Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7c72e81998ddc03f13ccfea4570aa5f9af3c09c
SkyMoney/tests-results-for-OWASP/post-deployment-verification-checklist.md
Ricearoni1245 079b8b9492
All checks were successful
Deploy / deploy (push) Successful in 1m42s
Details
Security Tests / security-non-db (push) Successful in 20s
Details
Security Tests / security-db (push) Successful in 22s
Details
chore: root commit of OWSAP security testing/tightening
2026-03-01 20:46:47 -06:00

108 lines
2.5 KiB
Markdown
Raw Blame History

# Post-Deployment Verification Checklist
Use this after every deploy (staging and production).
## Preconditions
1. Deployment completed successfully.
2. Migrations completed successfully.
3. Correct environment flags:
- `AUTH_DISABLED=false`
- `ALLOW_INSECURE_AUTH_FOR_DEV=false`
4. Test DB preflight (for DB-backed suites):
- `TEST_DATABASE_URL` points to a reachable PostgreSQL instance.
- Example quick check:
```bash
echo "$TEST_DATABASE_URL"
```
Expected:
- single valid URL value
- host/port match the intended test database (for local runs usually `127.0.0.1:5432`)
## A01 smoke checks
Replace `${API_BASE}` with your deployed API base URL.
### 1) Protected route requires auth
```bash
curl -i "${API_BASE}/dashboard"
```
Expected:
- HTTP `401`
- response body includes `UNAUTHENTICATED`
### 2) Spoofed identity header is ignored
```bash
curl -i -H "x-user-id: spoofed-user-id" "${API_BASE}/dashboard"
```
Expected:
- HTTP `401`
### 3) Admin rollover is not publicly callable
```bash
curl -i -X POST "${API_BASE}/admin/rollover" \
-H "Content-Type: application/json" \
-d '{"dryRun":true}'
```
Expected:
- HTTP `403`
## A09 smoke checks
### 4) Security events are emitted for failed auth attempts
Trigger a failed login attempt:
```bash
curl -i -X POST "${API_BASE}/auth/login" \
-H "Content-Type: application/json" \
-d '{"email":"nonexistent@example.com","password":"WrongPass123!"}'
```
Expected:
- HTTP `401`
- API logs include a structured `securityEvent` for `auth.login` with `outcome=failure`
- log entry includes `requestId`
## A10 smoke checks
### 5) Production origin configuration is public and non-local
Verify production env/config:
- `APP_ORIGIN` uses public HTTPS host (not localhost/private IP ranges)
Expected:
- API boots successfully with production env validation.
## Automated regression checks
Run in CI against a prod-like environment:
```bash
cd api
npm test -- tests/auth.routes.test.ts tests/access-control.account-delete.test.ts tests/access-control.admin-rollover.test.ts
SECURITY_DB_TESTS=0 npx vitest run -c vitest.security.config.ts
SECURITY_DB_TESTS=1 npx vitest run -c vitest.security.config.ts
```
Expected:
- all tests pass
Note:
- A06/A07 runtime suites require PostgreSQL availability.
- `SECURITY_DB_TESTS=0` runs non-DB security controls only.
- `SECURITY_DB_TESTS=1` includes DB-backed A06/A07 suites.
## Sign-off
1. Record outputs in `evidence-log-template.md`.
2. Review open residual risks in `residual-risk-backlog.md`.
3. Mark release security check as pass/fail.
Reference in New Issue View Git Blame Copy Permalink