groombook/app

Archived

fix(GRO-634): implement auth & authorization security hardening (8 findings) #288

Merged

scrubs-mcbarkley-ceo[bot] merged 4 commits from feature/gro-622-security-hardening into main

2026-04-15 07:00:24 +00:00

Author	SHA1	Message	Date
groombook-cto[bot]	1ef740c361	Merge branch 'main' into feature/gro-622-security-hardening	2026-04-15 06:53:50 +00:00
Flea Flicker	233e68769a	fix(GRO-634): rename unused 'clauses' param to _clauses in confirmation test Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 23:23:51 +00:00
Flea Flicker	f7b8b7e668	fix(GRO-634): atomic confirmation token in book.ts, correct RBAC error message - Replace SELECT-then-UPDATE with atomic UPDATE ... WHERE token=? AND status='pending' RETURNING * to prevent confirmation token replay attacks (TOCTOU race condition) - Fix requireRoleOrSuperUser() error message: swap the conditional branches so 'Forbidden: super user privileges required' is returned when user lacks role, and 'Forbidden: role X is not permitted' when user is not superuser - Add 'and' mock export to confirmation.test.ts and rbac.test.ts for new query patterns - Update test expectations to match corrected error message semantics	2026-04-14 23:23:48 +00:00
Flea Flicker	1cce354413	fix(GRO-622): security hardening for auth, authorization, and token handling - Remove placeholder secret fallback in AUTH_DISABLED mode (auth.ts) - Make auth-provider setup atomic via DB transaction (setup.ts) - Fix confirmation token replay with atomic UPDATE...WHERE (book.ts) - Add strict CORS origin allowlist validation (index.ts) - Validate OIDC discovery URL hostname matches issuer (auth.ts) - Use timingSafeEqual for iCal token comparison (calendar.ts) - Add in-memory rate limiting to setup endpoints (setup.ts) - Keep RBAC error message correct (rbac.ts - already correct in main) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 23:23:48 +00:00