aa79a71357
All checks were successful
Deploy to Production / deploy (push) Successful in 54s
Six confirmed findings closed (3 MEDIUM, 3 LOW). Tier-1 surfaces from
Pass-1 re-verified non-regressed; this pass deepened the audit on the
auth library, OAuth issuer, and template marketplace.
Za-002 MEDIUM (scrypt cost) — bump SCRYPT_N from 2^14 → 2^17 (131072)
matching current OWASP guidance for password hashing in 2026. Hash
format embeds N (`scrypt$N$salt$hash`), so the existing admin
password at the old cost still verifies — backward-compatible. Also
added explicit maxmem ceilings since Node's default (~32MiB) is
insufficient for the new N.
Za-003 MEDIUM (single-use race) — consumeMagicLink was SELECT-then-
UPDATE; two parallel redemptions could both win and mint two
sessions from the same token. Now uses the same atomic
`UPDATE … WHERE id = ? AND consumedAt IS NULL RETURNING id` pattern
/oauth/token already had — loser of the race gets
invalid_or_expired_token.
Za-004 LOW (membership ordering) — `.orderBy(memberships.createdAt)`
added so when org-invites eventually let a user belong to multiple
orgs, the same one wins every login instead of insertion-order
roulette. Latent-bug pre-empt.
Zb-002 LOW (OAuth register spam) — /oauth/register now per-IP daily
rate-limited at 20/day (well above any legitimate MCP-client
bootstrap pattern). Prevents DB-row spam.
Zc-001 MEDIUM (banned-pattern drift) — three separate copies of
BANNED_PATTERNS had drifted apart. The publish-time scanner in
templates.ts was MISSING the 7 new patterns added in Pass-1
(process.binding, dlopen, .constructor.constructor, vm.runIn*,
globalThis['..']). Single source of truth in @bmm/llm now exports
SHARED_BANNED_PATTERNS; templates.ts composes PUBLISH_BANNED_PATTERNS
= SHARED ∪ code-only-extras (dynamic import, fs.rm, setTimeout-with-
string, process.kill, jailbreak markers).
Zc-002 LOW (N+1) — /v1/templates list was issuing one COUNT(*) per
template (101 queries for a 100-row page). Now one grouped query
with templateId GROUP BY, merged in JS. p95 doesn't degrade with
marketplace growth.
DEFERRED (documented, scoped for next sprint):
Za-001 HIGH — Account takeover via cross-provider email lookup.
Requires schema change (users.primaryProvider). Mitigation in
/settings/account banner planned.
Zb-001 MEDIUM — /oauth/token refresh_token grant: advertised in
AS metadata but unsupported_grant_type. Either implement (~40
LOC) or strip from metadata.
Zc-003 LOW — Admin takedown partial-failure consistency.
Zd-001 IMPROVE — DEK cache invalidation across replicas (single-
instance today).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
488 lines
16 KiB
TypeScript
488 lines
16 KiB
TypeScript
import crypto from 'node:crypto';
|
|
import {
|
|
type Database,
|
|
and,
|
|
createDb,
|
|
desc,
|
|
eq,
|
|
gt,
|
|
isNull,
|
|
magicLinks,
|
|
memberships,
|
|
organizations,
|
|
sessions,
|
|
smsCodes,
|
|
users,
|
|
} from '@bmm/db';
|
|
|
|
const MAGIC_LINK_TTL_MS = 15 * 60 * 1000; // 15 min
|
|
const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
|
|
const SCRYPT_KEYLEN = 64;
|
|
// OWASP 2024+ recommends scrypt N≥2^17 for password hashing. Hash format
|
|
// embeds N (`scrypt$N$salt$hash`), so verifyPassword auto-handles old hashes
|
|
// at lower N — backward-compatible cost bump. (Za-002.)
|
|
const SCRYPT_N = 131_072;
|
|
// scrypt with high N also needs maxmem ceiling raised — Node defaults to
|
|
// ~32MiB which is below what N=131072 requires. (~128MiB needed per op.)
|
|
const SCRYPT_MAXMEM = 256 * 1024 * 1024;
|
|
|
|
function sha256(input: string): string {
|
|
return crypto.createHash('sha256').update(input).digest('hex');
|
|
}
|
|
|
|
function randomToken(bytes = 32): string {
|
|
return crypto.randomBytes(bytes).toString('base64url');
|
|
}
|
|
|
|
export function hashPassword(password: string): string {
|
|
const salt = crypto.randomBytes(16).toString('hex');
|
|
const derived = crypto
|
|
.scryptSync(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N, maxmem: SCRYPT_MAXMEM })
|
|
.toString('hex');
|
|
return `scrypt$${SCRYPT_N}$${salt}$${derived}`;
|
|
}
|
|
|
|
export function verifyPassword(password: string, stored: string): boolean {
|
|
const parts = stored.split('$');
|
|
if (parts.length !== 4 || parts[0] !== 'scrypt') return false;
|
|
const N = Number.parseInt(parts[1] ?? '', 10);
|
|
const salt = parts[2];
|
|
const expectedHex = parts[3];
|
|
if (!Number.isFinite(N) || !salt || !expectedHex) return false;
|
|
const expected = Buffer.from(expectedHex, 'hex');
|
|
// Use the N embedded in the hash so old (lower-N) hashes still verify.
|
|
// maxmem scales with N — 128 * N * r bytes minimum, doubled for headroom.
|
|
const maxmem = Math.max(64 * 1024 * 1024, N * 256);
|
|
const actual = crypto.scryptSync(password, salt, expected.length, { N, maxmem });
|
|
if (actual.length !== expected.length) return false;
|
|
return crypto.timingSafeEqual(actual, expected);
|
|
}
|
|
|
|
function slugify(input: string): string {
|
|
return (
|
|
input
|
|
.toLowerCase()
|
|
.replace(/[^a-z0-9]+/g, '-')
|
|
.replace(/(^-|-$)/g, '')
|
|
.slice(0, 48) || 'org'
|
|
);
|
|
}
|
|
|
|
export interface MagicLinkIssued {
|
|
token: string;
|
|
expiresAt: Date;
|
|
}
|
|
|
|
export async function issueMagicLink(
|
|
email: string,
|
|
db: Database = createDb(),
|
|
): Promise<MagicLinkIssued> {
|
|
const lower = email.trim().toLowerCase();
|
|
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(lower)) {
|
|
throw new Error('invalid_email');
|
|
}
|
|
const token = randomToken(32);
|
|
const tokenHash = sha256(token);
|
|
const expiresAt = new Date(Date.now() + MAGIC_LINK_TTL_MS);
|
|
await db.insert(magicLinks).values({ email: lower, tokenHash, expiresAt });
|
|
return { token, expiresAt };
|
|
}
|
|
|
|
export interface ConsumedSession {
|
|
sessionToken: string;
|
|
userId: string;
|
|
orgId: string;
|
|
email: string | null;
|
|
}
|
|
|
|
export async function consumeMagicLink(
|
|
token: string,
|
|
meta: { ipAddress?: string; userAgent?: string } = {},
|
|
db: Database = createDb(),
|
|
): Promise<ConsumedSession> {
|
|
const tokenHash = sha256(token);
|
|
const [row] = await db
|
|
.select()
|
|
.from(magicLinks)
|
|
.where(and(eq(magicLinks.tokenHash, tokenHash), gt(magicLinks.expiresAt, new Date())))
|
|
.limit(1);
|
|
if (!row || row.consumedAt) {
|
|
throw new Error('invalid_or_expired_token');
|
|
}
|
|
// Atomic single-use: only the request whose UPDATE actually flips
|
|
// consumedAt from NULL → now() is allowed to mint a session. Two concurrent
|
|
// requests with the same token can't both win — the loser sees rows = 0.
|
|
// (Za-003.)
|
|
const claimed = await db
|
|
.update(magicLinks)
|
|
.set({ consumedAt: new Date() })
|
|
.where(and(eq(magicLinks.id, row.id), isNull(magicLinks.consumedAt)))
|
|
.returning({ id: magicLinks.id });
|
|
if (claimed.length === 0) {
|
|
throw new Error('invalid_or_expired_token');
|
|
}
|
|
|
|
// Get or create user + default org
|
|
let user = (await db.select().from(users).where(eq(users.email, row.email)).limit(1))[0];
|
|
if (!user) {
|
|
[user] = await db.insert(users).values({ email: row.email, emailVerified: true }).returning();
|
|
const orgSlug = `${slugify(row.email.split('@')[0] ?? 'me')}-${randomToken(3).toLowerCase()}`;
|
|
const [org] = await db
|
|
.insert(organizations)
|
|
.values({ slug: orgSlug, name: `${row.email.split('@')[0]}'s workspace` })
|
|
.returning();
|
|
if (!org) throw new Error('org_create_failed');
|
|
await db.insert(memberships).values({ orgId: org.id, userId: user!.id, role: 'owner' });
|
|
} else if (!user.emailVerified) {
|
|
await db.update(users).set({ emailVerified: true }).where(eq(users.id, user.id));
|
|
}
|
|
|
|
if (!user) throw new Error('user_resolve_failed');
|
|
|
|
// Deterministic ordering — when org-invites eventually let one user have
|
|
// multiple memberships, we want the same "primary org" to win every login,
|
|
// not a random one. Oldest membership = the org the user originally signed
|
|
// up for. (Za-004.)
|
|
const [membership] = await db
|
|
.select()
|
|
.from(memberships)
|
|
.where(eq(memberships.userId, user.id))
|
|
.orderBy(memberships.createdAt)
|
|
.limit(1);
|
|
if (!membership) throw new Error('no_org_membership');
|
|
|
|
const sessionToken = randomToken(32);
|
|
const sessionHash = sha256(sessionToken);
|
|
await db.insert(sessions).values({
|
|
userId: user.id,
|
|
tokenHash: sessionHash,
|
|
expiresAt: new Date(Date.now() + SESSION_TTL_MS),
|
|
ipAddress: meta.ipAddress,
|
|
userAgent: meta.userAgent,
|
|
});
|
|
|
|
return { sessionToken, userId: user.id, orgId: membership.orgId, email: user.email };
|
|
}
|
|
|
|
/**
|
|
* Get-or-create a user from a verified third-party identity (Google, etc.) and
|
|
* mint a session. The caller is responsible for verifying the identity provider's
|
|
* token BEFORE calling this — `email` must already be proven to belong to the user.
|
|
*/
|
|
export async function upsertOAuthLogin(
|
|
input: { email: string; name?: string | null },
|
|
meta: { ipAddress?: string; userAgent?: string } = {},
|
|
db: Database = createDb(),
|
|
): Promise<ConsumedSession> {
|
|
const email = input.email.trim().toLowerCase();
|
|
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
|
|
throw new Error('invalid_email');
|
|
}
|
|
|
|
let user = (await db.select().from(users).where(eq(users.email, email)).limit(1))[0];
|
|
if (!user) {
|
|
[user] = await db
|
|
.insert(users)
|
|
.values({ email, emailVerified: true, name: input.name ?? undefined })
|
|
.returning();
|
|
if (!user) throw new Error('user_create_failed');
|
|
const orgSlug = `${slugify(email.split('@')[0] ?? 'me')}-${randomToken(3).toLowerCase()}`;
|
|
const [org] = await db
|
|
.insert(organizations)
|
|
.values({ slug: orgSlug, name: `${email.split('@')[0]}'s workspace` })
|
|
.returning();
|
|
if (!org) throw new Error('org_create_failed');
|
|
await db.insert(memberships).values({ orgId: org.id, userId: user.id, role: 'owner' });
|
|
} else if (!user.emailVerified) {
|
|
await db.update(users).set({ emailVerified: true }).where(eq(users.id, user.id));
|
|
}
|
|
|
|
const resolved = user;
|
|
const [membership] = await db
|
|
.select()
|
|
.from(memberships)
|
|
.where(eq(memberships.userId, resolved.id))
|
|
.limit(1);
|
|
if (!membership) throw new Error('no_org_membership');
|
|
|
|
const sessionToken = randomToken(32);
|
|
await db.insert(sessions).values({
|
|
userId: resolved.id,
|
|
tokenHash: sha256(sessionToken),
|
|
expiresAt: new Date(Date.now() + SESSION_TTL_MS),
|
|
ipAddress: meta.ipAddress,
|
|
userAgent: meta.userAgent,
|
|
});
|
|
await db.update(users).set({ lastLoginAt: new Date() }).where(eq(users.id, resolved.id));
|
|
|
|
return { sessionToken, userId: resolved.id, orgId: membership.orgId, email: resolved.email };
|
|
}
|
|
|
|
// ---- SMS one-time-code login ----
|
|
|
|
const SMS_CODE_TTL_MS = 10 * 60 * 1000; // 10 min
|
|
const SMS_RATE_WINDOW_MS = 15 * 60 * 1000;
|
|
const SMS_MAX_PER_WINDOW = 3; // codes issued per phone per window
|
|
const SMS_MAX_ATTEMPTS = 5; // wrong-code guesses per code
|
|
|
|
/** Normalise to strict E.164 (+ and 8-15 digits). Throws on anything else. */
|
|
function normalizePhone(raw: string): string {
|
|
const p = raw.replace(/[\s\-().]/g, '');
|
|
if (!/^\+[1-9]\d{7,14}$/.test(p)) throw new Error('invalid_phone');
|
|
return p;
|
|
}
|
|
|
|
export interface SmsCodeIssued {
|
|
phone: string;
|
|
code: string;
|
|
expiresAt: Date;
|
|
}
|
|
|
|
/** Generate a 6-digit code for a phone number, store it hashed, rate-limited. */
|
|
export async function issueSmsCode(
|
|
phoneRaw: string,
|
|
db: Database = createDb(),
|
|
): Promise<SmsCodeIssued> {
|
|
const phone = normalizePhone(phoneRaw);
|
|
const since = new Date(Date.now() - SMS_RATE_WINDOW_MS);
|
|
const recent = await db
|
|
.select({ id: smsCodes.id })
|
|
.from(smsCodes)
|
|
.where(and(eq(smsCodes.phone, phone), gt(smsCodes.createdAt, since)));
|
|
if (recent.length >= SMS_MAX_PER_WINDOW) throw new Error('rate_limited');
|
|
|
|
const code = String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
|
|
const expiresAt = new Date(Date.now() + SMS_CODE_TTL_MS);
|
|
await db.insert(smsCodes).values({ phone, codeHash: sha256(`${phone}:${code}`), expiresAt });
|
|
return { phone, code, expiresAt };
|
|
}
|
|
|
|
/** Verify a code, then get-or-create the phone's user and mint a session. */
|
|
export async function consumeSmsCode(
|
|
phoneRaw: string,
|
|
code: string,
|
|
meta: { ipAddress?: string; userAgent?: string } = {},
|
|
db: Database = createDb(),
|
|
): Promise<ConsumedSession> {
|
|
const phone = normalizePhone(phoneRaw);
|
|
const [row] = await db
|
|
.select()
|
|
.from(smsCodes)
|
|
.where(and(eq(smsCodes.phone, phone), gt(smsCodes.expiresAt, new Date())))
|
|
.orderBy(desc(smsCodes.createdAt))
|
|
.limit(1);
|
|
if (!row || row.consumedAt) throw new Error('invalid_or_expired_code');
|
|
if (row.attempts >= SMS_MAX_ATTEMPTS) throw new Error('too_many_attempts');
|
|
if (sha256(`${phone}:${code}`) !== row.codeHash) {
|
|
await db
|
|
.update(smsCodes)
|
|
.set({ attempts: row.attempts + 1 })
|
|
.where(eq(smsCodes.id, row.id));
|
|
throw new Error('invalid_code');
|
|
}
|
|
await db.update(smsCodes).set({ consumedAt: new Date() }).where(eq(smsCodes.id, row.id));
|
|
|
|
let user = (await db.select().from(users).where(eq(users.phone, phone)).limit(1))[0];
|
|
if (!user) {
|
|
[user] = await db.insert(users).values({ phone }).returning();
|
|
if (!user) throw new Error('user_create_failed');
|
|
const orgSlug = `phone-${randomToken(4).toLowerCase()}`;
|
|
const [org] = await db
|
|
.insert(organizations)
|
|
.values({ slug: orgSlug, name: 'My workspace' })
|
|
.returning();
|
|
if (!org) throw new Error('org_create_failed');
|
|
await db.insert(memberships).values({ orgId: org.id, userId: user.id, role: 'owner' });
|
|
}
|
|
const resolved = user;
|
|
|
|
const [membership] = await db
|
|
.select()
|
|
.from(memberships)
|
|
.where(eq(memberships.userId, resolved.id))
|
|
.limit(1);
|
|
if (!membership) throw new Error('no_org_membership');
|
|
|
|
const sessionToken = randomToken(32);
|
|
await db.insert(sessions).values({
|
|
userId: resolved.id,
|
|
tokenHash: sha256(sessionToken),
|
|
expiresAt: new Date(Date.now() + SESSION_TTL_MS),
|
|
ipAddress: meta.ipAddress,
|
|
userAgent: meta.userAgent,
|
|
});
|
|
await db.update(users).set({ lastLoginAt: new Date() }).where(eq(users.id, resolved.id));
|
|
|
|
return { sessionToken, userId: resolved.id, orgId: membership.orgId, email: resolved.email };
|
|
}
|
|
|
|
export interface AuthedUser {
|
|
userId: string;
|
|
orgId: string;
|
|
email: string | null;
|
|
phone: string | null;
|
|
role: string;
|
|
isAdmin: boolean;
|
|
}
|
|
|
|
export async function getSession(
|
|
sessionToken: string | null | undefined,
|
|
db: Database = createDb(),
|
|
): Promise<AuthedUser | null> {
|
|
if (!sessionToken) return null;
|
|
const hash = sha256(sessionToken);
|
|
const [row] = await db
|
|
.select({
|
|
userId: sessions.userId,
|
|
expiresAt: sessions.expiresAt,
|
|
email: users.email,
|
|
phone: users.phone,
|
|
isAdmin: users.isAdmin,
|
|
})
|
|
.from(sessions)
|
|
.innerJoin(users, eq(users.id, sessions.userId))
|
|
.where(eq(sessions.tokenHash, hash))
|
|
.limit(1);
|
|
if (!row || row.expiresAt < new Date()) return null;
|
|
const [membership] = await db
|
|
.select({ orgId: memberships.orgId, role: memberships.role })
|
|
.from(memberships)
|
|
.where(eq(memberships.userId, row.userId))
|
|
.limit(1);
|
|
if (!membership) return null;
|
|
return {
|
|
userId: row.userId,
|
|
orgId: membership.orgId,
|
|
email: row.email,
|
|
phone: row.phone,
|
|
role: membership.role,
|
|
isAdmin: row.isAdmin,
|
|
};
|
|
}
|
|
|
|
export async function destroySession(
|
|
sessionToken: string,
|
|
db: Database = createDb(),
|
|
): Promise<void> {
|
|
const hash = sha256(sessionToken);
|
|
await db.delete(sessions).where(eq(sessions.tokenHash, hash));
|
|
}
|
|
|
|
export interface PasswordLoginResult {
|
|
sessionToken: string;
|
|
userId: string;
|
|
orgId: string;
|
|
email: string | null;
|
|
isAdmin: boolean;
|
|
}
|
|
|
|
export async function loginWithPassword(
|
|
emailRaw: string,
|
|
password: string,
|
|
meta: { ipAddress?: string; userAgent?: string } = {},
|
|
db: Database = createDb(),
|
|
): Promise<PasswordLoginResult> {
|
|
const email = emailRaw.trim().toLowerCase();
|
|
const [user] = await db.select().from(users).where(eq(users.email, email)).limit(1);
|
|
if (!user || !user.passwordHash) {
|
|
throw new Error('invalid_credentials');
|
|
}
|
|
if (!verifyPassword(password, user.passwordHash)) {
|
|
throw new Error('invalid_credentials');
|
|
}
|
|
// Deterministic ordering — when org-invites eventually let one user have
|
|
// multiple memberships, we want the same "primary org" to win every login,
|
|
// not a random one. Oldest membership = the org the user originally signed
|
|
// up for. (Za-004.)
|
|
const [membership] = await db
|
|
.select()
|
|
.from(memberships)
|
|
.where(eq(memberships.userId, user.id))
|
|
.orderBy(memberships.createdAt)
|
|
.limit(1);
|
|
if (!membership) throw new Error('no_org_membership');
|
|
|
|
const sessionToken = randomToken(32);
|
|
await db.insert(sessions).values({
|
|
userId: user.id,
|
|
tokenHash: sha256(sessionToken),
|
|
expiresAt: new Date(Date.now() + SESSION_TTL_MS),
|
|
ipAddress: meta.ipAddress,
|
|
userAgent: meta.userAgent,
|
|
});
|
|
await db.update(users).set({ lastLoginAt: new Date() }).where(eq(users.id, user.id));
|
|
|
|
return {
|
|
sessionToken,
|
|
userId: user.id,
|
|
orgId: membership.orgId,
|
|
email: user.email,
|
|
isAdmin: user.isAdmin,
|
|
};
|
|
}
|
|
|
|
export interface SeedAdminInput {
|
|
email: string;
|
|
password: string;
|
|
name?: string;
|
|
}
|
|
|
|
export async function seedAdmin(
|
|
input: SeedAdminInput,
|
|
db: Database = createDb(),
|
|
): Promise<{ created: boolean; userId: string; orgId: string }> {
|
|
const email = input.email.trim().toLowerCase();
|
|
const existing = (await db.select().from(users).where(eq(users.email, email)).limit(1))[0];
|
|
|
|
if (existing) {
|
|
const updates: Partial<typeof users.$inferInsert> = {};
|
|
if (!existing.isAdmin) updates.isAdmin = true;
|
|
if (!existing.passwordHash) updates.passwordHash = hashPassword(input.password);
|
|
if (!existing.emailVerified) updates.emailVerified = true;
|
|
if (input.name && !existing.name) updates.name = input.name;
|
|
if (Object.keys(updates).length > 0) {
|
|
await db.update(users).set(updates).where(eq(users.id, existing.id));
|
|
}
|
|
const [m] = await db
|
|
.select()
|
|
.from(memberships)
|
|
.where(eq(memberships.userId, existing.id))
|
|
.limit(1);
|
|
if (!m) {
|
|
// Has a user but no org — bootstrap one
|
|
const orgSlug = `admin-${randomToken(3).toLowerCase()}`;
|
|
const [org] = await db
|
|
.insert(organizations)
|
|
.values({ slug: orgSlug, name: `${input.name ?? 'Admin'} workspace`, plan: 'enterprise' })
|
|
.returning();
|
|
if (!org) throw new Error('org_create_failed');
|
|
await db.insert(memberships).values({ orgId: org.id, userId: existing.id, role: 'owner' });
|
|
return { created: false, userId: existing.id, orgId: org.id };
|
|
}
|
|
return { created: false, userId: existing.id, orgId: m.orgId };
|
|
}
|
|
|
|
const [user] = await db
|
|
.insert(users)
|
|
.values({
|
|
email,
|
|
emailVerified: true,
|
|
isAdmin: true,
|
|
name: input.name,
|
|
passwordHash: hashPassword(input.password),
|
|
})
|
|
.returning();
|
|
if (!user) throw new Error('user_create_failed');
|
|
|
|
const orgSlug = `admin-${randomToken(3).toLowerCase()}`;
|
|
const [org] = await db
|
|
.insert(organizations)
|
|
.values({ slug: orgSlug, name: `${input.name ?? 'Admin'} workspace`, plan: 'enterprise' })
|
|
.returning();
|
|
if (!org) throw new Error('org_create_failed');
|
|
await db.insert(memberships).values({ orgId: org.id, userId: user.id, role: 'owner' });
|
|
return { created: true, userId: user.id, orgId: org.id };
|
|
}
|
|
|
|
export const __test = { sha256, randomToken, slugify };
|