fix(security): verify JWT signatures + plug 4 other critical gaps (t-paliad-016)

m/paliad

C-1. Session JWT signature verification (authZ bypass fix)
- Add SUPABASE_JWT_SECRET env var; fail-fast at startup if unset.
- auth.Client.VerifyToken uses github.com/golang-jwt/jwt/v5 to verify
  HS256 signatures, reject alg=none, enforce exp/nbf/iat.
- Middleware stores verified claims in request context; WithUserID
  reads only verified claims (no more raw-cookie sub decoding).
- API requests get 401 on missing/invalid token (was 302 redirect).
- Refresh flow only runs on expiry; other signature failures reject
  outright and clear cookies.

C-2. Dashboard Termine cross-user privacy leak
- dashboard_service.loadUpcomingAppointments now mirrors
  TerminService.canSee: personal Termine (akte_id IS NULL) are
  creator-only; admins do NOT see other users' personal Termine.

C-3. Role gate on Parteien + Termine mutations
- ParteienService.Delete now partner/admin only (matches FristService).
- TerminService.Update / Delete on Akte-linked Termine now require
  partner/admin (or the original creator). Personal Termine stay
  creator-only.

C-4. Email gate → ALLOWED_EMAIL_DOMAINS whitelist
- isHoganLovellsEmail → isAllowedEmailDomain reading the env var
  (default: hoganlovells.com,hlc.com,hlc.de). Case-insensitive,
  whitespace-tolerant.
- login.tsx placeholder: name@hoganlovells.com → name@hlc.com
- Error strings + login.hint (de/en) rewritten for HLC branding.

C-5. Docker compose env wiring
- docker-compose.yml gains SUPABASE_JWT_SECRET, CALDAV_ENCRYPTION_KEY,
  and ALLOWED_EMAIL_DOMAINS passthrough; commented-out
  ANTHROPIC_API_KEY line for Phase H readiness.

Tests
- auth_test.go: valid/wrong-secret/expired/alg-none/missing-sub/garbage
  token cases for VerifyToken.
- handlers/auth_test.go: default + env-override cases for the email
  whitelist.
- go build ./..., go vet ./..., go test ./... all clean.

This commit is contained in:

2026-04-18 02:23:50 +02:00

parent 3e14171808

commit 3e20806aee

15 changed files with 454 additions and 143 deletions

									
										7

cmd/server/main.go
									
												View File
												
				@@ -26,7 +26,12 @@ func main() {

						log.Fatal("SUPABASE_URL and SUPABASE_ANON_KEY must be set")

					}

					client := auth.NewClient(supabaseURL, supabaseAnonKey)

					jwtSecret := os.Getenv("SUPABASE_JWT_SECRET")

					if jwtSecret == "" {

						log.Fatal("SUPABASE_JWT_SECRET must be set — session cookies cannot be trusted without signature verification")

					}

					client := auth.NewClient(supabaseURL, supabaseAnonKey, []byte(jwtSecret))

					giteaToken := os.Getenv("GITEA_TOKEN")

					if giteaToken == "" {

fix(security): verify JWT signatures + plug 4 other critical gaps (t-paliad-016)

7 cmd/server/main.go Unescape Escape View File

7

cmd/server/main.go

View File