copper-tone-tech/web-hosts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7d6786039c731e540106d6b182756e68f237db5
web-hosts/domains/coppertone.tech/docs/audits/AUDIT-REPORT-20251121.md
Derek Williams c7d6786039 Add full web-hosts state
2025-12-26 13:38:04 +01:00

12 KiB
Raw Blame History

Copper Tone Technologies - Comprehensive Security & Code Audit Report

Date: November 21, 2025 Auditor: Claude Code Version: 1.0

Executive Summary

This audit covers the Copper Tone Technologies platform, a Vue 3 PWA frontend with Go microservices backend. The platform includes authentication, work management, payment processing, and blog services.

Overall Risk Assessment: MEDIUM

Category Status Risk Level
Dependencies PASS LOW
Authentication PASS LOW
Authorization PASS LOW
SQL Injection PASS LOW
XSS Prevention PASS LOW
CORS Configuration WARN MEDIUM
Container Security PASS LOW
Secret Management WARN MEDIUM
PWA Functionality FAIL LOW
Input Validation WARN MEDIUM
Rate Limiting FAIL MEDIUM
Security Headers WARN MEDIUM

Section 1: Dependency Vulnerabilities

1.1 Frontend (npm)

Status: PASS

npm audit --omit=dev
found 0 vulnerabilities

Dependencies:

  • Vue 3.5.22 - Current
  • Vue Router 4.6.3 - Current
  • Pinia 3.0.3 - Current
  • DOMPurify 3.2.3 - Current (XSS protection)
  • Vite 7.1.11 - Current

1.2 Backend (Go)

Status: PASS

go mod verify
all modules verified

Dependencies:

  • go-ethereum v1.14.12 - Blockchain integration
  • golang-jwt/jwt v5.3.0 - JWT handling
  • lib/pq v1.10.9 - PostgreSQL driver
  • golang.org/x/crypto v0.30.0 - Cryptography

Section 2: Authentication & Authorization

2.1 JWT Implementation

Status: PASS

Positive Findings:

  • JWT secret minimum length enforced (32 characters)
  • Warning logged for secrets < 64 characters
  • Using HS256 signing algorithm
  • Token expiration set (24 hours)

Code Reference: backend/functions/auth-service/main.go:136-146

if len(jwtSecret) < 32 {
    log.Fatal("JWT_SECRET must be at least 32 characters for security")
}

Recommendation: Consider using RS256 (asymmetric) for production environments.

2.2 Password Security

Status: PASS

Positive Findings:

  • Using bcrypt for password hashing
  • Using bcrypt.DefaultCost (10 rounds)

Code Reference: backend/functions/auth-service/main.go:261

passwordHash, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)

Recommendation: Consider bcrypt cost of 12+ for higher security.

2.3 Role-Based Access Control (RBAC)

Status: PASS

Implemented Roles:

  • ADMIN - Full system access
  • STAFF - Internal operations
  • CLIENT - Customer access

Protected Routes:

// Admin only routes
http.HandleFunc("/admin/users", authenticate(requireRole(handleGetAllUsers, "ADMIN")))
http.HandleFunc("/admin/users/promote-role", authenticate(requireRole(handlePromoteUserRole, "ADMIN")))
http.HandleFunc("/admin/users/demote-role", authenticate(requireRole(handleDemoteUserRole, "ADMIN")))

Security Features:

  • First user auto-promoted to ADMIN
  • Public registration restricted to CLIENT role
  • Self-demotion prevention for ADMIN role
  • Minimum one role requirement

2.4 Blockchain Authentication

Status: PASS

Implementation:

  • Ethereum signature verification
  • Message signing for authentication
  • Address normalization

Code Reference: backend/functions/auth-service/main.go:779-809

Section 3: SQL Injection Prevention

3.1 Parameterized Queries

Status: PASS

Finding: All database queries use parameterized statements with $1, $2, etc.

Example (Safe):

err = tx.QueryRow(
    "INSERT INTO users (name, email, created_at) VALUES ($1, $2, NOW()) RETURNING id",
    req.Name, req.Email,
).Scan(&userID)

No instances of string concatenation in SQL queries found.

Section 4: Cross-Site Scripting (XSS) Prevention

4.1 Frontend XSS Protection

Status: PASS

Measures:

  • DOMPurify v3.2.3 installed for HTML sanitization
  • Vue's default template escaping active
  • Limited use of v-html directive

v-html Usage Found:

  • ArticleDetailView.vue - Blog content (sanitized)
  • ServiceDetailView.vue - Service descriptions (sanitized)

Recommendation: Ensure all v-html content passes through DOMPurify.

Section 5: CORS Configuration

5.1 Current Configuration

Status: WARNING

Issue: CORS allows all origins by default

CORS_ALLOW_ORIGIN: ${CORS_ALLOW_ORIGIN:-*}

Risk: Cross-origin requests from any domain accepted.

Recommendation:

# Production
CORS_ALLOW_ORIGIN: https://coppertone.tech

Section 6: Container Security

6.1 Running Containers

Status: PASS

Service Port Status
frontend 8090 Running
auth-service 8082 Running
work-management-service 8083 Running
payment-service 8084 Running
blog-service 8085 Running
db (PostgreSQL) Internal Running

6.2 Container User Privileges

Status: PASS

Auth Service Container:

RUN addgroup -g 1000 appuser && adduser -D -u 1000 -G appuser appuser
USER appuser

Finding: Backend services run as non-root user.

6.3 Database Exposure

Status: PASS

Finding: PostgreSQL port (5432) not exposed externally.

# ports:
#   - "5432:5432"  # Commented out

Section 7: Secret Management

7.1 Environment Variables

Status: WARNING

Current Configuration (podman-compose.yml):

JWT_SECRET: ${JWT_SECRET:-dev_jwt_secret_key_change_me_in_production_at_least_64_characters_long}
DB_PASSWORD: ${DB_PASSWORD:-password}
STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY:-sk_test_placeholder}

Issues:

  1. Default JWT secret in compose file
  2. Default database password ("password")
  3. Placeholder Stripe keys

Recommendation:

  • Use .env file (not committed to git)
  • Use secrets management (HashiCorp Vault, Docker secrets)
  • Never use defaults in production

7.2 Git Secret Exposure

Status: PASS

Finding: No secrets found committed to repository.

  • No .env files in git
  • No private keys in repository

Section 8: HTTP Security Headers

8.1 Missing Headers

Status: WARNING

Missing Headers:

  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection (deprecated but harmless)

Recommendation: Add to nginx.conf:

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

Section 9: Rate Limiting

9.1 Authentication Endpoints

Status: FAIL

Finding: No rate limiting on authentication endpoints.

Risk: Brute force attacks on login endpoints.

Affected Endpoints:

  • /login-email-password
  • /login-blockchain
  • /register-email-password
  • /register-blockchain

Recommendation: Implement rate limiting:

// Using golang.org/x/time/rate
limiter := rate.NewLimiter(rate.Every(time.Second), 5) // 5 requests/second

Section 10: Input Validation

10.1 Backend Validation

Status: WARNING

Current Validation:

  • Empty field checks for registration
  • Role validation (CLIENT, STAFF, ADMIN)

Missing Validation:

  • Email format validation
  • Password complexity requirements
  • Input length limits

Recommendation:

// Email validation
emailRegex := regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
if !emailRegex.MatchString(req.Email) {
    http.Error(w, "Invalid email format", http.StatusBadRequest)
    return
}

// Password requirements
if len(req.Password) < 8 {
    http.Error(w, "Password must be at least 8 characters", http.StatusBadRequest)
    return
}

Section 11: Database Security

11.1 SSL/TLS Connection

Status: WARNING (Development)

Current Setting:

DB_SSL_MODE: ${DB_SSL_MODE:-disable}

Finding: SSL disabled for development. Code properly enforces SSL by default.

Code Reference: backend/functions/auth-service/main.go:164-184

if sslMode == "" {
    sslMode = "require"
    log.Println("WARNING: DB_SSL_MODE not set, defaulting to 'require' for security")
}

Section 12: PWA Functionality

12.1 Install Prompt

Status: FAIL

Issue: PWA install button not appearing in browser.

Root Cause: Icon files are placeholder files (203-206 bytes), not valid images.

-rw-r--r-- 203 android-chrome-192x192.png  # Too small - placeholder
-rw-r--r-- 206 android-chrome-512x512.png  # Too small - placeholder

Requirements for PWA Install:

  1. Valid manifest.json (PASS)
  2. Service worker registered (PASS)
  3. Valid icons 192x192 and 512x512 (FAIL)
  4. HTTPS or localhost (PASS)

Fix Required: Generate proper PNG icons at 192x192 and 512x512 pixels.

Section 13: Frontend Code Quality

13.1 Null Safety Issues

Status: FIXED (This Session)

Fixed Files:

  • ProjectsView.vue - Added computed with null coalescing
  • InvoicesView.vue - Added array fallbacks
  • stores/projects.ts - Array validation on API response
  • stores/tasks.ts - Array validation on API response
  • stores/invoices.ts - Array validation on API response

13.2 Service Worker Caching

Status: FIXED (This Session)

Issue: Old cached JavaScript files causing errors.

Fix Applied:

  • Updated cache version to v2
  • Implemented network-first strategy for assets
  • Added skipWaiting() and clients.claim()

Section 14: Backend Code Quality

14.1 Go Vet

Status: PASS

go vet ./...
# No issues found

14.2 Server Timeouts

Status: PASS

Implemented Timeouts:

server := &http.Server{
    ReadHeaderTimeout: 10 * time.Second,
    ReadTimeout:       15 * time.Second,
    WriteTimeout:      15 * time.Second,
    IdleTimeout:       60 * time.Second,
}

14.3 Audit Logging

Status: PASS

Finding: Role changes logged with audit trail.

log.Printf("AUDIT: Admin user %d granted %s role to user %d (%s)",
    adminUserID, req.Role, req.UserID, userName)

Section 15: Functionality Status

15.1 Implemented Features

Feature Status Notes
Email/Password Auth COMPLETE
Blockchain Auth COMPLETE Ethereum signatures
Multi-Identity COMPLETE Link multiple auth methods
Role Management COMPLETE Promote/demote users
Admin Dashboard COMPLETE User management
Staff Dashboard COMPLETE Kanban task board
Client Dashboard PARTIAL Basic stats only
Projects CRUD COMPLETE API ready
Tasks CRUD COMPLETE API ready
Invoices CRUD COMPLETE API ready
Payments (Stripe) PARTIAL Integration started
Digital Business Card COMPLETE QR, vCard, share
Blog COMPLETE Markdown rendering
PWA BROKEN Missing icons

15.2 Missing/Incomplete Features

  1. Client Dashboard - Needs project detail views
  2. Payment Processing - Stripe webhooks incomplete
  3. IPFS Integration - Planned but not implemented
  4. Matrix Messaging - Planned but not implemented
  5. Email Notifications - Not implemented

Recommendations Summary

Critical (Fix Immediately)

  1. Generate valid PWA icons (192x192 and 512x512 PNG)
  2. Set strong JWT_SECRET in production
  3. Change default database password

High Priority

  1. Implement rate limiting on auth endpoints
  2. Add security headers to nginx
  3. Restrict CORS to specific origins in production
  4. Enable database SSL in production

Medium Priority

  1. Add email format validation
  2. Implement password complexity requirements
  3. Increase bcrypt cost to 12
  4. Complete Client Dashboard
  5. Add comprehensive input validation

Low Priority

  1. Consider RS256 JWT signing
  2. Add E2E tests for critical flows
  3. Implement refresh tokens
  4. Add request logging/monitoring

Appendix A: Audit Script

An automated audit script has been created at:

scripts/audit.sh

Run with:

./scripts/audit.sh

Appendix B: Files Modified This Session

  1. frontend/src/stores/projects.ts - Null safety
  2. frontend/src/stores/tasks.ts - Null safety
  3. frontend/src/stores/invoices.ts - Null safety
  4. frontend/src/views/ProjectsView.vue - Computed property fix
  5. frontend/src/views/InvoicesView.vue - Array fallbacks
  6. frontend/public/service-worker.js - Cache strategy update
  7. backend/functions/auth-service/main.go - Admin endpoints

End of Audit Report

Reference in New Issue View Git Blame Copy Permalink