounts = accts; - } - - res.redirect('/'); + console.log('[oidc] login success for userId=%s', user.id); + establishSession(req, user, err => { + if (err) return res.redirect('/#oidc-error=' + encodeURIComponent('SSO login failed. Please try again.')); + // Load account access into session (mirrors login behavior) + if (user.role !== 'admin') { + req.session.accounts = db.prepare('SELECT account_id, role FROM user_accounts WHERE user_id = ?').all(user.id); + } + res.redirect('/'); + }); } catch (err) { - console.error('[oidc] callback error:', err.message, err.stack); + console.error('[oidc] callback error:', err.message); res.redirect('/#oidc-error=' + encodeURIComponent('SSO login failed. Please try again.')); } }); @@ -362,7 +363,6 @@ router.get('/oidc/link', async (req, res) => { } try { - console.log('[oidc] link: userId=%s initiating linking flow', req.session.userId); const settings = getOidcSettings(); if (!settings.enabled) return res.redirect('/#oidc-error=' + encodeURIComponent('OIDC is not enabled.')); @@ -384,10 +384,9 @@ router.get('/oidc/link', async (req, res) => { code_challenge_method: 'S256', }); - console.log('[oidc] link: redirecting to provider'); req.session.save(() => res.redirect(authUrl)); } catch (err) { - console.error('[oidc] link error:', err.message, err.stack); + console.error('[oidc] link error:', err.message); res.redirect('/#oidc-error=' + encodeURIComponent('Failed to initiate SSO linking.')); } });