torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 51s
Details

Browse Source
This commit is contained in:
Torsten Schulz (local)
2026-01-05 11:50:57 +01:00
parent 8bd7ed76cd
commit 673c34ac9d
47 changed files with 1738 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
server/api/newsletter/check-subscription.get.js
View File

@@ -1,4 +1,5 @@
import { readSubscribers } from '../../utils/newsletter.js'
import { assertRateLimit, getClientIp } from '../../utils/rate-limit.js'
export default defineEventHandler(async (event) => {
try {
@@ -12,6 +13,23 @@ export default defineEventHandler(async (event) => {
})
}
const ip = getClientIp(event)
const emailKey = String(email || '').trim().toLowerCase()
assertRateLimit(event, {
name: 'newsletter:check:ip',
keyParts: [ip],
windowMs: 10 * 60 * 1000,
maxAttempts: 60,
lockoutMs: 10 * 60 * 1000
})
assertRateLimit(event, {
name: 'newsletter:check:email',
keyParts: [emailKey],
windowMs: 10 * 60 * 1000,
maxAttempts: 30,
lockoutMs: 10 * 60 * 1000
})
const subscribers = await readSubscribers()
const emailLower = email.toLowerCase()

27
server/api/newsletter/subscribe.post.js
View File

@@ -4,6 +4,7 @@ import nodemailer from 'nodemailer'
import crypto from 'crypto'
import fs from 'fs/promises'
import path from 'path'
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is always a hardcoded constant (e.g., 'newsletter-subscribers.json'), never user input
@@ -43,6 +44,23 @@ export default defineEventHandler(async (event) => {
})
}
const ip = getClientIp(event)
const emailKey = String(email || '').trim().toLowerCase()
assertRateLimit(event, {
name: 'newsletter:subscribe:ip',
keyParts: [ip],
windowMs: 10 * 60 * 1000,
maxAttempts: 30,
lockoutMs: 15 * 60 * 1000
})
assertRateLimit(event, {
name: 'newsletter:subscribe:email',
keyParts: [emailKey],
windowMs: 10 * 60 * 1000,
maxAttempts: 8,
lockoutMs: 30 * 60 * 1000
})
if (!groupId) {
throw createError({
statusCode: 400,
@@ -79,6 +97,8 @@ export default defineEventHandler(async (event) => {
if (existing) {
if (existing.confirmed) {
await registerRateLimitFailure(event, { name: 'newsletter:subscribe:ip', keyParts: [ip] })
await registerRateLimitFailure(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
throw createError({
statusCode: 409,
statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
@@ -86,6 +106,7 @@ export default defineEventHandler(async (event) => {
} else {
// Bestätigungsmail erneut senden
await sendConfirmationEmail(existing.email, existing.name || name, existing.confirmationToken, group.name)
registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
return {
success: true,
message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
@@ -105,6 +126,8 @@ export default defineEventHandler(async (event) => {
if (existingEmail.groupIds.includes(groupId)) {
// Bereits für diese Gruppe angemeldet
if (existingEmail.confirmed) {
await registerRateLimitFailure(event, { name: 'newsletter:subscribe:ip', keyParts: [ip] })
await registerRateLimitFailure(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
throw createError({
statusCode: 409,
statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
@@ -112,6 +135,7 @@ export default defineEventHandler(async (event) => {
} else {
// Bestätigungsmail erneut senden
await sendConfirmationEmail(existingEmail.email, existingEmail.name || name, existingEmail.confirmationToken, group.name)
registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
return {
success: true,
message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
@@ -131,6 +155,7 @@ export default defineEventHandler(async (event) => {
if (existingEmail.confirmed) {
// Bereits bestätigt - sofort aktiviert
registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
return {
success: true,
message: `Sie wurden erfolgreich für den Newsletter "${group.name}" angemeldet`
@@ -138,6 +163,7 @@ export default defineEventHandler(async (event) => {
} else {
// Bestätigungsmail senden
await sendConfirmationEmail(existingEmail.email, existingEmail.name, existingEmail.confirmationToken, group.name)
registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
return {
success: true,
message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'
@@ -167,6 +193,7 @@ export default defineEventHandler(async (event) => {
// Bestätigungsmail senden
await sendConfirmationEmail(email, name, confirmationToken, group.name)
registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
return {
success: true,
message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'

23
server/api/newsletter/unsubscribe-by-email.post.js
View File

@@ -1,6 +1,7 @@
import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
import fs from 'fs/promises'
import path from 'path'
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is always a hardcoded constant (e.g., 'newsletter-subscribers.json'), never user input
@@ -40,6 +41,23 @@ export default defineEventHandler(async (event) => {
})
}
const ip = getClientIp(event)
const emailKey = String(email || '').trim().toLowerCase()
assertRateLimit(event, {
name: 'newsletter:unsubscribe:ip',
keyParts: [ip],
windowMs: 10 * 60 * 1000,
maxAttempts: 30,
lockoutMs: 15 * 60 * 1000
})
assertRateLimit(event, {
name: 'newsletter:unsubscribe:email',
keyParts: [emailKey],
windowMs: 10 * 60 * 1000,
maxAttempts: 8,
lockoutMs: 30 * 60 * 1000
})
if (!groupId) {
throw createError({
statusCode: 400,
@@ -75,6 +93,8 @@ export default defineEventHandler(async (event) => {
if (!subscriber) {
// Nicht gefunden - aber trotzdem Erfolg zurückgeben (keine Information preisgeben)
await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:ip', keyParts: [ip] })
await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
return {
success: true,
message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
@@ -89,6 +109,8 @@ export default defineEventHandler(async (event) => {
// Prüfe ob für diese Gruppe angemeldet
if (!subscriber.groupIds.includes(groupId)) {
// Nicht für diese Gruppe angemeldet - aber trotzdem Erfolg zurückgeben
await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:ip', keyParts: [ip] })
await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
return {
success: true,
message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
@@ -107,6 +129,7 @@ export default defineEventHandler(async (event) => {
await writeSubscribers(subscribers)
registerRateLimitSuccess(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
return {
success: true,
message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'

20
server/api/newsletter/unsubscribe.get.js
View File

@@ -1,4 +1,5 @@
import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
export default defineEventHandler(async (event) => {
try {
@@ -12,10 +13,28 @@ export default defineEventHandler(async (event) => {
})
}
const ip = getClientIp(event)
const tokenKey = String(token || '').trim()
assertRateLimit(event, {
name: 'newsletter:unsubscribe-token:ip',
keyParts: [ip],
windowMs: 10 * 60 * 1000,
maxAttempts: 60,
lockoutMs: 10 * 60 * 1000
})
assertRateLimit(event, {
name: 'newsletter:unsubscribe-token:token',
keyParts: [tokenKey],
windowMs: 10 * 60 * 1000,
maxAttempts: 10,
lockoutMs: 30 * 60 * 1000
})
const subscribers = await readSubscribers()
const subscriber = subscribers.find(s => s.unsubscribeToken === token)
if (!subscriber) {
await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe-token:token', keyParts: [tokenKey] })
throw createError({
statusCode: 404,
statusMessage: 'Ungültiger Abmeldetoken'
@@ -40,6 +59,7 @@ export default defineEventHandler(async (event) => {
await writeSubscribers(subscribers)
registerRateLimitSuccess(event, { name: 'newsletter:unsubscribe-token:token', keyParts: [tokenKey] })
// Weiterleitung zur Abmelde-Bestätigungsseite
return sendRedirect(event, '/newsletter/unsubscribed')
} catch (error) {