cm_whatsapp_bot_v1

yiekheng/cm_whatsapp_bot_v1

Fork 0

Commit Graph

Author	SHA1	Message	Date
yiekheng	f69652d43b	feat(web): AES-GCM cookies + per-username/global rate limit + origin check Three layers of login hardening pulled together — addresses the "don't let middleman / robot easily log in by mimicking headers" follow-up. 1. AES-256-GCM session cookie (apps/web/src/lib/auth-cookie.ts) The old format was base64-encoded JSON + HMAC-SHA256 signature, so anyone with the cookie could read userId/role straight off the bytes. Switched to AES-GCM authenticated encryption: the payload is encrypted with a 256-bit key derived from AUTH_SECRET via SHA-256, a fresh 12-byte nonce is drawn per encryption (never reused — locked in by test), and tampering with either the IV or ciphertext fails the GCM auth tag → decrypt throws → null. Cookie format: <base64url(iv)>.<base64url(ciphertext+tag)> Existing cookies become invalid on deploy because the IV portion doesn't decode to 12 bytes — middleware bounces them to /login. No env bump needed; users just sign in once with the new secret. 2. Three-layer rate limit on loginAction Old: per-IP only. An attacker with a residential-proxy pool or spoofed X-Forwarded-For could hop IPs and brute one account. New: Promise.all of three checkRateLimit calls - per-IP login:<ip> 10 / 5 min - per-username login-user:<lower> 5 / 15 min - global login-global 100 / min (backstop) First-hit wins; logger captures which limit tripped (ip / username / global) without telling the attacker which one. 3. Action-level Origin/Host check serverActions.allowedOrigins already does this at the framework layer; running it inside loginAction lets us log the mismatch and reject before bcrypt + DB. Missing Origin treated as same-origin (RFC: same-origin POSTs may omit it). Malformed Origin → reject. Tests: - auth-cookie.test.ts updated to AES-GCM (15 tests, +4 vs HMAC): fresh IV per encryption, ciphertext doesn't leak userId/role, IV-swap rejected, ciphertext-tamper rejected, wrong-length IV rejected, malformed b64 doesn't throw. - auth.test.ts adds 7 new cases: three-layer key shape, per-username limit alone trips, global limit alone trips, cross-origin rejected, same-origin accepted, missing-Origin treated as same-origin, malformed-Origin rejected. Web suite 453 → 463 tests, all green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-10 20:41:49 +08:00
yiekheng	27b7a3df1f	feat(web): edge-safe HMAC-signed session cookie signSession + verifySession run on Edge runtime (Web Crypto only). Verifier checks signature (constant-time compare), expiry, clock-skew on iat (60s tolerance), token version vs OPERATOR_TOKEN_VERSION env, and role-shape sanity. 11 unit tests cover round-trip plus every rejection path attackers could probe.	2026-05-10 17:43:01 +08:00

Author

SHA1

Message

Date

yiekheng

f69652d43b

feat(web): AES-GCM cookies + per-username/global rate limit + origin check

Three layers of login hardening pulled together — addresses the
"don't let middleman / robot easily log in by mimicking headers"
follow-up.

1. AES-256-GCM session cookie (apps/web/src/lib/auth-cookie.ts)

   The old format was base64-encoded JSON + HMAC-SHA256 signature, so
   anyone with the cookie could read userId/role straight off the
   bytes. Switched to AES-GCM authenticated encryption: the payload
   is encrypted with a 256-bit key derived from AUTH_SECRET via
   SHA-256, a fresh 12-byte nonce is drawn per encryption (never
   reused — locked in by test), and tampering with either the IV or
   ciphertext fails the GCM auth tag → decrypt throws → null.

   Cookie format: <base64url(iv)>.<base64url(ciphertext+tag)>

   Existing cookies become invalid on deploy because the IV portion
   doesn't decode to 12 bytes — middleware bounces them to /login.
   No env bump needed; users just sign in once with the new secret.

2. Three-layer rate limit on loginAction

   Old: per-IP only. An attacker with a residential-proxy pool or
   spoofed X-Forwarded-For could hop IPs and brute one account.
   New: Promise.all of three checkRateLimit calls
     - per-IP        login:<ip>          10 / 5 min
     - per-username  login-user:<lower>  5 / 15 min
     - global        login-global        100 / min (backstop)
   First-hit wins; logger captures which limit tripped (ip / username
   / global) without telling the attacker which one.

3. Action-level Origin/Host check

   serverActions.allowedOrigins already does this at the framework
   layer; running it inside loginAction lets us log the mismatch and
   reject before bcrypt + DB. Missing Origin treated as same-origin
   (RFC: same-origin POSTs may omit it). Malformed Origin → reject.

Tests:
  - auth-cookie.test.ts updated to AES-GCM (15 tests, +4 vs HMAC):
    fresh IV per encryption, ciphertext doesn't leak userId/role,
    IV-swap rejected, ciphertext-tamper rejected, wrong-length IV
    rejected, malformed b64 doesn't throw.
  - auth.test.ts adds 7 new cases: three-layer key shape, per-username
    limit alone trips, global limit alone trips, cross-origin rejected,
    same-origin accepted, missing-Origin treated as same-origin,
    malformed-Origin rejected.

Web suite 453 → 463 tests, all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-10 20:41:49 +08:00

yiekheng

27b7a3df1f

feat(web): edge-safe HMAC-signed session cookie

signSession + verifySession run on Edge runtime (Web Crypto only).
Verifier checks signature (constant-time compare), expiry, clock-skew
on iat (60s tolerance), token version vs OPERATOR_TOKEN_VERSION env,
and role-shape sanity. 11 unit tests cover round-trip plus every
rejection path attackers could probe.

2026-05-10 17:43:01 +08:00

2 Commits