SkyMoney/tests-results-for-OWASP/A07-Identification-and-Authentication-Failures.md
Ricearoni1245 079b8b9492
chore: root commit of OWASP security testing/tightening
2026-03-01 20:46:47 -06:00

A07: Identification and Authentication Failures

Last updated: March 1, 2026

Findings addressed

  1. No explicit account lockout after repeated failed login attempts (brute-force risk).
  2. Password policy for registration and password updates was too weak (length-only).

Fixes implemented

  1. Added login lockout controls:
  • Tracks failed login attempts per normalized email in server memory.
  • Locks login for a configurable window after threshold failures.
  • Returns 429 with code LOGIN_LOCKED and Retry-After header during lockout.
  2. Added strong password policy:
  • Minimum length 12.
  • Requires lowercase, uppercase, number, and symbol.
  • Applied to:
    • /auth/register password.
    • /me/password new password.
  3. Added auth hardening configuration:
  • AUTH_MAX_FAILED_ATTEMPTS (default: 5)
  • AUTH_LOCKOUT_WINDOW_MS (default: 900000, 15 minutes)
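The three fixes above, as an added example in the API's language (TypeScript); this is not the SkyMoney project's own code from api/src/server.ts or api/src/env.ts. It assumes the names LoginLockout, handleLogin, lockoutConfigFromEnv and checkPasswordPolicy, an injectable clock so the window can be tested without sleeping, and one detail the page does not state: a run of failures older than AUTH_LOCKOUT_WINDOW_MS is forgotten rather than counted forever.

```typescript
// Added example, not the project's code. Names below are assumptions.
interface LockoutConfig {
  maxFailedAttempts: number; // AUTH_MAX_FAILED_ATTEMPTS
  lockoutWindowMs: number;   // AUTH_LOCKOUT_WINDOW_MS
}

// Parse the two env vars with the documented defaults (5 failures, 15 minutes).
// Rejecting non-positive or non-numeric values keeps a typo in .env from
// silently disabling the lockout.
function lockoutConfigFromEnv(env: Record<string, string | undefined>): LockoutConfig {
  const max = Number(env.AUTH_MAX_FAILED_ATTEMPTS ?? "5");
  const win = Number(env.AUTH_LOCKOUT_WINDOW_MS ?? "900000");
  if (!Number.isInteger(max) || max < 1) throw new Error("AUTH_MAX_FAILED_ATTEMPTS must be a positive integer");
  if (!Number.isInteger(win) || win < 1) throw new Error("AUTH_LOCKOUT_WINDOW_MS must be a positive integer");
  return { maxFailedAttempts: max, lockoutWindowMs: win };
}

interface AttemptState {
  failures: number;
  firstFailureAt: number;     // ms timestamp of the first failure in this run
  lockedUntil: number | null; // ms timestamp, set once the threshold is hit
}

class LoginLockout {
  private readonly state = new Map<string, AttemptState>();
  private readonly cfg: LockoutConfig;
  private readonly now: () => number;

  // `now` is injectable so tests can advance time instead of sleeping.
  constructor(cfg: LockoutConfig, now: () => number = Date.now) {
    this.cfg = cfg;
    this.now = now;
  }

  // "Alice@Example.com " and "alice@example.com" share one counter.
  static normalizeEmail(email: string): string {
    return email.trim().toLowerCase();
  }

  // Seconds left on an active lock, or null when login may proceed.
  // Expired locks and stale failure runs (assumption, see lead-in) are dropped.
  lockedFor(email: string): number | null {
    const key = LoginLockout.normalizeEmail(email);
    const s = this.state.get(key);
    if (!s) return null;
    const t = this.now();
    if (s.lockedUntil !== null) {
      if (t < s.lockedUntil) return Math.ceil((s.lockedUntil - t) / 1000);
      this.state.delete(key);
      return null;
    }
    if (t - s.firstFailureAt >= this.cfg.lockoutWindowMs) this.state.delete(key);
    return null;
  }

  recordFailure(email: string): void {
    const key = LoginLockout.normalizeEmail(email);
    const t = this.now();
    let s = this.state.get(key);
    const stale = s !== undefined && (s.lockedUntil !== null
      ? t >= s.lockedUntil
      : t - s.firstFailureAt >= this.cfg.lockoutWindowMs);
    if (!s || stale) {
      s = { failures: 0, firstFailureAt: t, lockedUntil: null };
      this.state.set(key, s);
    }
    if (s.lockedUntil !== null) return; // failures during an active lock do not extend it
    s.failures += 1;
    if (s.failures >= this.cfg.maxFailedAttempts) s.lockedUntil = t + this.cfg.lockoutWindowMs;
  }

  recordSuccess(email: string): void {
    this.state.delete(LoginLockout.normalizeEmail(email));
  }
}

interface LoginResult { status: number; code: string; headers: Record<string, string> }

// Framework-agnostic login decision. The lock is checked before the credential
// check, so a correct password during a lockout is still refused with 429.
function handleLogin(lock: LoginLockout, email: string, passwordMatches: boolean): LoginResult {
  const locked = (): LoginResult | null => {
    const secs = lock.lockedFor(email);
    return secs === null ? null : { status: 429, code: "LOGIN_LOCKED", headers: { "Retry-After": String(secs) } };
  };
  const before = locked();
  if (before) return before;
  if (!passwordMatches) {
    lock.recordFailure(email);
    return locked() ?? { status: 401, code: "INVALID_CREDENTIALS", headers: {} };
  }
  lock.recordSuccess(email);
  return { status: 200, code: "OK", headers: {} };
}

// Password policy from the fix: 12+ characters with lowercase, uppercase,
// number and symbol. Returns the unmet requirements (empty array = accepted).
// Length counts code points, so a 12-character password with astral symbols passes.
function checkPasswordPolicy(password: string): string[] {
  const unmet: string[] = [];
  if (Array.from(password).length < 12) unmet.push("at least 12 characters");
  if (!/[a-z]/.test(password)) unmet.push("a lowercase letter");
  if (!/[A-Z]/.test(password)) unmet.push("an uppercase letter");
  if (!/[0-9]/.test(password)) unmet.push("a number");
  if (!/[^A-Za-z0-9]/.test(password)) unmet.push("a symbol");
  return unmet;
}
```

Wire handleLogin into the /auth/login route with passwordMatches coming from the password-hash comparison, and run checkPasswordPolicy on /auth/register and /me/password before hashing; return the unmet list in the 400 body so the client can show what is missing.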

Files changed

  1. api/src/server.ts
  2. api/src/env.ts
  3. .env.example
  4. api/tests/auth.routes.test.ts
  5. api/tests/identification-auth-failures.test.ts
  6. api/vitest.security.config.ts

Verification

Dedicated security suite command (executed):

cd api
npx vitest --run -c vitest.security.config.ts

Verified output:

  • Test Files: 5 passed (5)
  • Tests: 12 passed (12)

Dedicated A07 checks in identification-auth-failures.test.ts:

  1. Runtime check that weak passwords are rejected on registration and on the /me/password update flow.
  2. Runtime check of the lockout threshold and window with a configured AUTH_MAX_FAILED_ATTEMPTS, verifying the 429 LOGIN_LOCKED response and the Retry-After header.

Runtime auth flow checks added in auth.routes.test.ts:

  1. Rejects weak passwords on registration.
  2. Locks login after repeated failed attempts.

Run this in an environment with PostgreSQL running to verify runtime behavior:

cd api
npm test -- tests/auth.routes.test.ts tests/identification-auth-failures.test.ts

Residual notes

  1. Lockout state is held in memory per API instance: it is lost on restart and is not shared between instances, so for horizontally scaled production move lockout tracking to a shared store (Redis/DB) for consistent enforcement across instances.
  2. Because the counter is keyed on the email alone, anyone who can submit failed logins for a known address can trigger its lockout; the lock is bounded by AUTH_LOCKOUT_WINDOW_MS, so tune the window with that denial-of-service tradeoff in mind.