duffyduck
0cf3dd6a7b
Defense-in-Depth für alles, was in den ersten 9 Runden nicht durch Code verhindert wurde: zumindest gesehen + alarmiert werden. 📊 SecurityEvent-Tabelle (Prisma) - Type/Severity/IP/User/Endpoint + Indexen für Filter+Threshold-Detection - Trennt sich vom AuditLog: AuditLog ist forensisch + hash-gekettet, SecurityEvent ist optimiert für Realtime-Alerting + Aggregation. 🪝 Hooks an kritischen Stellen - Login (Success/Failed) – auth.controller - Logout, Password-Reset (Request + Confirm) – auth.controller - Rate-Limit-Hit – middleware/rateLimit - IDOR-403 – utils/accessControl (canAccessCustomer / canAccessContract) - SSRF-Block – emailProvider.controller (test-connection + test-mail-access) - JWT-Reject (alg=none, expired, manipuliert) – middleware/auth 🚨 Threshold-Detection + Alerting (securityAlert.service.ts) - Cron jede Minute: prüft Brute-Force-Patterns je IP - 10× LOGIN_FAILED in 60 min → CRITICAL Brute-Force-Verdacht - 5× ACCESS_DENIED in 5 min → CRITICAL IDOR-Probing-Verdacht - 3× SSRF_BLOCKED in 60 min → CRITICAL SSRF-Probing - 3× TOKEN_REJECTED HIGH in 5 min → CRITICAL JWT-Manipulation - CRITICAL-Events: Sofort-Alert per E-Mail (debounced) - Cron stündlich: Digest mit HIGH+MEDIUM-Events (wenn aktiviert) - Sofort-Alert + Digest laufen über System-E-Mail-Provider (gleicher Pfad wie Geburtstagsgrüße, Passwort-Reset) 🖥 Frontend: Settings → "Sicherheits-Monitoring" - Alert-E-Mail-Adresse + Digest-Toggle - Test-Alert-Button + Digest-jetzt-Button - Stats-Cards pro Severity (CRITICAL/HIGH/MEDIUM/LOW/INFO) - Filter (Type/Severity/Search/IP) + Pagination - Auto-Refresh alle 30 s - Verlinkt aus Settings-Übersicht (settings:read Permission) 🧪 Live-verifiziert - Login-Fehlversuch → LOGIN_FAILED Event - Portal probt 4× fremde Customer-IDs → 4× ACCESS_DENIED - SSRF-Probe (169.254.169.254) → SSRF_BLOCKED Event - 12× LOGIN_FAILED simuliert → Cron erzeugt CRITICAL nach ≤60s - CRITICAL-Sofort-Alert binnen 30s zugestellt - Test-Alert-Button: E-Mail zugestellt - Hourly-Digest mit 5 Events: E-Mail mit Tabelle zugestellt Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
164 lines
5.0 KiB
TypeScript
164 lines
5.0 KiB
TypeScript
import { Response, NextFunction } from 'express';
|
|
import jwt from 'jsonwebtoken';
|
|
import prisma from '../lib/prisma.js';
|
|
import { AuthRequest, JwtPayload } from '../types/index.js';
|
|
import { emit as emitSecurityEvent } from '../services/securityMonitor.service.js';
|
|
|
|
export async function authenticate(
|
|
req: AuthRequest,
|
|
res: Response,
|
|
next: NextFunction
|
|
): Promise<void> {
|
|
const authHeader = req.headers.authorization;
|
|
|
|
// Token aus Header oder Query-Parameter (für Downloads)
|
|
let token: string | null = null;
|
|
|
|
if (authHeader && authHeader.startsWith('Bearer ')) {
|
|
token = authHeader.split(' ')[1];
|
|
} else if (req.query.token && typeof req.query.token === 'string') {
|
|
// Fallback für Downloads: Token als Query-Parameter
|
|
token = req.query.token;
|
|
}
|
|
|
|
if (!token) {
|
|
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
|
|
return;
|
|
}
|
|
|
|
try {
|
|
// JWT_SECRET wird beim Server-Start geprüft (Fail-Fast in index.ts)
|
|
// Algorithmus explizit auf HS256 festlegen (Defense-in-Depth gegen alg-confusion).
|
|
const decoded = jwt.verify(token, process.env.JWT_SECRET as string, {
|
|
algorithms: ['HS256'],
|
|
}) as JwtPayload;
|
|
|
|
// Prüfen ob Token durch Rechteänderung/Passwort-Reset invalidiert wurde
|
|
if (decoded.userId && decoded.iat) {
|
|
// Mitarbeiter-Login
|
|
const user = await prisma.user.findUnique({
|
|
where: { id: decoded.userId },
|
|
select: { tokenInvalidatedAt: true, isActive: true },
|
|
});
|
|
|
|
if (!user || !user.isActive) {
|
|
res.status(401).json({ success: false, error: 'Benutzer nicht mehr aktiv' });
|
|
return;
|
|
}
|
|
|
|
if (user.tokenInvalidatedAt) {
|
|
const tokenIssuedAt = decoded.iat * 1000;
|
|
if (tokenIssuedAt < user.tokenInvalidatedAt.getTime()) {
|
|
res.status(401).json({
|
|
success: false,
|
|
error: 'Ihre Berechtigungen wurden geändert. Bitte melden Sie sich erneut an.',
|
|
});
|
|
return;
|
|
}
|
|
}
|
|
} else if (decoded.isCustomerPortal && decoded.customerId && decoded.iat) {
|
|
// Portal-Kunden-Login: gleiche Prüfung
|
|
const customer = await prisma.customer.findUnique({
|
|
where: { id: decoded.customerId },
|
|
select: { portalTokenInvalidatedAt: true, portalEnabled: true },
|
|
});
|
|
|
|
if (!customer || !customer.portalEnabled) {
|
|
res.status(401).json({ success: false, error: 'Portal-Zugang nicht mehr aktiv' });
|
|
return;
|
|
}
|
|
|
|
if (customer.portalTokenInvalidatedAt) {
|
|
const tokenIssuedAt = decoded.iat * 1000;
|
|
if (tokenIssuedAt < customer.portalTokenInvalidatedAt.getTime()) {
|
|
res.status(401).json({
|
|
success: false,
|
|
error: 'Ihre Sitzung ist ungültig. Bitte melden Sie sich erneut an.',
|
|
});
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
req.user = decoded;
|
|
next();
|
|
} catch (err) {
|
|
// JWT-Failures sind interessant: alg=none, manipulierte Signature,
|
|
// expired Token. Emit SecurityEvent (asynchron, blockt nicht).
|
|
emitSecurityEvent({
|
|
type: 'TOKEN_REJECTED',
|
|
severity: err instanceof jwt.TokenExpiredError ? 'LOW' : 'HIGH',
|
|
message: err instanceof Error ? `JWT abgelehnt: ${err.message}` : 'JWT abgelehnt',
|
|
ipAddress: req.ip || (req.socket as any)?.remoteAddress || 'unknown',
|
|
endpoint: `${req.method} ${req.path}`,
|
|
});
|
|
res.status(401).json({ success: false, error: 'Ungültiger Token' });
|
|
}
|
|
}
|
|
|
|
export function requirePermission(...requiredPermissions: string[]) {
|
|
return (req: AuthRequest, res: Response, next: NextFunction): void => {
|
|
if (!req.user) {
|
|
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
|
|
return;
|
|
}
|
|
|
|
const userPermissions = req.user.permissions || [];
|
|
|
|
// Check if user has any of the required permissions
|
|
const hasPermission = requiredPermissions.some((perm) =>
|
|
userPermissions.includes(perm)
|
|
);
|
|
|
|
if (!hasPermission) {
|
|
res.status(403).json({
|
|
success: false,
|
|
error: 'Keine Berechtigung für diese Aktion',
|
|
});
|
|
return;
|
|
}
|
|
|
|
next();
|
|
};
|
|
}
|
|
|
|
// Middleware to check if user can access specific customer data
|
|
export function requireCustomerAccess(
|
|
req: AuthRequest,
|
|
res: Response,
|
|
next: NextFunction
|
|
): void {
|
|
if (!req.user) {
|
|
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
|
|
return;
|
|
}
|
|
|
|
const userPermissions = req.user.permissions || [];
|
|
|
|
// Admins and employees can access all customers
|
|
if (
|
|
userPermissions.includes('customers:read') ||
|
|
userPermissions.includes('customers:update')
|
|
) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
// Customers can only access their own data + represented customers
|
|
const customerId = parseInt(req.params.customerId || req.params.id);
|
|
const allowedIds = [
|
|
req.user.customerId,
|
|
...((req.user as any).representedCustomerIds || []),
|
|
].filter(Boolean);
|
|
|
|
if (allowedIds.includes(customerId)) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
res.status(403).json({
|
|
success: false,
|
|
error: 'Kein Zugriff auf diese Kundendaten',
|
|
});
|
|
}
|