chore: root commit of OWASP security testing/tightening
All checks were successful
Deploy / deploy (push) Successful in 1m42s
Security Tests / security-non-db (push) Successful in 20s
Security Tests / security-db (push) Successful in 22s

2026-03-01 20:46:47 -06:00
parent 1645896e54
commit 079b8b9492
25 changed files with 1131 additions and 107 deletions


@@ -0,0 +1,70 @@
# A07: Identification and Authentication Failures
Last updated: March 1, 2026
## Findings addressed
1. No explicit account lockout after repeated failed login attempts (brute-force risk).
2. Password policy for registration and password updates was too weak (length-only).
## Fixes implemented
1. Added login lockout controls:
- Tracks failed login attempts per normalized email in server memory.
- Locks login for a configurable window after threshold failures.
- Returns `429` with code `LOGIN_LOCKED` and `Retry-After` header during lockout.
2. Added strong password policy:
- Minimum length `12`.
- Requires lowercase, uppercase, number, and symbol.
- Applied to:
- `/auth/register` password.
- `/me/password` new password.
3. Added auth hardening configuration:
- `AUTH_MAX_FAILED_ATTEMPTS` (default: `5`)
- `AUTH_LOCKOUT_WINDOW_MS` (default: `900000`, 15 minutes)
## Files changed
1. `api/src/server.ts`
2. `api/src/env.ts`
3. `.env.example`
4. `api/tests/auth.routes.test.ts`
5. `api/tests/identification-auth-failures.test.ts`
6. `api/vitest.security.config.ts`
## Verification
Dedicated security suite command (executed):
```bash
cd api
npx vitest --run -c vitest.security.config.ts
```
Verified output:
- Test Files: `5 passed (5)`
- Tests: `12 passed (12)`
Dedicated A07 checks in `identification-auth-failures.test.ts`:
1. Runtime checks weak password rejection for registration and `/me/password` update flow.
2. Runtime checks lockout threshold/window behavior with configured `AUTH_MAX_FAILED_ATTEMPTS` and verifies `LOGIN_LOCKED` response + `Retry-After`.
Runtime auth flow checks added in `auth.routes.test.ts`:
1. Rejects weak passwords on registration.
2. Locks login after repeated failed attempts.
Run this in an environment with PostgreSQL running to verify runtime behavior:
```bash
cd api
npm test -- tests/auth.routes.test.ts tests/identification-auth-failures.test.ts
```
## Residual notes
1. Current lockout state is in-memory per API instance; for horizontally scaled production, move lockout tracking to a shared store (Redis/DB) for consistent enforcement across instances.
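Review bot: The lockout design under "Fixes implemented" (item 1) keys failed attempts on the target email only, so anyone who knows or guesses an address can lock that account with `AUTH_MAX_FAILED_ATTEMPTS` bad passwords, and a password-spraying attacker who rotates through many emails never trips the threshold; "Residual notes" should record this account-lockout denial-of-service and spraying gap alongside the multi-instance caveat, and the control should pair the per-email counter with a per-source-IP (or global) login rate limit. Two smaller points: the document does not say whether failures for emails that do not exist are counted or whether a successful login resets the counter, and both matter (returning `LOGIN_LOCKED` only for real accounts would let a caller enumerate users, and a counter that never resets turns ordinary typos into a lockout); and the composition rule in item 2 ("Requires lowercase, uppercase, number, and symbol") is exactly the kind of rule NIST SP 800-63B and OWASP ASVS advise against, so consider replacing it with a breached-password check and a generous maximum length (at least 64) while keeping the 12-character minimum.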