torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): implement Android refresh token handling and session management
Some checks failed
Code Analysis and Production Deploy / analyze (push) Failing after 5m7s
Details
Code Analysis and Production Deploy / deploy-production (push) Has been skipped
Details
Code Analysis and Production Deploy / deploy-test (push) Has been skipped
Details

Browse Source 
- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints.
- Implemented new tests for login, logout, and refresh functionalities specific to Android clients.
- Enhanced password reset logging with normalization and masking of email addresses.
- Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs.
- Introduced a new utility for managing password reset logs with retention policies.
- Added tests for password reset log utilities to ensure proper functionality and privacy compliance.
- Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.
This commit is contained in:
Torsten Schulz (local)
2026-05-27 19:34:32 +02:00
parent 755442fb70
commit 58fd7fa5c6
32 changed files with 1477 additions and 180 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
server/api/auth/login.post.js
View File

@@ -1,4 +1,4 @@
import { readUsers, writeUsers, verifyPassword, generateToken, createSession, migrateUserRoles } from '../../utils/auth.js'
import { readUsers, writeUsers, verifyPassword, generateToken, generateAndroidAccessToken, createSession, createRefreshSession, migrateUserRoles } from '../../utils/auth.js'
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
import { getAuthCookieOptions } from '../../utils/cookies.js'
import { writeAuditLog } from '../../utils/audit-log.js'
@@ -7,6 +7,7 @@ export default defineEventHandler(async (event) => {
try {
const body = await readBody(event)
const { email, password } = body
const isAndroidClient = body.client === 'android'
if (!email || !password) {
throw createError({
@@ -72,11 +73,15 @@ export default defineEventHandler(async (event) => {
registerRateLimitSuccess(event, { name: 'auth:login:ip', keyParts: [ip] })
registerRateLimitSuccess(event, { name: 'auth:login:account', keyParts: [emailKey] })
// Generate token
const token = generateToken(user)
// Create session
await createSession(user.id, token)
let token
let refreshSession = null
if (isAndroidClient) {
refreshSession = await createRefreshSession(user.id, body.deviceName)
token = generateAndroidAccessToken(user, refreshSession.session.id)
} else {
token = generateToken(user)
await createSession(user.id, token)
}
await writeAuditLog('auth.login.success', { ip, email: emailKey, userId: user.id })
@@ -85,10 +90,13 @@ export default defineEventHandler(async (event) => {
const updatedUsers = users.map(u => u.id === user.id ? user : u)
await writeUsers(updatedUsers)
// Set cookie
setCookie(event, 'auth_token', token, {
...getAuthCookieOptions()
})
if (isAndroidClient) {
deleteCookie(event, 'auth_token')
} else {
setCookie(event, 'auth_token', token, {
...getAuthCookieOptions()
})
}
// Migriere Rollen falls nötig
const migratedUser = migrateUserRoles({ ...user })
@@ -98,6 +106,9 @@ export default defineEventHandler(async (event) => {
return {
success: true,
token: token, // Token auch im Body für externe API-Clients
accessToken: isAndroidClient ? token : undefined,
refreshToken: refreshSession?.refreshToken,
sessionId: refreshSession?.session.id,
user: {
id: user.id,
email: user.email,
@@ -112,4 +123,3 @@ export default defineEventHandler(async (event) => {
throw error
}
})

7
server/api/auth/logout.post.js
View File

@@ -1,12 +1,17 @@
import { deleteSession } from '../../utils/auth.js'
import { deleteSession, revokeRefreshSession } from '../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace(/^Bearer\s+/i, '')
const body = await readBody(event)
const refreshToken = body?.refreshToken
if (token) {
await deleteSession(token)
}
if (refreshToken) {
await revokeRefreshSession(refreshToken)
}
// Delete cookie
deleteCookie(event, 'auth_token')

25
server/api/auth/passkeys/login.post.js
View File

@@ -65,7 +65,7 @@ export default defineEventHandler(async (event) => {
})
}
const { origin, rpId, requireUV } = getWebAuthnConfig()
const { origins, rpId, requireUV } = getWebAuthnConfig()
const authenticator = {
credentialID: fromBase64Url(passkey.credentialId),
@@ -74,14 +74,20 @@ export default defineEventHandler(async (event) => {
transports: passkey.transports || undefined
}
const verification = await verifyAuthenticationResponse({
response,
expectedChallenge: challenge,
expectedOrigin: origin,
expectedRPID: rpId,
authenticator,
requireUserVerification: requireUV
})
let verification
try {
verification = await verifyAuthenticationResponse({
response,
expectedChallenge: challenge,
expectedOrigin: origins,
expectedRPID: rpId,
authenticator,
requireUserVerification: requireUV
})
} catch {
await writeAuditLog('auth.passkey.login.failed', { ip, userId: user.id, reason: 'verification_error' })
throw createError({ statusCode: 401, statusMessage: 'Passkey-Login fehlgeschlagen' })
}
if (!verification.verified) {
await writeAuditLog('auth.passkey.login.failed', { ip, userId: user.id, reason: 'verification_failed' })
@@ -118,4 +124,3 @@ export default defineEventHandler(async (event) => {
}
})

23
server/api/auth/passkeys/recovery/complete.post.js
View File

@@ -62,15 +62,21 @@ export default defineEventHandler(async (event) => {
throw createError({ statusCode: 400, statusMessage: 'Ungültiger oder abgelaufener Token' })
}
const { origin, rpId, requireUV } = getWebAuthnConfig()
const { origins, rpId, requireUV } = getWebAuthnConfig()
const verification = await verifyRegistrationResponse({
response,
expectedChallenge: challenge,
expectedOrigin: origin,
expectedRPID: rpId,
requireUserVerification: requireUV
})
let verification
try {
verification = await verifyRegistrationResponse({
response,
expectedChallenge: challenge,
expectedOrigin: origins,
expectedRPID: rpId,
requireUserVerification: requireUV
})
} catch {
await writeAuditLog('auth.passkey.recovery.complete.failed', { ip, reason: 'verification_error', userId })
throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
}
const { verified, registrationInfo } = verification
if (!verified || !registrationInfo) {
@@ -117,4 +123,3 @@ export default defineEventHandler(async (event) => {
await writeAuditLog('auth.passkey.recovery.complete.success', { ip, userId: user.id })
return { success: true, message: 'Passkey hinzugefügt. Sie können sich jetzt mit dem neuen Passkey anmelden.' }
})

8
server/api/auth/passkeys/register.post.js
View File

@@ -37,17 +37,20 @@ export default defineEventHandler(async (event) => {
throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
}
const { origin, rpId, requireUV } = getWebAuthnConfig()
const { origins, rpId, requireUV } = getWebAuthnConfig()
let verification
try {
verification = await verifyRegistrationResponse({
response,
expectedChallenge,
expectedOrigin: origin,
expectedOrigin: origins,
expectedRPID: rpId,
requireUserVerification: requireUV
})
} catch {
await writeAuditLog('auth.passkey.registration.failed', { userId: user.id, reason: 'verification_error' })
throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
} finally {
clearRegistrationChallenge(user.id)
}
@@ -103,4 +106,3 @@ export default defineEventHandler(async (event) => {
return { success: true, message: 'Passkey hinzugefügt.' }
})

47
server/api/auth/refresh.post.js Normal file
View File

@@ -0,0 +1,47 @@
import { generateAndroidAccessToken, getUserById, revokeRefreshSession, rotateRefreshSession } from '../../utils/auth.js'
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
import { writeAuditLog } from '../../utils/audit-log.js'
export default defineEventHandler(async (event) => {
const ip = getClientIp(event)
const body = await readBody(event)
const refreshToken = body?.refreshToken
if (!refreshToken) {
throw createError({ statusCode: 400, message: 'Refresh-Token fehlt' })
}
assertRateLimit(event, {
name: 'auth:refresh:ip',
keyParts: [ip],
windowMs: 10 * 60 * 1000,
maxAttempts: 60,
lockoutMs: 15 * 60 * 1000
})
const rotated = await rotateRefreshSession(refreshToken)
if (rotated.status !== 'rotated') {
await registerRateLimitFailure(event, { name: 'auth:refresh:ip', keyParts: [ip], delayBaseMs: 100 })
await writeAuditLog('auth.refresh.failed', { ip, reason: rotated.status })
throw createError({ statusCode: 401, message: 'Sitzung ist nicht mehr gültig' })
}
const user = await getUserById(rotated.session.userId)
if (!user || user.active === false) {
await revokeRefreshSession(rotated.refreshToken, 'inactive_or_missing_user')
await writeAuditLog('auth.refresh.failed', { ip, userId: rotated.session.userId, reason: 'inactive_or_missing_user' })
throw createError({ statusCode: 401, message: 'Sitzung ist nicht mehr gültig' })
}
const accessToken = generateAndroidAccessToken(user, rotated.session.id)
registerRateLimitSuccess(event, { name: 'auth:refresh:ip', keyParts: [ip] })
await writeAuditLog('auth.refresh.success', { ip, userId: user.id, sessionId: rotated.session.id })
return {
success: true,
token: accessToken,
accessToken,
refreshToken: rotated.refreshToken,
sessionId: rotated.session.id
}
})

18
server/api/auth/register-passkey.post.js
View File

@@ -96,7 +96,7 @@ export default defineEventHandler(async (event) => {
throw createError({ statusCode: 409, message: 'Ein Benutzer mit dieser E-Mail-Adresse existiert bereits' })
}
const { origin, rpId, requireUV } = getWebAuthnConfig()
const { origin, origins, rpId, requireUV } = getWebAuthnConfig()
// Debug: Prüfe die tatsächliche Origin aus der Response
const clientData = response?.response?.clientDataJSON
@@ -117,13 +117,11 @@ export default defineEventHandler(async (event) => {
}
console.log('[DEBUG] WebAuthn config for verification', {
expectedOrigin: origin,
expectedOriginType: typeof origin,
expectedOriginLength: origin?.length,
expectedOrigins: origins,
actualOriginFromResponse: actualOrigin,
rpId,
requireUV,
originMatch: origin === actualOrigin,
originMatch: origins.includes(actualOrigin),
webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL
})
@@ -140,7 +138,7 @@ export default defineEventHandler(async (event) => {
console.log('[DEBUG] Verifying registration response...')
console.log('[DEBUG] Verification parameters', {
expectedOrigin: origin,
expectedOrigins: origins,
expectedRPID: rpId,
hasChallenge: !!challenge,
challengeLength: challenge?.length,
@@ -155,7 +153,7 @@ export default defineEventHandler(async (event) => {
verification = await verifyRegistrationResponse({
response,
expectedChallenge: challenge,
expectedOrigin: origin,
expectedOrigin: origins,
expectedRPID: rpId,
requireUserVerification: requireUV
})
@@ -165,11 +163,12 @@ export default defineEventHandler(async (event) => {
error: verifyError,
message: verifyError?.message,
cause: verifyError?.cause?.message,
expectedOrigin: origin,
expectedOrigins: origins,
actualOriginFromResponse: actualOrigin,
stack: verifyError?.stack
})
throw verifyError
await writeAuditLog('auth.passkey.prereg.failed', { email, reason: 'verification_error' })
throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
}
const verifyDuration = Date.now() - verifyStart
@@ -308,4 +307,3 @@ export default defineEventHandler(async (event) => {
message: 'Registrierung erfolgreich. Sie erhalten eine E-Mail, sobald Ihr Zugang freigeschaltet wurde.'
}
})

129
server/api/auth/reset-password.post.js
View File

@@ -1,77 +1,102 @@
import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
import { readUsers, hashPassword, writeUsers, revokeRefreshSessionsForUser } from '../../utils/auth.js'
import nodemailer from 'nodemailer'
import crypto from 'crypto'
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
import { writeAuditLog } from '../../utils/audit-log.js'
import { maskResetEmail, normalizeResetEmail, writePasswordResetLog } from '../../utils/password-reset-log.js'
export default defineEventHandler(async (event) => {
const requestId = crypto.randomUUID()
let emailKey = ''
let ip = ''
const logStep = async (step, status, detail = {}) => {
try {
await writePasswordResetLog({ requestId, email: emailKey, ip, step, status, ...detail })
} catch (logError) {
console.error('Password-Reset-Diagnoselog-Fehler:', logError)
}
}
try {
const body = await readBody(event)
const { email } = body
if (!email) {
emailKey = normalizeResetEmail(email)
ip = getClientIp(event)
await logStep('request_received', 'started')
if (!emailKey) {
await logStep('request_validation', 'failed', { reason: 'email_missing' })
throw createError({
statusCode: 400,
message: 'E-Mail-Adresse ist erforderlich'
})
}
const ip = getClientIp(event)
const emailKey = String(email || '').trim().toLowerCase()
// Rate Limiting (IP + Account)
assertRateLimit(event, {
name: 'auth:reset:ip',
keyParts: [ip],
windowMs: 60 * 60 * 1000,
maxAttempts: 20,
lockoutMs: 30 * 60 * 1000
})
assertRateLimit(event, {
name: 'auth:reset:account',
keyParts: [emailKey],
windowMs: 60 * 60 * 1000,
maxAttempts: 5,
lockoutMs: 60 * 60 * 1000
})
await logStep('rate_limit', 'checking')
try {
assertRateLimit(event, {
name: 'auth:reset:ip',
keyParts: [ip],
windowMs: 60 * 60 * 1000,
maxAttempts: 20,
lockoutMs: 30 * 60 * 1000
})
assertRateLimit(event, {
name: 'auth:reset:account',
keyParts: [emailKey],
windowMs: 60 * 60 * 1000,
maxAttempts: 5,
lockoutMs: 60 * 60 * 1000
})
} catch (error) {
await logStep('rate_limit', 'failed', { error })
throw error
}
await logStep('rate_limit', 'passed')
// Find user
const users = await readUsers()
const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
let users
try {
users = await readUsers()
} catch (error) {
await logStep('user_lookup', 'failed', { error })
throw error
}
const user = users.find(u => normalizeResetEmail(u.email) === emailKey)
// Always return success (security: don't reveal if email exists)
if (!user) {
await logStep('user_lookup', 'not_found')
await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
await registerRateLimitFailure(event, { name: 'auth:reset:account', keyParts: [emailKey] })
await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: false })
await writeAuditLog('auth.reset.request', { ip, emailMasked: maskResetEmail(emailKey), userFound: false, requestId })
await logStep('request_completed', 'no_account')
return {
success: true,
message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
}
}
await logStep('user_lookup', 'found', { userId: user.id })
// Generate temporary password
const tempPassword = crypto.randomBytes(8).toString('hex')
const hashedPassword = await hashPassword(tempPassword)
// Update user password
user.password = hashedPassword
user.passwordResetRequired = true
const updatedUsers = users.map(u => u.id === user.id ? user : u)
await writeUsers(updatedUsers)
registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: true, userId: user.id })
await logStep('temporary_password', 'generated', { userId: user.id })
// Send email with temporary password
const smtpUser = process.env.SMTP_USER
const smtpPass = process.env.SMTP_PASS
if (!smtpUser || !smtpPass) {
await logStep('mail_configuration', 'failed', { userId: user.id, reason: 'smtp_credentials_missing' })
console.warn('SMTP-Credentials fehlen! E-Mail-Versand wird übersprungen.')
console.warn(`SMTP_USER=${smtpUser ? 'gesetzt' : 'FEHLT'}, SMTP_PASS=${smtpPass ? 'gesetzt' : 'FEHLT'}`)
// Continue without sending email - security: don't reveal if email exists
throw new Error('SMTP-Konfiguration fuer Passwort-Reset fehlt')
} else {
await logStep('mail_configuration', 'passed', { userId: user.id })
const transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST || 'smtp.gmail.com',
port: process.env.SMTP_PORT || 587,
@@ -99,15 +124,50 @@ export default defineEventHandler(async (event) => {
`
}
await transporter.sendMail(mailOptions)
await logStep('mail_send', 'started', { userId: user.id })
try {
await transporter.sendMail(mailOptions)
} catch (error) {
await logStep('mail_send', 'failed', { userId: user.id, error })
throw error
}
await logStep('mail_send', 'completed', { userId: user.id })
}
// Erst nach erfolgreichem Versand das zugesandte Passwort aktivieren.
user.password = hashedPassword
user.passwordResetRequired = true
const updatedUsers = users.map(u => u.id === user.id ? user : u)
let passwordStored = false
try {
passwordStored = await writeUsers(updatedUsers)
} catch (error) {
await logStep('password_storage', 'failed', { userId: user.id, error })
throw error
}
if (!passwordStored) {
await logStep('password_storage', 'failed', { userId: user.id, reason: 'write_failed' })
throw new Error('Passwort konnte nach E-Mail-Versand nicht gespeichert werden')
}
await logStep('password_storage', 'completed', { userId: user.id })
try {
await revokeRefreshSessionsForUser(user.id, 'password_reset')
} catch (error) {
await logStep('session_revocation', 'failed', { userId: user.id, error })
throw error
}
await logStep('session_revocation', 'completed', { userId: user.id })
registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
await writeAuditLog('auth.reset.request', { ip, emailMasked: maskResetEmail(emailKey), userFound: true, userId: user.id, requestId })
await logStep('request_completed', 'success', { userId: user.id })
return {
success: true,
message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
}
} catch (error) {
console.error('Password-Reset-Fehler:', error)
await logStep('request_completed', 'failed', { error })
console.error('Password-Reset-Fehler:', { requestId, code: error?.code || error?.name || 'Error' })
// Don't reveal errors to prevent email enumeration
return {
success: true,
@@ -115,4 +175,3 @@ export default defineEventHandler(async (event) => {
}
}
})

94
server/api/cms/password-reset-diagnostics.get.js Normal file
View File

@@ -0,0 +1,94 @@
import { getUserFromToken, hasRole, readUsers } from '../../utils/auth.js'
import {
fingerprintResetEmail,
normalizeResetEmail,
PASSWORD_RESET_LOG_RETENTION_HOURS,
readPasswordResetLogs
} from '../../utils/password-reset-log.js'
function summarizeAttempts(entries) {
const attemptsById = new Map()
for (const entry of [...entries].reverse()) {
const attempt = attemptsById.get(entry.requestId) || {
requestId: entry.requestId,
startedAt: entry.ts,
emailMasked: entry.emailMasked,
ip: entry.ip,
userId: entry.userId || null,
steps: [],
failed: false
}
attempt.startedAt = attempt.startedAt || entry.ts
attempt.userId = attempt.userId || entry.userId || null
attempt.steps.push({
ts: entry.ts,
step: entry.step,
status: entry.status,
reason: entry.reason || null,
errorCode: entry.errorCode || entry.error || null,
errorMessage: entry.errorMessage || null
})
if (
entry.status === 'failed' ||
entry.status === 'not_found' ||
entry.status === 'no_account' ||
entry.reason === 'smtp_credentials_missing'
) {
attempt.failed = true
}
attemptsById.set(entry.requestId, attempt)
}
return [...attemptsById.values()]
.sort((a, b) => String(b.startedAt).localeCompare(String(a.startedAt)))
}
export default defineEventHandler(async (event) => {
const token = getCookie(event, 'auth_token')
const currentUser = token ? await getUserFromToken(token) : null
if (!currentUser || !hasRole(currentUser, 'admin')) {
throw createError({ statusCode: 403, message: 'Zugriff verweigert' })
}
const query = getQuery(event)
const email = normalizeResetEmail(query.email)
const failedOnly = query.failedOnly !== 'false'
const users = await readUsers()
const logs = await readPasswordResetLogs()
const filteredLogs = email
? logs.filter(entry => entry.emailFingerprint === fingerprintResetEmail(email))
: logs
const attempts = summarizeAttempts(filteredLogs)
.filter(attempt => !failedOnly || attempt.failed)
let matchingUsers = []
if (email) {
const term = email.toLowerCase()
matchingUsers = users
.filter(user => {
const userEmail = normalizeResetEmail(user.email)
const name = String(user.name || '').toLowerCase()
return userEmail.includes(term) || name.includes(term)
})
.slice(0, 20)
.map(user => ({
id: user.id,
name: user.name,
email: user.email,
active: user.active !== false,
lastLogin: user.lastLogin || null
}))
}
return {
retentionHours: PASSWORD_RESET_LOG_RETENTION_HOURS,
searchedEmail: email,
matchingUsers,
attempts
}
})

4
server/api/cms/users/deactivate.post.js
View File

@@ -1,4 +1,4 @@
import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
import { getUserFromToken, readUsers, writeUsers, hasAnyRole, revokeRefreshSessionsForUser } from '../../../utils/auth.js'
import { writeAuditLog } from '../../../utils/audit-log.js'
export default defineEventHandler(async (event) => {
@@ -36,6 +36,7 @@ export default defineEventHandler(async (event) => {
user.active = false
const updatedUsers = users.map(u => u.id === userId ? user : u)
await writeUsers(updatedUsers)
await revokeRefreshSessionsForUser(userId, 'account_deactivated')
await writeAuditLog('cms.user.deactivated', {
actorUserId: currentUser.id,
@@ -51,4 +52,3 @@ export default defineEventHandler(async (event) => {
throw error
}
})

8
server/api/profile.put.js
View File

@@ -1,4 +1,4 @@
import { verifyToken, readUsers, writeUsers, verifyPassword, hashPassword, migrateUserRoles } from '../utils/auth.js'
import { verifyToken, readUsers, writeUsers, verifyPassword, hashPassword, migrateUserRoles, revokeRefreshSessionsForUser } from '../utils/auth.js'
import { assertPasswordNotPwned } from '../utils/hibp.js'
export default defineEventHandler(async (event) => {
@@ -42,6 +42,7 @@ export default defineEventHandler(async (event) => {
}
const user = users[userIndex]
let passwordChanged = false
// Check if email is already taken by another user
if (email !== user.email) {
@@ -91,9 +92,13 @@ export default defineEventHandler(async (event) => {
await assertPasswordNotPwned(newPassword)
user.password = await hashPassword(newPassword)
passwordChanged = true
}
await writeUsers(users)
if (passwordChanged) {
await revokeRefreshSessionsForUser(user.id, 'password_changed')
}
const migratedUser = migrateUserRoles({ ...user })
const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
@@ -117,4 +122,3 @@ export default defineEventHandler(async (event) => {
throw error
}
})

30
server/plugins/spielplan-import-scheduler.js
View File

@@ -2,6 +2,7 @@ import { importSpielplan } from '../utils/spielplan-import.js'
import { importLeagueTables } from '../utils/spielklassen-tables-import.js'
import { publishImportedSpielplan } from '../utils/spielplan-publish.js'
import { info as loggerInfo, error as loggerError } from '../utils/logger.js'
import { cleanupPasswordResetLogs } from '../utils/password-reset-log.js'
const TIME_ZONE = 'Europe/Berlin'
const RUN_HOUR = 7
@@ -65,11 +66,22 @@ function nextRunAt(now = new Date()) {
return candidate
}
async function runImport(reason) {
async function runDailyJobs(reason, skipSpielplanImport = false) {
if (running) return
running = true
try {
try {
const cleanup = await cleanupPasswordResetLogs()
loggerInfo(`[password-reset-log] ${reason}: Bereinigung abgeschlossen`, cleanup)
} catch (error) {
loggerError('[password-reset-log] Bereinigung fehlgeschlagen:', { error })
}
if (skipSpielplanImport) {
return
}
const spielplan = await importSpielplan()
loggerInfo(`[spielplan-import] ${reason}: ${spielplan.matchCount} Spiele importiert`, { range: `${spielplan.source.season.dateStart} - ${spielplan.source.season.dateEnd}` })
@@ -96,13 +108,13 @@ async function runImport(reason) {
}
}
function scheduleNext() {
function scheduleNext(skipSpielplanImport = false) {
const runAt = nextRunAt()
const delay = Math.min(Math.max(runAt.getTime() - Date.now(), 1_000), MAX_TIMEOUT)
timer = setTimeout(async () => {
await runImport('taeglicher Lauf')
scheduleNext()
await runDailyJobs('taeglicher Lauf', skipSpielplanImport)
scheduleNext(skipSpielplanImport)
}, delay)
timer.unref?.()
@@ -110,15 +122,15 @@ function scheduleNext() {
}
export default defineNitroPlugin((nitroApp) => {
if (process.env.SPIELPLAN_IMPORT_DISABLED === 'true') {
loggerInfo('[spielplan-import] Scheduler deaktiviert')
return
const skipSpielplanImport = process.env.SPIELPLAN_IMPORT_DISABLED === 'true'
if (skipSpielplanImport) {
loggerInfo('[spielplan-import] Import deaktiviert; Passwort-Reset-Log-Bereinigung bleibt aktiv')
}
scheduleNext()
scheduleNext(skipSpielplanImport)
if (process.env.SPIELPLAN_IMPORT_RUN_ON_START === 'true') {
runImport('Startlauf')
runDailyJobs('Startlauf', skipSpielplanImport)
}
nitroApp.hooks.hookOnce('close', () => {

169
server/utils/auth.js
View File

@@ -1,5 +1,6 @@
import bcrypt from 'bcryptjs'
import jwt from 'jsonwebtoken'
import crypto from 'crypto'
import { promises as fs } from 'fs'
import path from 'path'
import { encryptObject, decryptObject } from './encryption.js'
@@ -46,6 +47,10 @@ const getDataPath = (filename) => {
const USERS_FILE = getDataPath('users.json')
const SESSIONS_FILE = getDataPath('sessions.json')
const ANDROID_ACCESS_TOKEN_TTL = '15m'
const REFRESH_SESSION_TTL_MS = 90 * 24 * 60 * 60 * 1000
const refreshMutationState = globalThis.__HTC_REFRESH_MUTATION_STATE__ || { tail: Promise.resolve() }
globalThis.__HTC_REFRESH_MUTATION_STATE__ = refreshMutationState
// Get encryption key from environment
function getEncryptionKey() {
@@ -146,7 +151,7 @@ export async function readUsers() {
try {
users = JSON.parse(data)
console.warn('Entschlüsselung fehlgeschlagen, versuche als unverschlüsseltes Format zu lesen')
} catch (_parseError) {
} catch {
console.error('Konnte Benutzerdaten weder entschlüsseln noch als JSON lesen')
return []
}
@@ -210,7 +215,7 @@ function isSessionsEncrypted(data) {
return false
}
return false
} catch (e) {
} catch {
return true
}
}
@@ -231,7 +236,7 @@ export async function readSessions() {
const plainData = JSON.parse(data)
console.warn('Entschlüsselung fehlgeschlagen, versuche als unverschlüsseltes Format zu lesen')
return plainData
} catch (_parseError) {
} catch {
console.error('Konnte Sessions weder entschlüsseln noch als JSON lesen')
return []
}
@@ -277,27 +282,36 @@ export async function verifyPassword(password, hash) {
}
// Generate JWT token
export function generateToken(user) {
export function generateToken(user, { expiresIn = '7d', sessionId = null } = {}) {
// Stelle sicher, dass Rollen migriert sind
const migratedUser = migrateUserRoles({ ...user })
const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
const claims = {
id: user.id,
email: user.email,
roles: roles
}
if (sessionId) {
claims.sid = sessionId
}
return jwt.sign(
{
id: user.id,
email: user.email,
roles: roles
},
claims,
JWT_SECRET,
{ expiresIn: '7d' }
{ expiresIn }
)
}
export function generateAndroidAccessToken(user, sessionId) {
return generateToken(user, { expiresIn: ANDROID_ACCESS_TOKEN_TTL, sessionId })
}
// Verify JWT token
export function verifyToken(token) {
try {
return jwt.verify(token, JWT_SECRET)
} catch (_error) {
} catch {
return null
}
}
@@ -343,6 +357,14 @@ export async function getUserFromToken(token) {
const decoded = verifyToken(token)
if (!decoded) return null
if (decoded.sid) {
const sessions = await readSessions()
const session = sessions.find(s => s.id === decoded.sid && s.userId === decoded.id)
if (!session || session.revokedAt || new Date(session.expiresAt).getTime() <= Date.now()) {
return null
}
}
const users = await readUsers()
const user = users.find(u => u.id === decoded.id)
@@ -376,6 +398,130 @@ export async function deleteSession(token) {
await writeSessions(filtered)
}
function hashRefreshToken(token) {
return crypto.createHash('sha256').update(String(token), 'utf8').digest('hex')
}
function issueRefreshToken() {
return crypto.randomBytes(48).toString('base64url')
}
function serializeRefreshMutation(operation) {
const result = refreshMutationState.tail.then(operation, operation)
refreshMutationState.tail = result.then(() => undefined, () => undefined)
return result
}
export async function createRefreshSession(userId, deviceName = 'Android') {
return serializeRefreshMutation(async () => {
const sessions = await readSessions()
const refreshToken = issueRefreshToken()
const createdAt = new Date().toISOString()
const session = {
id: crypto.randomUUID(),
familyId: crypto.randomUUID(),
type: 'android_refresh',
userId,
deviceName: String(deviceName || 'Android').slice(0, 100),
refreshTokenHash: hashRefreshToken(refreshToken),
createdAt,
lastUsedAt: createdAt,
expiresAt: new Date(Date.now() + REFRESH_SESSION_TTL_MS).toISOString(),
revokedAt: null
}
sessions.push(session)
await writeSessions(sessions)
return { session, refreshToken }
})
}
export async function rotateRefreshSession(refreshToken) {
return serializeRefreshMutation(async () => {
const sessions = await readSessions()
const tokenHash = hashRefreshToken(refreshToken)
const session = sessions.find(s => s.type === 'android_refresh' && s.refreshTokenHash === tokenHash)
const now = new Date()
const nowIso = now.toISOString()
if (!session) return { status: 'invalid' }
if (session.revokedAt) {
if (session.rotatedAt) {
for (const related of sessions) {
if (related.familyId === session.familyId && !related.revokedAt) {
related.revokedAt = nowIso
related.revokeReason = 'refresh_token_reuse'
}
}
await writeSessions(sessions)
return { status: 'reused', session }
}
return { status: 'revoked', session }
}
if (new Date(session.expiresAt).getTime() <= now.getTime()) {
session.revokedAt = nowIso
session.revokeReason = 'expired'
await writeSessions(sessions)
return { status: 'expired', session }
}
const nextRefreshToken = issueRefreshToken()
const nextSession = {
...session,
id: crypto.randomUUID(),
refreshTokenHash: hashRefreshToken(nextRefreshToken),
createdAt: nowIso,
lastUsedAt: nowIso,
expiresAt: new Date(Date.now() + REFRESH_SESSION_TTL_MS).toISOString(),
revokedAt: null
}
session.lastUsedAt = nowIso
session.revokedAt = nowIso
session.rotatedAt = nowIso
session.replacedBy = nextSession.id
session.revokeReason = 'rotated'
sessions.push(nextSession)
await writeSessions(sessions)
return { status: 'rotated', session: nextSession, refreshToken: nextRefreshToken }
})
}
export async function revokeRefreshSession(refreshToken, reason = 'logout') {
return serializeRefreshMutation(async () => {
const sessions = await readSessions()
const tokenHash = hashRefreshToken(refreshToken)
const session = sessions.find(s => s.type === 'android_refresh' && s.refreshTokenHash === tokenHash)
if (!session) return false
const revokedAt = new Date().toISOString()
for (const related of sessions) {
if (related.familyId === session.familyId && !related.revokedAt) {
related.revokedAt = revokedAt
related.revokeReason = reason
}
}
await writeSessions(sessions)
return true
})
}
export async function revokeRefreshSessionsForUser(userId, reason) {
return serializeRefreshMutation(async () => {
const sessions = await readSessions()
const revokedAt = new Date().toISOString()
let changed = false
for (const session of sessions) {
if (session.type === 'android_refresh' && session.userId === userId && !session.revokedAt) {
session.revokedAt = revokedAt
session.revokeReason = reason
changed = true
}
}
if (changed) await writeSessions(sessions)
})
}
// Clean expired sessions
export async function cleanExpiredSessions() {
const sessions = await readSessions()
@@ -383,4 +529,3 @@ export async function cleanExpiredSessions() {
const valid = sessions.filter(s => new Date(s.expiresAt) > now)
await writeSessions(valid)
}

136
server/utils/password-reset-log.js Normal file
View File

@@ -0,0 +1,136 @@
import crypto from 'crypto'
import fs from 'fs/promises'
import path from 'path'
const RETENTION_MS = 72 * 60 * 60 * 1000
function getDataPath(filename) {
const cwd = process.cwd()
if (cwd.endsWith('.output')) {
return path.join(cwd, '../server/data', filename)
}
return path.join(cwd, 'server/data', filename)
}
const LOG_FILE = getDataPath('password-reset.log.jsonl')
export function normalizeResetEmail(email) {
return String(email || '').trim().toLowerCase()
}
export function maskResetEmail(email) {
const normalized = normalizeResetEmail(email)
const [localPart = '', domain = ''] = normalized.split('@')
if (!domain) return normalized ? `${localPart.slice(0, 2)}***` : ''
const localVisible = localPart.slice(0, Math.min(2, localPart.length))
const domainParts = domain.split('.')
const domainName = domainParts.shift() || ''
const suffix = domainParts.length ? `.${domainParts.join('.')}` : ''
return `${localVisible}***@${domainName.slice(0, 2)}***${suffix}`
}
export function fingerprintResetEmail(email) {
return crypto.createHash('sha256').update(normalizeResetEmail(email)).digest('hex')
}
function safeText(value, max = 160) {
return String(value == null ? '' : value).slice(0, max)
}
function errorLabel(error) {
return safeText(error?.code || error?.name || 'Error', 80)
}
function sanitizedErrorMessage(error) {
return safeText(error?.message || error || '')
.replace(/[^\s<>"']+@[^\s<>"']+/gi, email => maskResetEmail(email))
.replace(/((?:pass(?:word)?|token|secret|authorization|auth)\s*[=:]\s*)[^\s,;]+/gi, '$1[redacted]')
.replace(/(smtp:\/\/[^:\s/]+:)[^@\s/]+@/gi, '$1[redacted]@')
}
export async function writePasswordResetLog({
requestId,
email,
ip,
step,
status,
userId,
reason,
error
}) {
const normalizedEmail = normalizeResetEmail(email)
const entry = {
ts: new Date().toISOString(),
requestId: safeText(requestId, 80),
emailMasked: maskResetEmail(normalizedEmail),
emailFingerprint: fingerprintResetEmail(normalizedEmail),
ip: safeText(ip, 80),
step: safeText(step, 80),
status: safeText(status, 40)
}
if (userId) entry.userId = safeText(userId, 80)
if (reason) entry.reason = safeText(reason, 100)
if (error) {
entry.errorCode = errorLabel(error)
entry.errorMessage = sanitizedErrorMessage(error)
}
await fs.mkdir(path.dirname(LOG_FILE), { recursive: true })
await fs.appendFile(LOG_FILE, `${JSON.stringify(entry)}\n`, 'utf8')
}
export async function cleanupPasswordResetLogs(now = Date.now()) {
let contents
try {
contents = await fs.readFile(LOG_FILE, 'utf8')
} catch (error) {
if (error.code === 'ENOENT') return { retained: 0, removed: 0 }
throw error
}
const threshold = now - RETENTION_MS
const entries = contents
.split('\n')
.filter(Boolean)
.flatMap(line => {
try {
return [JSON.parse(line)]
} catch {
return []
}
})
const retained = entries.filter(entry => new Date(entry.ts).getTime() >= threshold)
const removed = entries.length - retained.length
if (removed > 0) {
const serialized = retained.map(entry => JSON.stringify(entry)).join('\n')
await fs.writeFile(LOG_FILE, serialized ? `${serialized}\n` : '', 'utf8')
}
return { retained: retained.length, removed }
}
export async function readPasswordResetLogs() {
await cleanupPasswordResetLogs()
try {
const contents = await fs.readFile(LOG_FILE, 'utf8')
return contents
.split('\n')
.filter(Boolean)
.flatMap(line => {
try {
return [JSON.parse(line)]
} catch {
return []
}
})
.sort((a, b) => String(b.ts).localeCompare(String(a.ts)))
} catch (error) {
if (error.code === 'ENOENT') return []
throw error
}
}
export const PASSWORD_RESET_LOG_RETENTION_HOURS = RETENTION_MS / (60 * 60 * 1000)

54
server/utils/webauthn-config.js
View File

@@ -26,6 +26,36 @@ function deriveFromBaseUrl() {
}
}
function normalizeOrigin(value) {
try {
const u = new URL(value)
if (u.protocol === 'https:') {
return `https://${u.hostname}`
}
if (u.protocol === 'http:' && u.hostname === 'localhost') {
return `${u.protocol}//${u.host}`
}
return u.port === '80' ? `http://${u.hostname}` : `${u.protocol}//${u.host}`
} catch {
return value
}
}
function getAllowedOrigins(origin) {
const configured = String(process.env.WEBAUTHN_ALLOWED_ORIGINS || '')
.split(',')
.map(candidate => normalizeOrigin(candidate.trim()))
.filter(Boolean)
const origins = [origin, ...configured]
// Beide produktiven Hostnamen werden im Browser verwendet und gehoeren zur selben RP-ID.
if (origin === 'https://harheimertc.de' || origin === 'https://www.harheimertc.de') {
origins.push('https://harheimertc.de', 'https://www.harheimertc.de')
}
return [...new Set(origins)]
}
export function getWebAuthnConfig() {
const derived = deriveFromBaseUrl()
@@ -33,23 +63,8 @@ export function getWebAuthnConfig() {
const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC'
// WEBAUTHN_ORIGIN hat Priorität, sonst von BASE_URL ableiten
let origin = process.env.WEBAUTHN_ORIGIN || derived.origin
// Sicherstellen, dass HTTPS-Origins KEINEN Port haben (auch wenn in ENV gesetzt)
if (origin.startsWith('https://')) {
try {
const u = new URL(origin)
// Port 443 oder kein Port = Standard, also Port weglassen
if (u.port === '443' || !u.port) {
origin = `https://${u.hostname}`
} else {
// Auch andere Ports bei HTTPS entfernen (nicht Standard für WebAuthn)
origin = `https://${u.hostname}`
}
} catch {
// Ignore
}
}
const origin = normalizeOrigin(process.env.WEBAUTHN_ORIGIN || derived.origin)
const origins = getAllowedOrigins(origin)
const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true'
@@ -57,13 +72,14 @@ export function getWebAuthnConfig() {
rpId,
rpName,
origin,
origins,
requireUV,
webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
webauthnAllowedOriginsEnv: process.env.WEBAUTHN_ALLOWED_ORIGINS,
baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL,
derivedOrigin: derived.origin
})
return { rpId, rpName, origin, requireUV }
return { rpId, rpName, origin, origins, requireUV }
}