LivingAi
/
auth
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
auth/Documentaion/security/REMAINING_SECURITY_GAPS.md

11 KiB
Raw Blame History

Remaining Security Gaps Analysis

Fully Resolved Issues

1. Rate Limiting / OTP Throttling

Status: RESOLVED

  • Rate limiting implemented per phone and per IP
  • OTP request throttling (3 per 10 min, 10 per 24h per phone)
  • OTP verification attempt limits (5 per OTP, 10 failed per hour)
  • Location: src/middleware/rateLimitMiddleware.js

2. OTP Exposure in Logs

Status: RESOLVED

  • Safe OTP logging helper created (src/utils/otpLogger.js)
  • Only logs in development mode
  • Never logs to production
  • Location: src/services/smsService.js uses logOtpForDebug()

3. IP/Device Risk Controls

Status: RESOLVED

  • IP blocking for configured CIDR ranges
  • Risk scoring based on IP/device/user-agent changes
  • Suspicious refresh detection
  • Location: src/services/riskScoring.js, integrated in src/routes/authRoutes.js

4. Refresh Token Theft Mitigation

Status: RESOLVED

  • Environment fingerprinting (IP, user-agent, device ID)
  • Suspicious refresh detection with risk scoring
  • Optional OTP re-verification for suspicious refreshes
  • Enhanced logging of suspicious events
  • Location: src/routes/authRoutes.js (refresh endpoint)

5. JWT Claims Validation

Status: RESOLVED

  • Strict validation of iss, aud, exp, iat, nbf
  • Centralized validation function
  • Used in all token verification paths
  • Location: src/services/jwtKeys.js - validateTokenClaims()

6. CORS Hardening

Status: RESOLVED

  • Strict origin whitelisting
  • No wildcard support when credentials involved
  • Production requirement for explicit origins
  • Location: src/index.js

7. CSRF Protection (Documented)

Status: RESOLVED (Not needed - using Bearer tokens)

  • Comprehensive documentation provided
  • Guidance for future cookie-based implementation
  • Location: CSRF_NOTES.md

⚠️ Partially Resolved Issues

8. ⚠️ Access Token Replay Mitigation

Status: PARTIALLY RESOLVED

What's Done:

  • Step-up authentication middleware created (src/middleware/stepUpAuth.js)
  • Access tokens include high_assurance claim after OTP verification
  • Middleware checks for recent OTP or high assurance token

What's Missing:

  • Step-up auth NOT applied to sensitive routes
  • Sensitive operations in src/routes/userRoutes.js don't use requireRecentOtpOrReauth:
    • PUT /users/me - Profile updates (could change phone number)
    • DELETE /users/me/devices/:device_id - Device revocation
    • POST /users/me/logout-all-other-devices - Mass device logout

Risk Level: 🟡 MEDIUM

  • Stolen access token can be used for sensitive operations within 15-minute window
  • Attacker could revoke devices, update profile, etc.

Recommendation:

// Apply to sensitive routes:
router.put('/me', auth, requireRecentOtpOrReauth, async (req, res) => { ... });
router.delete('/me/devices/:device_id', auth, requireRecentOtpOrReauth, async (req, res) => { ... });
router.post('/me/logout-all-other-devices', auth, requireRecentOtpOrReauth, async (req, res) => { ... });

9. ⚠️ Secrets Management & Rotation

Status: PARTIALLY RESOLVED

What's Done:

  • JWT key rotation structure implemented
  • Support for multiple keys with kid (key ID)
  • Graceful rotation without breaking existing tokens
  • Code structure ready for secrets manager integration

What's Missing:

  • Still reads secrets from .env file
  • No integration with secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
  • Manual key rotation process (no automation)
  • Twilio credentials still in .env

Risk Level: 🟡 MEDIUM-HIGH

  • If .env leaks or is committed to git, attacker can:
    • Forge JWTs
    • Send SMS via Twilio
    • Access database

Recommendation:

  1. Immediate: Ensure .env is in .gitignore and never committed
  2. Short-term: Use environment variables from secure deployment platform
  3. Long-term: Integrate with secrets manager (see TODOs in src/services/jwtKeys.js)

TODO in Code:

  • src/services/jwtKeys.js line 169: Example implementation for AWS Secrets Manager
  • Need to implement loadKeysFromSecretsManager() function

10. ⚠️ Audit Logs Active Monitoring

Status: PARTIALLY RESOLVED

What's Done:

  • Enhanced audit logging with risk levels (INFO, SUSPICIOUS, HIGH_RISK)
  • Structured logging with metadata
  • Anomaly detection helper function (checkAnomalies())
  • Suspicious events logged (failed OTPs, suspicious refreshes, blocked IPs)

What's Missing:

  • No active alerting/monitoring integration
  • No automated alerts for HIGH_RISK events
  • No integration with PagerDuty, Slack, email, etc.
  • Anomaly detection only logs to console (line 183 in auditLogger.js)

Risk Level: 🟡 MEDIUM

  • Attacks happen silently until manual log inspection
  • No real-time notification of security events

Recommendation:

  1. Immediate: Set up log aggregation (CloudWatch, Datadog, etc.)
  2. Short-term: Implement alerting for HIGH_RISK events
  3. Long-term: Integrate with SIEM system

TODO in Code:

  • src/services/auditLogger.js line 183: // TODO: Trigger alert (email, webhook, etc.)
  • src/services/auditLogger.js line 193: Example implementation for external alerting

11. ⚠️ Input Validation

Status: PARTIALLY RESOLVED

What's Done:

  • Input validation middleware created (src/middleware/validation.js)
  • Validation applied to all auth routes:
    • /auth/request-otp
    • /auth/verify-otp
    • /auth/refresh
    • /auth/logout

What's Missing:

  • Validation NOT applied to user routes (src/routes/userRoutes.js):
    • PUT /users/me - No validation for name, user_type
    • DELETE /users/me/devices/:device_id - No validation for device_id param
    • POST /users/me/logout-all-other-devices - No validation for current_device_id

Risk Level: 🟢 LOW-MEDIUM

  • Less critical than auth endpoints, but still important
  • Could allow unexpected payloads or edge-case bugs

Recommendation:

// Add validation middleware to user routes:
const { validateUpdateProfileBody, validateDeviceIdParam } = require('../middleware/validation');

router.put('/me', auth, validateUpdateProfileBody, async (req, res) => { ... });
router.delete('/me/devices/:device_id', auth, validateDeviceIdParam, async (req, res) => { ... });

Unaddressed Attack Scenarios

12. Database Compromise

Status: NOT ADDRESSED

Risk:

  • If database is compromised, attacker can:
    • See phone numbers, device metadata, audit logs
    • Correlate patterns for phishing/SIM-swap attacks
    • Access user data

Mitigation Needed:

  • Already using parameterized queries (good)
  • No encryption at rest for sensitive fields
  • No field-level encryption for PII
  • No database access logging/auditing

Recommendation:

  • Encrypt sensitive fields (phone numbers) at rest
  • Implement database access logging
  • Use database encryption (TDE, etc.)
  • Regular security audits

13. Man-in-the-Middle (Non-HTTPS)

Status: NOT ADDRESSED (Infrastructure concern)

Risk:

  • If client app talks to service over HTTP (no TLS):
    • Attacker can intercept access/refresh tokens
    • Attacker can intercept OTPs
    • Full account compromise

Mitigation:

  • Server assumes TLS termination in front (reverse proxy)
  • No enforcement of HTTPS-only connections
  • No HSTS headers
  • No certificate pinning guidance

Recommendation:

  • Enforce HTTPS at reverse proxy/load balancer
  • Add HSTS headers
  • Document TLS requirements
  • Consider certificate pinning for mobile apps

14. Misconfigured CORS + XSS

Status: PARTIALLY ADDRESSED

What's Done:

  • CORS hardened with strict origin whitelisting
  • Documentation warns about misconfiguration

What's Missing:

  • No validation that CORS is properly configured in production
  • No runtime checks for CORS misconfiguration
  • No guidance for XSS prevention in frontend

Risk Level: 🟡 MEDIUM

  • If frontend has XSS and CORS is misconfigured:
    • Attacker can use victim's tokens from malicious page
    • Account takeover possible

Recommendation:

  • Add startup validation that CORS origins are configured in production
  • Document XSS prevention best practices
  • Consider Content Security Policy (CSP) headers

Summary Table

Issue Status Risk Level Priority
1. Rate Limiting Resolved - -
2. OTP Logging Resolved - -
3. IP/Device Risk Resolved - -
4. Refresh Token Theft Resolved - -
5. JWT Claims Resolved - -
6. CORS Resolved - -
7. CSRF Documented - -
8. Access Token Replay ⚠️ Partial 🟡 Medium HIGH
9. Secrets Management ⚠️ Partial 🟡 Medium-High HIGH
10. Audit Monitoring ⚠️ Partial 🟡 Medium MEDIUM
11. Input Validation ⚠️ Partial 🟢 Low-Medium MEDIUM
12. Database Compromise Not Addressed 🔴 High MEDIUM
13. MITM (HTTP) Not Addressed 🔴 High LOW (Infra)
14. CORS + XSS ⚠️ Partial 🟡 Medium LOW

Immediate Action Items (Priority Order)

🔴 HIGH PRIORITY

  1. Apply Step-Up Auth to Sensitive Routes

    • Add requireRecentOtpOrReauth to user routes
    • Prevents access token replay attacks

  2. Secrets Management

    • Move secrets to environment variables (not .env file)
    • Plan integration with secrets manager
    • Ensure .env is never committed

🟡 MEDIUM PRIORITY

  1. Active Monitoring/Alerting

    • Set up alerts for HIGH_RISK audit events
    • Integrate with monitoring system (CloudWatch, Datadog, etc.)

  2. Complete Input Validation

    • Add validation middleware to user routes
    • Validate all request parameters

🟢 LOW PRIORITY

  1. Database Security

    • Plan encryption at rest
    • Implement database access logging

  2. Infrastructure Security

    • Document TLS/HTTPS requirements
    • Add HSTS headers
    • Validate CORS configuration at startup

Code Locations for Fixes

Step-Up Auth Application

File: src/routes/userRoutes.js

  • Line 99: PUT /users/me - Add requireRecentOtpOrReauth
  • Line 160: DELETE /users/me/devices/:device_id - Add requireRecentOtpOrReauth
  • Line 203: POST /users/me/logout-all-other-devices - Add requireRecentOtpOrReauth

Input Validation

File: src/routes/userRoutes.js

  • Add validation middleware imports
  • Apply to all routes

Secrets Manager Integration

File: src/services/jwtKeys.js

  • Line 169: Implement loadKeysFromSecretsManager() function
  • Replace .env reads with secrets manager calls

Alerting Integration

File: src/services/auditLogger.js

  • Line 183: Implement alert triggering
  • Line 193: Add external alerting integration

Conclusion

7 out of 14 issues are fully resolved 4 issues are partially resolved ⚠️ (need completion) 3 issues are not addressed (infrastructure/planning)

Overall Security Posture: 🟡 GOOD (with room for improvement)

The most critical remaining gaps are:

  1. Step-up auth not applied to sensitive routes
  2. Secrets still in .env file
  3. No active monitoring/alerting

These should be addressed before production deployment.