SkyMoney/tests-results-for-OWASP/A07-Identification-and-Authentication-Failures.md

Commit 15e0c0a88a by Ricearoni1245, 2026-03-01 21:47:15 -06:00: feat: implement forgot password, added security updates

A07: Identification and Authentication Failures

Last updated: March 1, 2026

Findings addressed

  1. No explicit account lockout after repeated failed login attempts (brute-force risk).
  2. Password policy for registration and password updates was too weak (length-only).

Fixes implemented

  1. Added login lockout controls:
  • Tracks failed login attempts per normalized email in server memory.
  • Locks login for a configurable window once the failure threshold is reached.
  • Returns 429 with code LOGIN_LOCKED and a Retry-After header while the lockout is active.
  2. Added strong password policy:
  • Minimum length 12.
  • Requires at least one lowercase letter, one uppercase letter, one digit, and one symbol.
  • Applied to:
    • the password submitted to /auth/register.
    • the new password submitted to /me/password.
  3. Added auth hardening configuration:
  • AUTH_MAX_FAILED_ATTEMPTS (default: 5)
  • AUTH_LOCKOUT_WINDOW_MS (default: 900000, i.e. 15 minutes)
  4. Added forgot-password hardening:
  • The public reset request endpoint always returns the same generic success response, whether or not the email exists, so it cannot be used to enumerate accounts.
  • Reset tokens are issued only for verified users.
  • Reset confirmation enforces the strong password policy; tokens are single-use and expire.
  • A successful reset updates passwordChangedAt so that sessions issued before the reset are no longer accepted.
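The four fixes above, as an added TypeScript example that is not the SkyMoney project's own code (api/src/server.ts is not reproduced here): the class and function names, the injectable clock, the SHA-256-hashed reset token store and the fixed defaults are assumptions for illustration. It shows the lockout counter keyed by normalized email with the 429/LOGIN_LOCKED/Retry-After response, the password policy check, a single-use expiring reset token, and the passwordChangedAt comparison that rejects older sessions.

```typescript
// Added example, not the project's code. Names and defaults are assumptions.
import { createHash, randomBytes } from "node:crypto";

export const AUTH_MAX_FAILED_ATTEMPTS = 5;       // mirrors the documented default
export const AUTH_LOCKOUT_WINDOW_MS = 900_000;   // 15 minutes, documented default

// Password policy: >= 12 chars with lowercase, uppercase, digit and symbol.
// Returns the unmet requirements; an empty array means the password passes.
export function passwordPolicyErrors(pw: string): string[] {
  const rules: Array<[(p: string) => boolean, string]> = [
    [(p) => p.length >= 12, "at least 12 characters"],
    [(p) => /[a-z]/.test(p), "a lowercase letter"],
    [(p) => /[A-Z]/.test(p), "an uppercase letter"],
    [(p) => /[0-9]/.test(p), "a digit"],
    [(p) => /[^A-Za-z0-9]/.test(p), "a symbol"],
  ];
  return rules.filter(([ok]) => !ok(pw)).map(([, msg]) => msg);
}

// Normalization so "User@Example.com " and "user@example.com" share one counter.
export function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

type LockEntry = { failures: number; windowStart: number; lockedUntil: number | null };

// In-memory, per-process lockout tracker (state is neither shared across
// instances nor preserved across restarts; see the residual notes).
export class LoginLockout {
  private entries = new Map<string, LockEntry>();
  private maxFailed: number;
  private windowMs: number;
  private now: () => number;
  constructor(maxFailed = AUTH_MAX_FAILED_ATTEMPTS, windowMs = AUTH_LOCKOUT_WINDOW_MS, now: () => number = Date.now) {
    this.maxFailed = maxFailed; this.windowMs = windowMs; this.now = now; // clock injected for tests
  }

  // Seconds for the Retry-After header while locked, or null when login may proceed.
  retryAfterSeconds(email: string): number | null {
    const key = normalizeEmail(email);
    const e = this.entries.get(key);
    if (e === undefined || e.lockedUntil === null) return null;
    const remainingMs = e.lockedUntil - this.now();
    if (remainingMs <= 0) { this.entries.delete(key); return null; } // lockout expired
    return Math.ceil(remainingMs / 1000);
  }

  recordFailure(email: string): void {
    const key = normalizeEmail(email);
    const t = this.now();
    let e = this.entries.get(key);
    // Start a fresh counting window on the first failure or after the old one expired.
    if (e === undefined || t - e.windowStart > this.windowMs) e = { failures: 0, windowStart: t, lockedUntil: null };
    e.failures += 1;
    if (e.failures >= this.maxFailed) e.lockedUntil = t + this.windowMs;
    this.entries.set(key, e);
  }

  recordSuccess(email: string): void { this.entries.delete(normalizeEmail(email)); }
}

// Handler-shaped login decision: lockout is checked before credentials so a
// locked account is never even compared against the stored hash.
export type LoginResult =
  | { status: 200 } | { status: 401 } | { status: 429; code: "LOGIN_LOCKED"; retryAfter: number };
export function login(lockout: LoginLockout, email: string, credentialsOk: boolean): LoginResult {
  const retryAfter = lockout.retryAfterSeconds(email);
  if (retryAfter !== null) return { status: 429, code: "LOGIN_LOCKED", retryAfter };
  if (!credentialsOk) { lockout.recordFailure(email); return { status: 401 }; }
  lockout.recordSuccess(email);
  return { status: 200 };
}

// One-time, expiring reset tokens. Only the SHA-256 of the token is stored, so a
// leaked table does not yield usable tokens; consume() burns the token on first use.
type ResetRecord = { userId: string; expiresAt: number; used: boolean };
export class ResetTokenStore {
  private records = new Map<string, ResetRecord>();
  private ttlMs: number;
  private now: () => number;
  constructor(ttlMs = 15 * 60_000, now: () => number = Date.now) { this.ttlMs = ttlMs; this.now = now; }
  private static digest(token: string): string { return createHash("sha256").update(token).digest("hex"); }

  issue(userId: string): string {
    const token = randomBytes(32).toString("hex"); // 256 bits of entropy, sent to the user
    this.records.set(ResetTokenStore.digest(token), { userId, expiresAt: this.now() + this.ttlMs, used: false });
    return token;
  }

  // userId when the token is known, unexpired and unused (and marks it used); otherwise null.
  consume(token: string): string | null {
    const rec = this.records.get(ResetTokenStore.digest(token));
    if (rec === undefined || rec.used || rec.expiresAt <= this.now()) return null;
    rec.used = true;
    return rec.userId;
  }
}

// Session check against passwordChangedAt: a token issued before the password
// changed is rejected. Compare both values at the same granularity (ms here).
export function sessionIsCurrent(tokenIssuedAt: number, passwordChangedAt: number | null): boolean {
  return passwordChangedAt === null || tokenIssuedAt >= passwordChangedAt;
}
```

The lockout and token stores take a clock so the threshold and expiry behaviour can be tested without sleeping; in production both would read Date.now and, per the residual note, the lockout map would be replaced by a shared store.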

Files changed

  1. api/src/server.ts
  2. api/src/env.ts
  3. .env.example
  4. api/tests/auth.routes.test.ts
  5. api/tests/identification-auth-failures.test.ts
  6. api/vitest.security.config.ts
  7. api/tests/forgot-password.security.test.ts
  8. api/prisma/schema.prisma
  9. api/prisma/migrations/20260302000000_add_password_changed_at/migration.sql

Verification

Dedicated security suite command (executed):

cd api
npx vitest --run -c vitest.security.config.ts

Verified output:

  • Test Files: 5 passed (5)
  • Tests: 12 passed (12)

Dedicated A07 checks in identification-auth-failures.test.ts:

  1. Runtime check that weak passwords are rejected by both registration and the /me/password update flow.
  2. Runtime check of the lockout threshold and window using the configured AUTH_MAX_FAILED_ATTEMPTS, verifying the LOGIN_LOCKED response and the Retry-After header.

Runtime auth flow checks added in auth.routes.test.ts:

  1. Rejects weak passwords on registration.
  2. Locks login after repeated failed attempts.

Run this in an environment with PostgreSQL running to verify runtime behavior:

cd api
npm test -- tests/auth.routes.test.ts tests/identification-auth-failures.test.ts

Residual notes

  1. Current lockout state is in-memory per API instance and is lost on restart; for horizontally scaled production, move lockout tracking to a shared store (Redis/DB) so that the threshold is enforced consistently across instances.
  2. Because lockout is keyed by email alone, anyone who knows a user's email can lock that user out by submitting repeated failed attempts. Pair the per-account lockout with per-client rate limiting and monitor lockout events so deliberate lockouts are visible.