v0.12 — Sessies + TOTP volledig hardened (8 sub-fixes) #106

New issue

Closed

opened 2026-05-26 18:23:39 +00:00 by jesse-a · 1 comment

jesse-a commented 2026-05-26 18:23:39 +00:00

Owner

Copy link

Severity: HIGH (v0.12 — pentest-rapport)

Cluster van 8 sessie/2FA-bevindingen uit het pentest-rapport v0.12, allen opgelost in commit aa68ac1:

1. Sessie DB-revalidatie — getSession() doet per-request lookup op User.active/role/sessionVersion. Role-change/deactivatie/wachtwoord-wijziging werkt nu meteen door op alle bestaande cookies.
2. TOTP-secret encrypted at-rest — AES-256-GCM, HKDF-SHA256-key uit AUTH_SECRET.
3. Recovery-codes bcrypt-gehashed (cost 12) + atomic-consume via updateMany-guard.
4. TOTP replay-prevention — nieuwe kolom User.lastTotpStep voorkomt hergebruik binnen 30s-step.
5. Step-up authenticatie — disableTotp, startTotpEnrollment, e-mail-wijziging eisen huidig wachtwoord.
6. bcrypt cost 10 → 12; wachtwoord-minimum 8 → 12 chars.
7. AUTH_SECRET minimum 16 → 32 chars (vereiste voor HKDF-SHA256).
8. JWT-verifier pint expliciet algorithms: ["HS256"] + typ: "JWT" (anti-algorithm-confusion).

**Severity: HIGH** (v0.12 — pentest-rapport) Cluster van 8 sessie/2FA-bevindingen uit het pentest-rapport v0.12, allen opgelost in commit aa68ac1: 1. **Sessie DB-revalidatie** — `getSession()` doet per-request lookup op `User.active`/`role`/`sessionVersion`. Role-change/deactivatie/wachtwoord-wijziging werkt nu meteen door op alle bestaande cookies. 2. **TOTP-secret encrypted at-rest** — AES-256-GCM, HKDF-SHA256-key uit `AUTH_SECRET`. 3. **Recovery-codes bcrypt-gehashed** (cost 12) + atomic-consume via `updateMany`-guard. 4. **TOTP replay-prevention** — nieuwe kolom `User.lastTotpStep` voorkomt hergebruik binnen 30s-step. 5. **Step-up authenticatie** — `disableTotp`, `startTotpEnrollment`, e-mail-wijziging eisen huidig wachtwoord. 6. **bcrypt cost** 10 → 12; **wachtwoord-minimum** 8 → 12 chars. 7. **AUTH_SECRET** minimum 16 → 32 chars (vereiste voor HKDF-SHA256). 8. **JWT-verifier** pint expliciet `algorithms: ["HS256"]` + `typ: "JWT"` (anti-algorithm-confusion).

jesse-a added the

fixed

security

severity-high

labels 2026-05-26 18:23:39 +00:00

jesse-a commented 2026-05-26 18:23:40 +00:00

Author

Owner

Copy link

Opgelost in commit aa68ac1.

Opgelost in commit aa68ac1.

jesse-a closed this issue 2026-05-26 18:23:40 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v1.0.0

v0.11

v0.10

v0.9

v0.8

v0.7

v0.6

v0.5

Labels

Clear labels   

deferred

Known issue, deferred

  

fixed

Resolved

  

security

Security review finding

  

severity-high

High severity

  

severity-low

Low severity

  

severity-medium

Medium severity

No labels

deferred

fixed

security

severity-high

severity-low

severity-medium

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

jesse-a/OpenCRM#106

No description provided.