soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

implemented a lot of security measures

Browse Source
This commit is contained in:
Codex Agent
2025-12-09 20:29:32 +01:00
parent 4bdb93c171
commit 928d28fcaf
21 changed files with 953 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/process/changes/2025-12-08-security-review-kickoff.md Normal file
View File

@@ -0,0 +1,40 @@
# Security Review Kickoff — 2025-12-08
## Context
- Started structured security review spanning marketing/public API, Guest PWA, Event Admin, payments/webhooks, and media pipeline/storage.
- Needed a tracking checklist plus logging conventions for findings and follow-ups.
## Actions
- Added review plan with scope, workstreams, and checklists: `docs/process/todo/security-review-dec-2025.md`.
- Defined evidence logging: future session notes in `docs/process/changes/`, remediation tasks as Issues (label `TODO`) or `docs/process/todo/` entries linked to `SEC-*` tickets where applicable.
- Mapped roles/trust boundaries and inventoried marketing/public API route surfaces (locale-prefixed marketing group with throttled contact forms and signed gift voucher print; guest PWA view routes; Event Admin SPA catch-all; checkout/paddle webhook exposure; API v1 marketing + public event endpoints with throttles; tenant API protected by `auth:sanctum`, `tenant.collaborator`, `tenant.isolation`, `throttle:tenant-api`, plus `tenant.admin` on sensitive routes).
- Captured environment/header defaults: `.env.example` ships with `APP_DEBUG=true` (must be false in prod) and HTTP APP_URL; session defaults `same_site=lax`, `SESSION_ENCRYPT=false`, secure cookie flag unset; CORS uses Laravel defaults (all origins/methods, credentials=false) on `api/*`; CSP middleware added to web group sets nonce-based script-src but leaves style-src with `'unsafe-inline'` and broad https/data allowances; skips CSP when debug/local.
- Added data class/retention sketch: media storage (variants via signed URLs; tenant-governed retention), join tokens/access logs and planned hashing, auth/session tokens (Sanctum/PATs, OAuth), PII (contact form, member lists, billing contact), billing identifiers (Paddle/Stripe/PayPal), logs/analytics (Matomo consent plan, request timing middleware).
- Captured seeded test identities: Super admin (`ADMIN_EMAIL`/`ADMIN_PASSWORD`, defaults `admin@example.com` / `ChangeMe123!`), tenant admin demo (`tenant-demo@fotospiel.app` / `Demo1234!`), guest join token from demo event (`W2E3sbt7yclzpkAwNSARHYTVN1sPLBad8hfUjLVHmjkUviPd`), with seed commands (`migrate --seed` or targeted seeders).
- Noted env assumptions for dynamic testing: set HTTPS `APP_URL`, secure/samesite cookies, adjust `SANCTUM_STATEFUL_DOMAINS` for SPA/PWA origins, ensure storage disks and `storage:link` ready, supply webhook secrets/URLs, and run queues for media/security jobs.
- Mapped role→data/retention and drafted dynamic testing harness scope (marketing/API abuse checks, guest PWA upload/share/cache tests, event admin CRUD/IDOR checks, webhook replay for freshness/idempotency, media pipeline AV/EXIF tests).
- Converted the testing outline into actionable checklists per surface (marketing/API, guest PWA, event admin, webhooks/billing, media pipeline, cross-cutting headers/CSRF/rate limits).
- Added guest upload gating plan (scan-before-publish, auto-approve when clean; optional manual moderation flag; signed URLs/private storage, API changes).
## Next Steps
- [ ] Start executing checklists (begin with marketing/API headers/CSP/CORS + guest PWA upload/share flows) and log findings with PoCs and severities.
## Findings — Marketing/API headers & Guest PWA upload/share (2025-12-08)
**Marketing/API headers & CORS**
- Missing security headers: no HSTS, Referrer-Policy, Permissions-Policy, or frame-ancestors/X-Frame-Options on responses; CSP middleware only for web group and skipped in debug/local (prod only). → Recommend adding a response headers middleware to set HSTS (HTTPS-only), Referrer-Policy (`strict-origin-when-cross-origin`), Permissions-Policy (disable camera/mic/geolocation unless required), and frame-ancestors (`'none'` or app domain).
- CSP style-src still uses `'unsafe-inline'` with broad `https:`/`data:` allowances; plan in `SEC-FE-01` covers nonce/hash rollout. Needs prioritization to remove inline allowance and tighten connect/img/font lists.
- CORS was default-open; added env-driven allowlist in `config/cors.php` (origin list from `CORS_ALLOWED_ORIGINS`, app URL origin, dev hosts) and `.env.example` defaults. Prod should set exact domains; credentials stay off unless explicitly enabled.
**Guest PWA upload/share**
- Upload validation allows `image` types including SVG; files are stored and URLs returned via `Storage::url` without sanitisation. SVGs can carry script and would be served from first-party origin, enabling stored XSS via shared links/gallery. → Recommend rejecting SVG (or sanitising server-side) for guest uploads.
- No antivirus/EXIF scrubbing triggered in upload flow: `GuestPhotoUploaded` listener only sends notifications; `security` config not wired. → Recommend enqueueing AV/EXIF jobs on upload before marking `approved`/serving assets.
- Uploaded assets are immediately marked `status='approved'` and URLs returned (likely public if disk is public). Confirm disk visibility; if public, anyone with URL can fetch regardless of token. → Recommend using signed URLs/private visibility and deferring publication until approval/security scan succeeds.
**Mitigations implemented (2025-12-08)**
- CORS tightened: new env-driven allowlist in `config/cors.php` (`CORS_ALLOWED_ORIGINS` etc.), defaults to localhost; prod should set exact domains to match Traefik/nginx.
- Security headers middleware added (`ResponseSecurityHeaders`) for web/api: sets Referrer-Policy `strict-origin-when-cross-origin`, X-Content-Type-Options nosniff, X-Frame-Options SAMEORIGIN, Permissions-Policy (camera/mic/geo disabled), and HSTS on secure non-local requests.
- Guest upload hardened: rejects SVG via `mimes` allowlist, sets uploads to `status=pending` (no file URLs in response), and dispatches `ProcessPhotoSecurityScan` on upload. Scan job now auto-approves on clean or skipped scans, rejects on infected. Gallery endpoints already filter `status=approved`, so pending items are hidden until scan finishes.
- Gallery/API assets moving to signed access: gallery listings and stats now use temporary signed routes for thumbnails/full URLs (token + photo id) instead of raw `Storage::url` where possible; queries filter to approved status. Fallbacks remain for legacy paths.
- CSP tightened: added style nonce, allowed https style sources for Stripe/Paddle, removed `style-src 'unsafe-inline'` in non-dev (dev keeps inline for Vite), and added `frame-ancestors 'self'`. Script nonce already in place.
- Branding assets signed: added signed branding asset route with path allowlist; branding logos use signed URLs; blog banners now emit signed URLs instead of raw `Storage::url`. Tenant photo resource now emits signed URLs for full/thumbnail variants.

185
docs/process/todo/security-review-dec-2025.md Normal file
View File

@@ -0,0 +1,185 @@
# Security Review (Dec 2025)
## Goal
Run a structured security review across marketing frontend + public API, Guest PWA, and Event Admin to produce prioritized findings, PoCs, and remediation tasks aligned with the Security Hardening epic.
## Deliverables
- Threat model + scope notes.
- Findings list with severity/likelihood, PoCs, and recommended fixes.
- Follow-up tasks filed in `docs/process/todo/` or Issues (label `TODO`) mapped to existing `SEC-*` tickets where possible.
## Status (Stand 2025-12-08)
- Discovery: In progress (scope mapped; marketing/API route inventory captured).
- Code review: Not started.
- Dynamic testing: Not started.
- Reporting: Not started.
## Scope & Trust Boundaries
- Marketing site + public API (web + api route groups, CORS, rate limits).
- Guest PWA (resources/js/guest, service worker, background sync, offline cache, uploads).
- Event Admin / Tenant Admin PWA (Filament resources, React admin, OAuth2/PKCE, Sanctum).
- Payments/Webhooks (Paddle, RevenueCat), media pipeline (uploads/QR/PDF), storage visibility.
- Headers/CSP/cookies, session/config defaults, logging hygiene (no PII).
## Workstreams & Checklists
1) Foundations & Threat Model
- [x] Map roles/data:
- Marketing visitors (no auth; optional contact form PII).
- Guest attendees via join token (photos, likes, push subscriptions, optional contact/email if provided).
- Tenant collaborators/admins (event config, uploads, member lists, notifications).
- Super admins (platform-level controls).
- Automated actors (Paddle/RevenueCat webhooks, background workers/queues).
- [x] Data classes & storage/retention (baseline):
- Photos/media: stored in configured filesystem disks (see `filesystems.php`/storage pipeline), variants via signed URLs; retention governed by tenant settings (per PRP 09/10).
- Join tokens & gallery access: tokens (hashing planned), events, and access logs; rate-limit counters; short-lived signed share links.
- Account/auth: Sanctum tokens, OAuth (Google), session cookies (`same_site=lax`, secure flag env-driven), PATs; device/browser not fingerprinted by default.
- PII/contact: marketing contact form submissions (controller TBD), tenant member lists, notification preferences, billing contact details.
- Billing: Paddle/Stripe/PayPal identifiers, checkout sessions, add-on purchases; webhooks queued.
- Logs/metrics: structured logs (no PII mandate in PRP 09), Matomo analytics (consent-gated plan), request timing middleware.
- [x] Confirm env/header defaults for review:
- `.env.example` ships with `APP_DEBUG=true` and `APP_URL=http://localhost`; production must set `APP_DEBUG=false` and HTTPS URL.
- Session defaults: driver `redis` (unless overridden), `SESSION_ENCRYPT=false`, `SAME_SITE=lax`, `SESSION_SECURE_COOKIE` unset (inherits HTTPS), partitioned cookies disabled.
- CORS: default Laravel config (not customized) => `paths=['api/*','sanctum/csrf-cookie']`, `allowed_origins=['*']`, `allowed_methods=['*']`, credentials `false`.
- CSP: web group appends `ContentSecurityPolicy` middleware; in debug/local it skips header. In prod it sets nonce-based `script-src` and broad `style-src 'unsafe-inline' https: data:`; allows Stripe/Paddle/Localize, Matomo origin if configured.
- [x] Test identities / fixtures (seeded):
- Super admin: `ADMIN_EMAIL`/`ADMIN_PASSWORD` (defaults `admin@example.com` / `ChangeMe123!`) via `SuperAdminSeeder`.
- Tenant admin demo: `tenant-demo@fotospiel.app` / `Demo1234!` via `DemoTenantSeeder` (package assigned, verified, active).
- Guest tokens: `DemoEventSeeder` seeds `demo-wedding-2025` with join token `W2E3sbt7yclzpkAwNSARHYTVN1sPLBad8hfUjLVHmjkUviPd` (stored hashed+encrypted). Use for guest/PWA/API tests; additional demo event without explicit token uses generated token.
- Seed commands: `php artisan migrate --seed` (or targeted seeders: `db:seed --class=SuperAdminSeeder`, `DemoTenantSeeder`, `DemoEventSeeder`).
- [ ] Env assumptions for dynamic testing:
- Base URL/HTTPS: ensure `APP_URL` points to the test host with HTTPS; set `SESSION_SECURE_COOKIE=true` and `SESSION_SAME_SITE=lax/none` as needed for cross-origin tools.
- CORS/stateful domains: configure `SANCTUM_STATEFUL_DOMAINS` to include test origins (e.g., localhost:3000/5173) for SPA/PWA flows; consider tightening CORS from `*` to allowed hosts during tests if feasible.
- Storage: confirm disks (local/s3) and public assets linkage (`storage:link`) for media tests; signed URL generation in place.
- Webhooks: set Paddle/RevenueCat webhook secrets and target URLs; use throttling expectations (`throttle:60,1` on revenuecat; none on paddle webhooks).
- Queues: ensure queue workers running for uploads/scan jobs when exercising media pipelines.
## Role → Data/Storage/Retention Mapping (initial)
- Marketing visitor: contact form PII (controller storage TBD); cookies/localStorage for locale/consent; Matomo analytics (consent-gated); no persistent account.
- Guest (join token): event/gallery access via token; uploads (photo + EXIF), likes, push subscription keys; cached assets in PWA/service worker; signed share links; rate-limit counters and join-token access logs; retention tied to event/gallery expiry and tenant settings.
- Tenant collaborator/admin: account profile, tenant settings, events, members, notifications, tasks, uploads; billing identifiers for purchases; OAuth/Google tokens; Sanctum PATs/session cookies; audit/logs for actions; retention per tenant policy, legal retention for billing.
- Super admin: same as tenant admin plus platform-level audit/actions; impersonation logs expected; no extra PII beyond account.
- Webhooks (Paddle/RevenueCat): payload identifiers, signatures, session linkage; stored in webhook logs/queue jobs; retention per ops runbook.
## Dynamic Testing Harness Outline (draft)
- Identities: use seeded super admin, tenant demo, and demo guest token for auth contexts; create additional tenant collaborator if needed.
- Environments: run against local HTTPS host with `APP_URL` set; configure `SANCTUM_STATEFUL_DOMAINS` and cookies for Playwright/DAST sessions; ensure queues running.
- Surfaces to script:
- Marketing/API: contact form abuse/rate limit, coupon preview, gift voucher flows; check CORS preflight and CSP headers.
- Guest PWA: join token gallery load, photo upload (valid/invalid), like/share, push subscription register/delete, offline/cache poison checks; download/share signed URL enforcement.
- Event Admin: login (email/password + Google), CRUD on events/photos/members/tasks, package purchase intents (non-payment), photobooth enable/rotate; policy/IDOR checks.
- Webhooks: replay signed webhook samples (Paddle/RevenueCat) with stale timestamps to validate signature freshness and idempotency behavior.
- Media pipeline: upload with EXIF/malware test samples to observe AV/EXIF handling; verify signed URL visibility and expiry.
## Dynamic Testing Checklists (actionable)
- Marketing/API
- [ ] Verify CSP headers present in non-debug env; confirm nonce on scripts, no stray inline scripts/styles; note `'unsafe-inline'` styles as risk.
- [ ] Exercise contact form with/without JS; confirm throttling and spam validation; inspect error leakage.
- [ ] Coupon preview/gift voucher endpoints: validate rate limits, auth bypass attempts, input validation, CORS preflight, and response caching headers.
- [ ] Checkout wizard/login/register endpoints: session handling, CSRF, rate limits; ensure APP_DEBUG off to avoid stack traces.
- [ ] Public routes return 404/redirects without leaking internal paths.
- Guest PWA
- [ ] Gallery load with seeded token: check caching headers, ETag, and denial for invalid/expired token.
- [ ] Upload tests: valid image, oversized, wrong MIME, EXIF-laden, EICAR sample; expect AV/EXIF handling and clear errors.
- [ ] Likes/share: ensure signed share links required; verify signed asset URLs enforce expiry and token scope.
- [ ] Push subscription register/delete flows with bad payloads; ensure CORS/preflight and auth tied to token.
- [ ] Service worker/cache: verify scope, versioning, offline fallback, and resistance to cache poisoning (stale manifest/assets).
- Event Admin
- [ ] Login (email/password) and Google OAuth flow happy/failure paths; session fixation/regeneration checks.
- [ ] CRUD events/photos/members/tasks with tenant slug mismatch to probe IDOR; verify `tenant.isolation` + policies.
- [ ] Package purchase/payment-intent endpoints without completing payment—check idempotency/validation.
- [ ] Photobooth enable/rotate/disable endpoints with/without admin role.
- [ ] API rate limiting (`throttle:tenant-api`) and error shape consistency; check storage visibility toggles.
- Webhooks & Billing
- [ ] Replay Paddle/RevenueCat payloads with valid and stale timestamps; confirm signature verification and replay protection.
- [ ] Send duplicate IDs to test idempotency locks and queueing behavior; observe logs without PII leakage.
- [ ] Ensure webhook routes respect expected throttles (RevenueCat 60/min; Paddle currently none—note risk).
- Media Pipeline & Storage
- [ ] Signed URL expiry for gallery/download/share links; attempts outside tenant/token should fail.
- [ ] Verify private visibility defaults on new uploads and derivatives; public bucket exposure check.
- [ ] AV/EXIF queue path fires on upload; monitor job logs for failures.
- [x] Replace public URLs: gallery assets and branding/blog banners now use signed routes; tenant photo resource uses signed URLs for variants.
- Cross-cutting
- [ ] Headers: HSTS, X-Frame-Options/Frame-Ancestors, Referrer-Policy, Permissions-Policy; note gaps.
- [ ] CSRF on web forms and SPA flows; session cookie flags (Secure/HttpOnly/SameSite) over HTTPS.
- [ ] Rate limits alignment with documented policies; error messages avoid stack traces and sensitive data.
## CSP Tightening Plan
- Add style nonces everywhere inline styles exist (root blade/templates) and remove `style-src 'unsafe-inline'` outside dev.
- Ensure script nonce is applied (already set via Vite); audit any inline event handlers.
- Add `frame-ancestors 'self'` to CSP to align with X-Frame-Options.
## Guest Upload Gating Plan (scan-before-publish, auto-approve; optional moderation)
- Goals: keep guest uploads pending until AV/EXIF scan completes; auto-approve if clean; optional moderation toggle for tenants that want manual review; serve assets via signed URLs/private storage after approval.
- Storage/visibility:
- Store uploads on private disk (no public `Storage::url`); serve via signed URLs scoped to event/token with short TTL.
- Keep `status=pending` until scan completes; do not expose paths in API responses until approved.
- Security scanning:
- Dispatch `ProcessPhotoSecurityScan` on upload; mark `security_scan_status` and `security_scanned_at`.
- If infected/error: mark `rejected` with reason; optionally delete/quarantine asset and log.
- Approval workflow:
- Default: auto-approve when scan returns clean. Optional tenant/event flag `photo_upload_requires_manual_approval` to hold after scan for manual review (default off).
- Pending uploads can surface in admin (list + bulk approve/reject) only when manual flag is on.
- API changes:
- Guest upload response: return pending state and no direct file URLs while pending.
- Gallery/photos endpoints: filter to approved only; include pending count for admin if manual flag is on.
- Signed URL generation: use `Storage::temporaryUrl` or signed route; avoid raw public paths.
- Rate/abuse controls:
- Preserve per-token/device limits; consider stricter throttles while approval is enabled.
- Log join-token usage and anomalies for audit.
- Migration/rollout:
- Backfill existing photos to `approved` to avoid breaking live galleries.
- Feature flag to enable per-tenant/event; add config toggle and admin UI.
- Testing:
- Feature tests for pending upload, approval flow, rejection, and signed URL access control; scan failure path blocks approval.
- [x] Trust boundaries/entrypoints:
- Marketing/Inertia under `/{locale}` prefix (`de|en`) with session/Accept-Language fallback redirect; login/register guarded by `guest` middleware; contact forms throttled (`throttle:contact-form`); gift voucher print uses `signed`.
- Guest PWA entry at `/event`, `/g/{token}`, `/e/{token}/{path?}`, `/share/{slug}` (views rendered by `guest` blade; tokens unauthed).
- Event Admin shell under `/event-admin/*` with Google OAuth endpoints; auth enforced in controller; SPA catch-all `/{view?}`.
- Checkout endpoints always exposed (`/purchase-wizard/{package}`, `/checkout/{package}`, `/checkout/*` helpers, `/paddle/webhook`); Paddle webhook lacks explicit throttle middleware.
- API entry at `/api/v1` (see details below); testing-only routes gated by env check.
2) Marketing Frontend + Public API
- [x] Inventory routes/middleware (auth, rate limits, CORS, cache/ETag) and note anonymous vs authenticated paths:
- Marketing web routes: locale-prefixed group; auth pages gated by `guest`; contact/kontakt POST throttled; gift voucher print signed; profile/voucher-status require `auth`; marketing fallbacks render Inertia 404. Legacy unprefixed routes redirect to locale-prefixed equivalents.
- Event Admin: `/event-admin` routes include auth/login/logout/dashboard and SPA catch-all; rely on controller auth checks (middleware not on route).
- Guest PWA: view routes for gallery/event/share are unauthenticated; token patterns unconstrained except share slug regex.
- Checkout: purchase-wizard/checkout routes toggled by `config('checkout.enabled')`; login/register/track-abandoned POSTs exposed; Paddle webhook route has no rate limit middleware.
- Public API: `api/v1` marketing coupon/gift voucher endpoints throttled (`throttle:*`), RevenueCat webhook throttled `60,1`. Public event/gallery endpoints grouped under `throttle:100,1`; signed URLs for share assets/downloads; uploads exposed at `/events/{token}/upload` and `/photobooth/sparkbooth/upload`.
- Tenant API: `auth:sanctum`, `tenant.collaborator`, `tenant.isolation`, `throttle:tenant-api` on `/api/v1/tenant/*`; many routes further gated by `tenant.admin`; package/credit checks on event mutations; signed download/layout routes within tenant scope.
- [ ] Review controllers/resources for authz (policies/gates), FormRequest validation, mass assignment, IDOR risks.
- [ ] Check response handling (error leakage, pagination limits, idempotency on mutations).
- [ ] Review CSP/headers/cookies and analytics gating; verify no `unsafe-inline` without nonce/hash plan.
3) Guest PWA
- [ ] Verify join token handling (hashing/migration alignment with `SEC-GT-*`), gallery/photo rate limits, throttling per token/IP.
- [ ] Inspect upload validation (MIME/size/dimensions), background sync request signing, storage visibility.
- [ ] Audit service worker scope, cache versioning/poisoning risk, offline fallbacks, and CSP for PWA.
4) Event Admin (Filament + React Admin)
- [ ] Audit Filament resources/actions for policy checks, scoping, mass assignment guards.
- [ ] Confirm OAuth2/PKCE + Sanctum session handling, role checks, impersonation/tenant boundary controls.
- [ ] Review file handling inside admin (imports/exports/PDF/QR) for SSRF/path traversal.
5) Payments & Webhooks
- [ ] Validate Paddle/RevenueCat webhook signature verification, timestamp/replay defense, idempotency locks, queueing.
- [ ] Check linkage between webhooks and checkout/session state; ensure failures alert and redact PII.
6) Media Pipeline & Storage
- [ ] Confirm AV/EXIF scanning coverage, checksum verification, and private visibility defaults.
- [ ] Review signed URL usage/expiry, path traversal protections, and storage bucket separation per tenant.
7) Dynamic Testing
- [ ] Set up test identities (guest token, tenant admin, super admin) and auth contexts for tooling.
- [ ] Run targeted DAST/Playwright flows for each surface (authn/z, uploads, rate limiting, CORS preflight).
- [ ] Fuzz uploads (images/metadata) and verify rejection paths + logging.
## Evidence & Logging
- Log session notes and findings in `docs/process/changes/YYYY-MM-DD-security-review-*.md`.
- Update checklist statuses here after each pass.
- Open issues for remediation items, linking back to findings and relevant `SEC-*` tickets.