MFA-enforcement ontbrak in route-handlers (alleen requireRole/assertCanWrite was MFA-aware) #98

New issue

Closed

opened 2026-05-26 18:23:32 +00:00 by jesse-a · 1 comment

jesse-a commented 2026-05-26 18:23:32 +00:00

Owner

Copy link

Severity: HIGH

Mijn ronde-1 MFA-fix updateerde requireRole() en assertCanWrite() in src/lib/auth.ts om server-side TOTP af te dwingen. Maar veel route-handlers (app/api/**/route.ts en app/(app)/**/route.ts) doen direct getSession() zonder session.totpEnabled-check. Een ingelogde manager/admin zonder afgeronde TOTP-setup kon dus via directe API-calls toch acties uitvoeren.

Concrete kwetsbare routes:

• api/search/route.ts
• api/ai/{customer-summary,quote-draft,ocr-expense}/route.ts
• api/kvk/search/route.ts
• api/travel/quote/route.ts
• api/attachments/[id]/route.ts
• api/wordpress/[id]/stats-report/route.ts
• (app)/data/{export,ubl}/route.ts
• (app)/expenses/{export,[id]/receipt}/route.ts
• (app)/boekhouding/externe-facturen/[id]/file/route.ts
• (app)/{invoices,quotes,contracts}/[id]/{pdf,file}/route.ts

Fix: nieuwe helper requireApiSession({minRole?}) in src/lib/auth.ts voor route-handlers. Doet session + role + MFA-check, retourneert NextResponse-error i.p.v. te redirecten. 16 routes overgezet. Elke route kreeg een passende rol-eis: MANAGER voor write/AI, ADMIN voor bulk-exports, any-met-MFA voor read-only PDF/file-downloads.

Files: src/lib/auth.ts + 16 route-files

**Severity: HIGH** Mijn ronde-1 MFA-fix updateerde `requireRole()` en `assertCanWrite()` in `src/lib/auth.ts` om server-side TOTP af te dwingen. Maar veel route-handlers (`app/api/**/route.ts` en `app/(app)/**/route.ts`) doen direct `getSession()` zonder `session.totpEnabled`-check. Een ingelogde manager/admin zonder afgeronde TOTP-setup kon dus via directe API-calls toch acties uitvoeren. Concrete kwetsbare routes: - `api/search/route.ts` - `api/ai/{customer-summary,quote-draft,ocr-expense}/route.ts` - `api/kvk/search/route.ts` - `api/travel/quote/route.ts` - `api/attachments/[id]/route.ts` - `api/wordpress/[id]/stats-report/route.ts` - `(app)/data/{export,ubl}/route.ts` - `(app)/expenses/{export,[id]/receipt}/route.ts` - `(app)/boekhouding/externe-facturen/[id]/file/route.ts` - `(app)/{invoices,quotes,contracts}/[id]/{pdf,file}/route.ts` **Fix**: nieuwe helper `requireApiSession({minRole?})` in `src/lib/auth.ts` voor route-handlers. Doet session + role + MFA-check, retourneert NextResponse-error i.p.v. te redirecten. 16 routes overgezet. Elke route kreeg een passende rol-eis: MANAGER voor write/AI, ADMIN voor bulk-exports, any-met-MFA voor read-only PDF/file-downloads. **Files**: src/lib/auth.ts + 16 route-files

jesse-a added the

fixed

security

severity-high

labels 2026-05-26 18:23:32 +00:00

jesse-a commented 2026-05-26 18:23:32 +00:00

Author

Owner

Copy link

Opgelost in commit 8e18add.

Opgelost in commit 8e18add.

jesse-a closed this issue 2026-05-26 18:23:32 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v1.0.0

v0.11

v0.10

v0.9

v0.8

v0.7

v0.6

v0.5

Labels

Clear labels   

deferred

Known issue, deferred

  

fixed

Resolved

  

security

Security review finding

  

severity-high

High severity

  

severity-low

Low severity

  

severity-medium

Medium severity

No labels

deferred

fixed

security

severity-high

severity-low

severity-medium

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

jesse-a/OpenCRM#98

No description provided.