Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
079b8b94929c4b01b1d9874e6bf9ed8a3957fea4
SkyMoney/tests-results-for-OWASP/post-deployment-verification-checklist.md
Ricearoni1245 079b8b9492
All checks were successful
Deploy / deploy (push) Successful in 1m42s
Details
Security Tests / security-non-db (push) Successful in 20s
Details
Security Tests / security-db (push) Successful in 22s
Details
chore: root commit of OWSAP security testing/tightening
2026-03-01 20:46:47 -06:00

2.5 KiB
Raw Blame History

Post-Deployment Verification Checklist

Use this after every deploy (staging and production).

Preconditions

  1. Deployment completed successfully.
  2. Migrations completed successfully.
  3. Correct environment flags:
  • AUTH_DISABLED=false
  • ALLOW_INSECURE_AUTH_FOR_DEV=false
  1. Test DB preflight (for DB-backed suites):
  • TEST_DATABASE_URL points to a reachable PostgreSQL instance.
  • Example quick check:
echo "$TEST_DATABASE_URL"

Expected:

  • single valid URL value
  • host/port match the intended test database (for local runs usually 127.0.0.1:5432)

A01 smoke checks

Replace ${API_BASE} with your deployed API base URL.

1) Protected route requires auth

curl -i "${API_BASE}/dashboard"

Expected:

  • HTTP 401
  • response body includes UNAUTHENTICATED

2) Spoofed identity header is ignored

curl -i -H "x-user-id: spoofed-user-id" "${API_BASE}/dashboard"

Expected:

  • HTTP 401

3) Admin rollover is not publicly callable

curl -i -X POST "${API_BASE}/admin/rollover" \
  -H "Content-Type: application/json" \
  -d '{"dryRun":true}'

Expected:

  • HTTP 403

A09 smoke checks

4) Security events are emitted for failed auth attempts

Trigger a failed login attempt:

curl -i -X POST "${API_BASE}/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email":"nonexistent@example.com","password":"WrongPass123!"}'

Expected:

  • HTTP 401
  • API logs include a structured securityEvent for auth.login with outcome=failure
  • log entry includes requestId

A10 smoke checks

5) Production origin configuration is public and non-local

Verify production env/config:

  • APP_ORIGIN uses public HTTPS host (not localhost/private IP ranges)

Expected:

  • API boots successfully with production env validation.

Automated regression checks

Run in CI against a prod-like environment:

cd api
npm test -- tests/auth.routes.test.ts tests/access-control.account-delete.test.ts tests/access-control.admin-rollover.test.ts
SECURITY_DB_TESTS=0 npx vitest run -c vitest.security.config.ts
SECURITY_DB_TESTS=1 npx vitest run -c vitest.security.config.ts

Expected:

  • all tests pass

Note:

  • A06/A07 runtime suites require PostgreSQL availability.
  • SECURITY_DB_TESTS=0 runs non-DB security controls only.
  • SECURITY_DB_TESTS=1 includes DB-backed A06/A07 suites.

Sign-off

  1. Record outputs in evidence-log-template.md.
  2. Review open residual risks in residual-risk-backlog.md.
  3. Mark release security check as pass/fail.
Reference in New Issue View Git Blame Copy Permalink