diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc24903..463577f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,3 +26,5 @@ jobs: JWT_SECRET: "ci-placeholder-jwt-secret-min-32-chars" DATABASE_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder" DIRECT_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder" + ADMIN_USERNAME: "ci-admin-user" + ADMIN_PASSWORD: "ci-placeholder-admin-password-min-8-chars" diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..fe20748 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,5 @@ + +## 2024-05-24 - [CRITICAL] Fix Hardcoded Admin Credentials in Authentication Logic +**Vulnerability:** Found hardcoded `ADMIN_USERNAME` and `ADMIN_PASSWORD` in `packages/web/src/lib/server/admin-auth.ts`. +**Learning:** Hardcoding credentials in source code exposes them to anyone with read access to the repository and makes it impossible to securely manage or rotate these secrets across different environments. +**Prevention:** Always use environment variables for secrets and credentials. Use tools like `zod` to validate their presence at runtime (e.g., in `env.ts`) and ensure proper placeholder values are added to `.env.example` and CI workflows to prevent build regressions. diff --git a/packages/web/.env.example b/packages/web/.env.example index e99d51e..c139f14 100644 --- a/packages/web/.env.example +++ b/packages/web/.env.example @@ -4,3 +4,7 @@ AUTH_SECRET=replace-with-min-32-char-random-string DATABASE_URL="postgresql://postgres.[project]:[password]@aws-0-ap-northeast-1.pooler.supabase.com:6543/postgres?pgbouncer=true" DIRECT_URL="postgresql://postgres.[project]:[password]@db.uwxfseowdzuuepeeudrx.supabase.co:5432/postgres" JWT_SECRET="replace-with-32-char-minimum-random-string" + +# Admin credentials +ADMIN_USERNAME=admin +ADMIN_PASSWORD=replace-with-secure-admin-password diff --git a/packages/web/src/app/api/admin/login/route.ts b/packages/web/src/app/api/admin/login/route.ts index dbf5d2e..24fabdb 100644 --- a/packages/web/src/app/api/admin/login/route.ts +++ b/packages/web/src/app/api/admin/login/route.ts @@ -20,7 +20,7 @@ const AdminLoginSchema = z.object({ export async function POST(req: Request) { try { const input = AdminLoginSchema.parse(await req.json()) - if (!verifyAdminCredentials(input)) { + if (!(await verifyAdminCredentials(input))) { return NextResponse.json({ error: 'Invalid username or password' }, { status: 401 }) } diff --git a/packages/web/src/lib/server/admin-auth.ts b/packages/web/src/lib/server/admin-auth.ts index 5390fa4..4658ef9 100644 --- a/packages/web/src/lib/server/admin-auth.ts +++ b/packages/web/src/lib/server/admin-auth.ts @@ -1,19 +1,37 @@ import 'server-only' -import { createHmac, randomBytes, timingSafeEqual } from 'crypto' +import { createHmac, randomBytes, timingSafeEqual, pbkdf2Sync, pbkdf2 } from 'crypto' +import { promisify } from 'util' import { cookies } from 'next/headers' import { NextRequest, NextResponse } from 'next/server' import { env } from './env' -export const ADMIN_USERNAME = 'admin' -export const ADMIN_PASSWORD = 'og9oRajx7h88v1RIj3eDgdrh9jgLYVV3' +export const ADMIN_USERNAME = env.ADMIN_USERNAME +export const ADMIN_PASSWORD = env.ADMIN_PASSWORD const ADMIN_SESSION_COOKIE = 'argos_admin_session' const ADMIN_SESSION_TTL_MS = 12 * 60 * 60 * 1000 const ADMIN_IMPERSONATION_TTL_MS = 60 * 1000 const ADMIN_IMPERSONATION_PREFIX = 'argos_imp' +const pbkdf2Async = promisify(pbkdf2) + +// PBKDF2 parameters for secure password hashing +const HASH_SALT = 'argos_admin_salt' +const HASH_ITERATIONS = 100000 +const HASH_KEYLEN = 64 +const HASH_DIGEST = 'sha512' + +// Pre-compute the target hash of the admin password at module initialization +const TARGET_PASSWORD_HASH = pbkdf2Sync( + ADMIN_PASSWORD, + HASH_SALT, + HASH_ITERATIONS, + HASH_KEYLEN, + HASH_DIGEST +) + function safeEqual(a: string, b: string): boolean { const aHash = createHmac('sha256', env.JWT_SECRET).update(a).digest() const bHash = createHmac('sha256', env.JWT_SECRET).update(b).digest() @@ -24,14 +42,24 @@ function sign(payload: string): string { return createHmac('sha256', env.JWT_SECRET).update(payload).digest('base64url') } -export function verifyAdminCredentials(input: { +export async function verifyAdminCredentials(input: { username: string password: string -}): boolean { - return ( - safeEqual(input.username, ADMIN_USERNAME) && - safeEqual(input.password, ADMIN_PASSWORD) +}): Promise { + if (!safeEqual(input.username, ADMIN_USERNAME)) { + return false + } + + // Hash the incoming password asynchronously to avoid blocking the event loop + const inputPasswordHash = await pbkdf2Async( + input.password, + HASH_SALT, + HASH_ITERATIONS, + HASH_KEYLEN, + HASH_DIGEST ) + + return timingSafeEqual(inputPasswordHash, TARGET_PASSWORD_HASH) } export function createAdminSessionCookieValue(): string { diff --git a/packages/web/src/lib/server/env.ts b/packages/web/src/lib/server/env.ts index 86ed9a3..6bdf299 100644 --- a/packages/web/src/lib/server/env.ts +++ b/packages/web/src/lib/server/env.ts @@ -5,6 +5,8 @@ const EnvSchema = z.object({ DATABASE_URL: z.string().min(1), DIRECT_URL: z.string().min(1), JWT_SECRET: z.string().min(32), + ADMIN_USERNAME: z.string().trim().min(1), + ADMIN_PASSWORD: z.string().trim().min(8), }) export const env = EnvSchema.parse(process.env)