# Security Review (Dec 2025) ## Goal Run a structured security review across marketing frontend + public API, Guest PWA, and Event Admin to produce prioritized findings, PoCs, and remediation tasks aligned with the Security Hardening epic. ## Deliverables - Threat model + scope notes. - Findings list with severity/likelihood, PoCs, and recommended fixes. - Follow-up tasks filed in `docs/process/todo/` or Issues (label `TODO`) mapped to existing `SEC-*` tickets where possible. ## Status (Stand 2025-12-08) - Discovery: In progress (scope mapped; marketing/API route inventory captured). - Code review: Not started. - Dynamic testing: Not started. - Reporting: Not started. ## Scope & Trust Boundaries - Marketing site + public API (web + api route groups, CORS, rate limits). - Guest PWA (resources/js/guest, service worker, background sync, offline cache, uploads). - Event Admin / Tenant Admin PWA (Filament resources, React admin, OAuth2/PKCE, Sanctum). - Payments/Webhooks (Paddle, RevenueCat), media pipeline (uploads/QR/PDF), storage visibility. - Headers/CSP/cookies, session/config defaults, logging hygiene (no PII). ## Workstreams & Checklists 1) Foundations & Threat Model - [x] Map roles/data: - Marketing visitors (no auth; optional contact form PII). - Guest attendees via join token (photos, likes, push subscriptions, optional contact/email if provided). - Tenant collaborators/admins (event config, uploads, member lists, notifications). - Super admins (platform-level controls). - Automated actors (Paddle/RevenueCat webhooks, background workers/queues). - [x] Data classes & storage/retention (baseline): - Photos/media: stored in configured filesystem disks (see `filesystems.php`/storage pipeline), variants via signed URLs; retention governed by tenant settings (per PRP 09/10). - Join tokens & gallery access: tokens (hashing planned), events, and access logs; rate-limit counters; short-lived signed share links. - Account/auth: Sanctum tokens, OAuth (Google), session cookies (`same_site=lax`, secure flag env-driven), PATs; device/browser not fingerprinted by default. - PII/contact: marketing contact form submissions (controller TBD), tenant member lists, notification preferences, billing contact details. - Billing: Paddle/Stripe/PayPal identifiers, checkout sessions, add-on purchases; webhooks queued. - Logs/metrics: structured logs (no PII mandate in PRP 09), Matomo analytics (consent-gated plan), request timing middleware. - [x] Confirm env/header defaults for review: - `.env.example` ships with `APP_DEBUG=true` and `APP_URL=http://localhost`; production must set `APP_DEBUG=false` and HTTPS URL. - Session defaults: driver `redis` (unless overridden), `SESSION_ENCRYPT=false`, `SAME_SITE=lax`, `SESSION_SECURE_COOKIE` unset (inherits HTTPS), partitioned cookies disabled. - CORS: default Laravel config (not customized) => `paths=['api/*','sanctum/csrf-cookie']`, `allowed_origins=['*']`, `allowed_methods=['*']`, credentials `false`. - CSP: web group appends `ContentSecurityPolicy` middleware; in debug/local it skips header. In prod it sets nonce-based `script-src` and broad `style-src 'unsafe-inline' https: data:`; allows Stripe/Paddle/Localize, Matomo origin if configured. - [x] Test identities / fixtures (seeded): - Super admin: `ADMIN_EMAIL`/`ADMIN_PASSWORD` (defaults `admin@example.com` / `ChangeMe123!`) via `SuperAdminSeeder`. - Tenant admin demo: `tenant-demo@fotospiel.app` / `Demo1234!` via `DemoTenantSeeder` (package assigned, verified, active). - Guest tokens: `DemoEventSeeder` seeds `demo-wedding-2025` with join token `W2E3sbt7yclzpkAwNSARHYTVN1sPLBad8hfUjLVHmjkUviPd` (stored hashed+encrypted). Use for guest/PWA/API tests; additional demo event without explicit token uses generated token. - Seed commands: `php artisan migrate --seed` (or targeted seeders: `db:seed --class=SuperAdminSeeder`, `DemoTenantSeeder`, `DemoEventSeeder`). - [ ] Env assumptions for dynamic testing: - Base URL/HTTPS: ensure `APP_URL` points to the test host with HTTPS; set `SESSION_SECURE_COOKIE=true` and `SESSION_SAME_SITE=lax/none` as needed for cross-origin tools. - CORS/stateful domains: configure `SANCTUM_STATEFUL_DOMAINS` to include test origins (e.g., localhost:3000/5173) for SPA/PWA flows; consider tightening CORS from `*` to allowed hosts during tests if feasible. - Storage: confirm disks (local/s3) and public assets linkage (`storage:link`) for media tests; signed URL generation in place. - Webhooks: set Paddle/RevenueCat webhook secrets and target URLs; use throttling expectations (`throttle:60,1` on revenuecat; none on paddle webhooks). - Queues: ensure queue workers running for uploads/scan jobs when exercising media pipelines. ## Role → Data/Storage/Retention Mapping (initial) - Marketing visitor: contact form PII (controller storage TBD); cookies/localStorage for locale/consent; Matomo analytics (consent-gated); no persistent account. - Guest (join token): event/gallery access via token; uploads (photo + EXIF), likes, push subscription keys; cached assets in PWA/service worker; signed share links; rate-limit counters and join-token access logs; retention tied to event/gallery expiry and tenant settings. - Tenant collaborator/admin: account profile, tenant settings, events, members, notifications, tasks, uploads; billing identifiers for purchases; OAuth/Google tokens; Sanctum PATs/session cookies; audit/logs for actions; retention per tenant policy, legal retention for billing. - Super admin: same as tenant admin plus platform-level audit/actions; impersonation logs expected; no extra PII beyond account. - Webhooks (Paddle/RevenueCat): payload identifiers, signatures, session linkage; stored in webhook logs/queue jobs; retention per ops runbook. ## Dynamic Testing Harness Outline (draft) - Identities: use seeded super admin, tenant demo, and demo guest token for auth contexts; create additional tenant collaborator if needed. - Environments: run against local HTTPS host with `APP_URL` set; configure `SANCTUM_STATEFUL_DOMAINS` and cookies for Playwright/DAST sessions; ensure queues running. - Surfaces to script: - Marketing/API: contact form abuse/rate limit, coupon preview, gift voucher flows; check CORS preflight and CSP headers. - Guest PWA: join token gallery load, photo upload (valid/invalid), like/share, push subscription register/delete, offline/cache poison checks; download/share signed URL enforcement. - Event Admin: login (email/password + Google), CRUD on events/photos/members/tasks, package purchase intents (non-payment), photobooth enable/rotate; policy/IDOR checks. - Webhooks: replay signed webhook samples (Paddle/RevenueCat) with stale timestamps to validate signature freshness and idempotency behavior. - Media pipeline: upload with EXIF/malware test samples to observe AV/EXIF handling; verify signed URL visibility and expiry. ## Dynamic Testing Checklists (actionable) - Marketing/API - [ ] Verify CSP headers present in non-debug env; confirm nonce on scripts, no stray inline scripts/styles; note `'unsafe-inline'` styles as risk. - [ ] Exercise contact form with/without JS; confirm throttling and spam validation; inspect error leakage. - [ ] Coupon preview/gift voucher endpoints: validate rate limits, auth bypass attempts, input validation, CORS preflight, and response caching headers. - [ ] Checkout wizard/login/register endpoints: session handling, CSRF, rate limits; ensure APP_DEBUG off to avoid stack traces. - [ ] Public routes return 404/redirects without leaking internal paths. - Guest PWA - [ ] Gallery load with seeded token: check caching headers, ETag, and denial for invalid/expired token. - [ ] Upload tests: valid image, oversized, wrong MIME, EXIF-laden, EICAR sample; expect AV/EXIF handling and clear errors. - [ ] Likes/share: ensure signed share links required; verify signed asset URLs enforce expiry and token scope. - [ ] Push subscription register/delete flows with bad payloads; ensure CORS/preflight and auth tied to token. - [ ] Service worker/cache: verify scope, versioning, offline fallback, and resistance to cache poisoning (stale manifest/assets). - Event Admin - [ ] Login (email/password) and Google OAuth flow happy/failure paths; session fixation/regeneration checks. - [ ] CRUD events/photos/members/tasks with tenant slug mismatch to probe IDOR; verify `tenant.isolation` + policies. - [ ] Package purchase/payment-intent endpoints without completing payment—check idempotency/validation. - [ ] Photobooth enable/rotate/disable endpoints with/without admin role. - [ ] API rate limiting (`throttle:tenant-api`) and error shape consistency; check storage visibility toggles. - Webhooks & Billing - [ ] Replay Paddle/RevenueCat payloads with valid and stale timestamps; confirm signature verification and replay protection. - [ ] Send duplicate IDs to test idempotency locks and queueing behavior; observe logs without PII leakage. - [ ] Ensure webhook routes respect expected throttles (RevenueCat 60/min; Paddle currently none—note risk). - Media Pipeline & Storage - [ ] Signed URL expiry for gallery/download/share links; attempts outside tenant/token should fail. - [ ] Verify private visibility defaults on new uploads and derivatives; public bucket exposure check. - [ ] AV/EXIF queue path fires on upload; monitor job logs for failures. - [x] Replace public URLs: gallery assets and branding/blog banners now use signed routes; tenant photo resource uses signed URLs for variants. - Cross-cutting - [ ] Headers: HSTS, X-Frame-Options/Frame-Ancestors, Referrer-Policy, Permissions-Policy; note gaps. - [ ] CSRF on web forms and SPA flows; session cookie flags (Secure/HttpOnly/SameSite) over HTTPS. - [ ] Rate limits alignment with documented policies; error messages avoid stack traces and sensitive data. ## Low-Priority Follow-ups - Signed URL hardening: shorten TTLs (gallery/branding) and bind signatures to token/event identifiers to reduce replay risk. - Guest asset throttles: add rate limiters for gallery asset/download/share routes keyed by token+IP; optional given existing monitoring. - CORS prod allowlist: env config present; set `CORS_ALLOWED_ORIGINS` in prod/stage to match Traefik when ready. - Logging hygiene: keep avoiding raw tokens/paths in logs; review when adding new logging. ## CSP Tightening Plan - Add style nonces everywhere inline styles exist (root blade/templates) and remove `style-src 'unsafe-inline'` outside dev. - Ensure script nonce is applied (already set via Vite); audit any inline event handlers. - Add `frame-ancestors 'self'` to CSP to align with X-Frame-Options. ## Guest Upload Gating Plan (scan-before-publish, auto-approve; optional moderation) - Goals: keep guest uploads pending until AV/EXIF scan completes; auto-approve if clean; optional moderation toggle for tenants that want manual review; serve assets via signed URLs/private storage after approval. - Storage/visibility: - Store uploads on private disk (no public `Storage::url`); serve via signed URLs scoped to event/token with short TTL. - Keep `status=pending` until scan completes; do not expose paths in API responses until approved. - Security scanning: - Dispatch `ProcessPhotoSecurityScan` on upload; mark `security_scan_status` and `security_scanned_at`. - If infected/error: mark `rejected` with reason; optionally delete/quarantine asset and log. - Approval workflow: - Default: auto-approve when scan returns clean. Optional tenant/event flag `photo_upload_requires_manual_approval` to hold after scan for manual review (default off). - Pending uploads can surface in admin (list + bulk approve/reject) only when manual flag is on. - API changes: - Guest upload response: return pending state and no direct file URLs while pending. - Gallery/photos endpoints: filter to approved only; include pending count for admin if manual flag is on. - Signed URL generation: use `Storage::temporaryUrl` or signed route; avoid raw public paths. - Rate/abuse controls: - Preserve per-token/device limits; consider stricter throttles while approval is enabled. - Log join-token usage and anomalies for audit. - Migration/rollout: - Backfill existing photos to `approved` to avoid breaking live galleries. - Feature flag to enable per-tenant/event; add config toggle and admin UI. - Testing: - Feature tests for pending upload, approval flow, rejection, and signed URL access control; scan failure path blocks approval. - [x] Trust boundaries/entrypoints: - Marketing/Inertia under `/{locale}` prefix (`de|en`) with session/Accept-Language fallback redirect; login/register guarded by `guest` middleware; contact forms throttled (`throttle:contact-form`); gift voucher print uses `signed`. - Guest PWA entry at `/event`, `/g/{token}`, `/e/{token}/{path?}`, `/share/{slug}` (views rendered by `guest` blade; tokens unauthed). - Event Admin shell under `/event-admin/*` with Google OAuth endpoints; auth enforced in controller; SPA catch-all `/{view?}`. - Checkout endpoints always exposed (`/purchase-wizard/{package}`, `/checkout/{package}`, `/checkout/*` helpers, `/paddle/webhook`); Paddle webhook lacks explicit throttle middleware. - API entry at `/api/v1` (see details below); testing-only routes gated by env check. 2) Marketing Frontend + Public API - [x] Inventory routes/middleware (auth, rate limits, CORS, cache/ETag) and note anonymous vs authenticated paths: - Marketing web routes: locale-prefixed group; auth pages gated by `guest`; contact/kontakt POST throttled; gift voucher print signed; profile/voucher-status require `auth`; marketing fallbacks render Inertia 404. Legacy unprefixed routes redirect to locale-prefixed equivalents. - Event Admin: `/event-admin` routes include auth/login/logout/dashboard and SPA catch-all; rely on controller auth checks (middleware not on route). - Guest PWA: view routes for gallery/event/share are unauthenticated; token patterns unconstrained except share slug regex. - Checkout: purchase-wizard/checkout routes toggled by `config('checkout.enabled')`; login/register/track-abandoned POSTs exposed; Paddle webhook route has no rate limit middleware. - Public API: `api/v1` marketing coupon/gift voucher endpoints throttled (`throttle:*`), RevenueCat webhook throttled `60,1`. Public event/gallery endpoints grouped under `throttle:100,1`; signed URLs for share assets/downloads; uploads exposed at `/events/{token}/upload` and `/photobooth/sparkbooth/upload`. - Tenant API: `auth:sanctum`, `tenant.collaborator`, `tenant.isolation`, `throttle:tenant-api` on `/api/v1/tenant/*`; many routes further gated by `tenant.admin`; package/credit checks on event mutations; signed download/layout routes within tenant scope. - [ ] Review controllers/resources for authz (policies/gates), FormRequest validation, mass assignment, IDOR risks. - [ ] Check response handling (error leakage, pagination limits, idempotency on mutations). - [ ] Review CSP/headers/cookies and analytics gating; verify no `unsafe-inline` without nonce/hash plan. 3) Guest PWA - [ ] Verify join token handling (hashing/migration alignment with `SEC-GT-*`), gallery/photo rate limits, throttling per token/IP. - [ ] Inspect upload validation (MIME/size/dimensions), background sync request signing, storage visibility. - [ ] Audit service worker scope, cache versioning/poisoning risk, offline fallbacks, and CSP for PWA. 4) Event Admin (Filament + React Admin) - [ ] Audit Filament resources/actions for policy checks, scoping, mass assignment guards. - [ ] Confirm OAuth2/PKCE + Sanctum session handling, role checks, impersonation/tenant boundary controls. - [ ] Review file handling inside admin (imports/exports/PDF/QR) for SSRF/path traversal. 5) Payments & Webhooks - [ ] Validate Paddle/RevenueCat webhook signature verification, timestamp/replay defense, idempotency locks, queueing. - [ ] Check linkage between webhooks and checkout/session state; ensure failures alert and redact PII. 6) Media Pipeline & Storage - [ ] Confirm AV/EXIF scanning coverage, checksum verification, and private visibility defaults. - [ ] Review signed URL usage/expiry, path traversal protections, and storage bucket separation per tenant. 7) Dynamic Testing - [ ] Set up test identities (guest token, tenant admin, super admin) and auth contexts for tooling. - [ ] Run targeted DAST/Playwright flows for each surface (authn/z, uploads, rate limiting, CORS preflight). - [ ] Fuzz uploads (images/metadata) and verify rejection paths + logging. ## Evidence & Logging - Log session notes and findings in `docs/process/changes/YYYY-MM-DD-security-review-*.md`. - Update checklist statuses here after each pass. - Open issues for remediation items, linking back to findings and relevant `SEC-*` tickets.