fix(GRO-634): implement auth & authorization security hardening (8 findings)

- Remove placeholder secret fallback, require BETTER_AUTH_SECRET when AUTH_DISABLED=true
- Fix TOCTOU race in setup: use INSERT...RETURNING for atomic confirmation token creation
- Fix confirmation token replay: atomic UPDATE with WHERE clause prevents double-use
- Add CSRF origin-check middleware for non-safe HTTP methods
- Validate OIDC discovery URL hostname matches configured issuer
- Use timing-safe comparison for iCal authentication tokens
- Add rate limiting (10 req/min per IP) on setup endpoints
- Fix RBAC error messages: correct inversion of privilege check

apps/api/src/index.ts

@@ -42,6 +42,23 @@ app.use(
   })
 );
 
+// CSRF protection for state-changing requests
+app.use("/api/*", async (c, next) => {
+  const method = c.req.method;
+  if (["GET", "HEAD", "OPTIONS"].includes(method)) {
+    await next();
+    return;
+  }
+  const origin = c.req.header("origin");
+  const trustedOrigin = process.env.CORS_ORIGIN ?? "http://localhost:5173";
+  if (origin && origin !== trustedOrigin) {
+    c.status(403);
+    c.json({ error: "CSRF validation failed: origin mismatch" });
+    return;
+  }
+  await next();
+});
+
 // Health check (no auth required)
 app.get("/health", (c) => c.json({ status: "ok" }));