feat(auth): implement Android refresh token handling and session management

- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints. - Implemented new tests for login, logout, and refresh functionalities specific to Android clients. - Enhanced password reset logging with normalization and masking of email addresses. - Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs. - Introduced a new utility for managing password reset logs with retention policies. - Added tests for password reset log utilities to ensure proper functionality and privacy compliance. - Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.
2026-05-27 19:34:32 +02:00
parent 755442fb70
commit 58fd7fa5c6
32 changed files with 1477 additions and 180 deletions
--- a/server/api/auth/reset-password.post.js
+++ b/server/api/auth/reset-password.post.js
@@ -1,77 +1,102 @@
-import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
+import { readUsers, hashPassword, writeUsers, revokeRefreshSessionsForUser } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
 import crypto from 'crypto'
 import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 import { writeAuditLog } from '../../utils/audit-log.js'
+import { maskResetEmail, normalizeResetEmail, writePasswordResetLog } from '../../utils/password-reset-log.js'

 export default defineEventHandler(async (event) => {
+  const requestId = crypto.randomUUID()
+  let emailKey = ''
+  let ip = ''
+
+  const logStep = async (step, status, detail = {}) => {
+    try {
+      await writePasswordResetLog({ requestId, email: emailKey, ip, step, status, ...detail })
+    } catch (logError) {
+      console.error('Password-Reset-Diagnoselog-Fehler:', logError)
+    }
+  }
+
  try {
    const body = await readBody(event)
    const { email } = body

-    if (!email) {
+    emailKey = normalizeResetEmail(email)
+    ip = getClientIp(event)
+    await logStep('request_received', 'started')
+
+    if (!emailKey) {
+      await logStep('request_validation', 'failed', { reason: 'email_missing' })
      throw createError({
        statusCode: 400,
        message: 'E-Mail-Adresse ist erforderlich'
      })
    }

-    const ip = getClientIp(event)
-    const emailKey = String(email || '').trim().toLowerCase()
-
    // Rate Limiting (IP + Account)
-    assertRateLimit(event, {
-      name: 'auth:reset:ip',
-      keyParts: [ip],
-      windowMs: 60 * 60 * 1000,
-      maxAttempts: 20,
-      lockoutMs: 30 * 60 * 1000
-    })
-    assertRateLimit(event, {
-      name: 'auth:reset:account',
-      keyParts: [emailKey],
-      windowMs: 60 * 60 * 1000,
-      maxAttempts: 5,
-      lockoutMs: 60 * 60 * 1000
-    })
+    await logStep('rate_limit', 'checking')
+    try {
+      assertRateLimit(event, {
+        name: 'auth:reset:ip',
+        keyParts: [ip],
+        windowMs: 60 * 60 * 1000,
+        maxAttempts: 20,
+        lockoutMs: 30 * 60 * 1000
+      })
+      assertRateLimit(event, {
+        name: 'auth:reset:account',
+        keyParts: [emailKey],
+        windowMs: 60 * 60 * 1000,
+        maxAttempts: 5,
+        lockoutMs: 60 * 60 * 1000
+      })
+    } catch (error) {
+      await logStep('rate_limit', 'failed', { error })
+      throw error
+    }
+    await logStep('rate_limit', 'passed')

    // Find user
-    const users = await readUsers()
-    const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
+    let users
+    try {
+      users = await readUsers()
+    } catch (error) {
+      await logStep('user_lookup', 'failed', { error })
+      throw error
+    }
+    const user = users.find(u => normalizeResetEmail(u.email) === emailKey)

    // Always return success (security: don't reveal if email exists)
    if (!user) {
+      await logStep('user_lookup', 'not_found')
      await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
      await registerRateLimitFailure(event, { name: 'auth:reset:account', keyParts: [emailKey] })
-      await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: false })
+      await writeAuditLog('auth.reset.request', { ip, emailMasked: maskResetEmail(emailKey), userFound: false, requestId })
+      await logStep('request_completed', 'no_account')
      return {
        success: true,
        message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
      }
    }
+    await logStep('user_lookup', 'found', { userId: user.id })

    // Generate temporary password
    const tempPassword = crypto.randomBytes(8).toString('hex')
    const hashedPassword = await hashPassword(tempPassword)
-
-    // Update user password
-    user.password = hashedPassword
-    user.passwordResetRequired = true
-    const updatedUsers = users.map(u => u.id === user.id ? user : u)
-    await writeUsers(updatedUsers)
-
-    registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
-    await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: true, userId: user.id })
+    await logStep('temporary_password', 'generated', { userId: user.id })

    // Send email with temporary password
    const smtpUser = process.env.SMTP_USER
    const smtpPass = process.env.SMTP_PASS
    
    if (!smtpUser || !smtpPass) {
+      await logStep('mail_configuration', 'failed', { userId: user.id, reason: 'smtp_credentials_missing' })
      console.warn('SMTP-Credentials fehlen! E-Mail-Versand wird übersprungen.')
      console.warn(`SMTP_USER=${smtpUser ? 'gesetzt' : 'FEHLT'}, SMTP_PASS=${smtpPass ? 'gesetzt' : 'FEHLT'}`)
-      // Continue without sending email - security: don't reveal if email exists
+      throw new Error('SMTP-Konfiguration fuer Passwort-Reset fehlt')
    } else {
+      await logStep('mail_configuration', 'passed', { userId: user.id })
      const transporter = nodemailer.createTransport({
        host: process.env.SMTP_HOST || 'smtp.gmail.com',
        port: process.env.SMTP_PORT || 587,
@@ -99,15 +124,50 @@ export default defineEventHandler(async (event) => {
        `
      }

-      await transporter.sendMail(mailOptions)
+      await logStep('mail_send', 'started', { userId: user.id })
+      try {
+        await transporter.sendMail(mailOptions)
+      } catch (error) {
+        await logStep('mail_send', 'failed', { userId: user.id, error })
+        throw error
+      }
+      await logStep('mail_send', 'completed', { userId: user.id })
    }

+    // Erst nach erfolgreichem Versand das zugesandte Passwort aktivieren.
+    user.password = hashedPassword
+    user.passwordResetRequired = true
+    const updatedUsers = users.map(u => u.id === user.id ? user : u)
+    let passwordStored = false
+    try {
+      passwordStored = await writeUsers(updatedUsers)
+    } catch (error) {
+      await logStep('password_storage', 'failed', { userId: user.id, error })
+      throw error
+    }
+    if (!passwordStored) {
+      await logStep('password_storage', 'failed', { userId: user.id, reason: 'write_failed' })
+      throw new Error('Passwort konnte nach E-Mail-Versand nicht gespeichert werden')
+    }
+    await logStep('password_storage', 'completed', { userId: user.id })
+    try {
+      await revokeRefreshSessionsForUser(user.id, 'password_reset')
+    } catch (error) {
+      await logStep('session_revocation', 'failed', { userId: user.id, error })
+      throw error
+    }
+    await logStep('session_revocation', 'completed', { userId: user.id })
+
+    registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+    await writeAuditLog('auth.reset.request', { ip, emailMasked: maskResetEmail(emailKey), userFound: true, userId: user.id, requestId })
+    await logStep('request_completed', 'success', { userId: user.id })
    return {
      success: true,
      message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
    }
  } catch (error) {
-    console.error('Password-Reset-Fehler:', error)
+    await logStep('request_completed', 'failed', { error })
+    console.error('Password-Reset-Fehler:', { requestId, code: error?.code || error?.name || 'Error' })
    // Don't reveal errors to prevent email enumeration
    return {
      success: true,
@@ -115,4 +175,3 @@ export default defineEventHandler(async (event) => {
    }
  }
 })
-