copper-tone-tech/web-hosts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7d6786039c731e540106d6b182756e68f237db5
web-hosts/domains/coppertone.tech/docs/audits/AUDIT-REPORT-20251121.md
Derek Williams c7d6786039 Add full web-hosts state
2025-12-26 13:38:04 +01:00

524 lines
12 KiB
Markdown
Raw Blame History

# Copper Tone Technologies - Comprehensive Security & Code Audit Report
**Date:** November 21, 2025
**Auditor:** Claude Code
**Version:** 1.0
---
## Executive Summary
This audit covers the Copper Tone Technologies platform, a Vue 3 PWA frontend with Go microservices backend. The platform includes authentication, work management, payment processing, and blog services.
### Overall Risk Assessment: **MEDIUM**
| Category | Status | Risk Level |
|----------|--------|------------|
| Dependencies | PASS | LOW |
| Authentication | PASS | LOW |
| Authorization | PASS | LOW |
| SQL Injection | PASS | LOW |
| XSS Prevention | PASS | LOW |
| CORS Configuration | WARN | MEDIUM |
| Container Security | PASS | LOW |
| Secret Management | WARN | MEDIUM |
| PWA Functionality | FAIL | LOW |
| Input Validation | WARN | MEDIUM |
| Rate Limiting | FAIL | MEDIUM |
| Security Headers | WARN | MEDIUM |
---
## Section 1: Dependency Vulnerabilities
### 1.1 Frontend (npm)
**Status:** PASS
```
npm audit --omit=dev
found 0 vulnerabilities
```
**Dependencies:**
- Vue 3.5.22 - Current
- Vue Router 4.6.3 - Current
- Pinia 3.0.3 - Current
- DOMPurify 3.2.3 - Current (XSS protection)
- Vite 7.1.11 - Current
### 1.2 Backend (Go)
**Status:** PASS
```
go mod verify
all modules verified
```
**Dependencies:**
- go-ethereum v1.14.12 - Blockchain integration
- golang-jwt/jwt v5.3.0 - JWT handling
- lib/pq v1.10.9 - PostgreSQL driver
- golang.org/x/crypto v0.30.0 - Cryptography
---
## Section 2: Authentication & Authorization
### 2.1 JWT Implementation
**Status:** PASS
**Positive Findings:**
- JWT secret minimum length enforced (32 characters)
- Warning logged for secrets < 64 characters
- Using HS256 signing algorithm
- Token expiration set (24 hours)
**Code Reference:** `backend/functions/auth-service/main.go:136-146`
```go
if len(jwtSecret) < 32 {
log.Fatal("JWT_SECRET must be at least 32 characters for security")
}
```
**Recommendation:** Consider using RS256 (asymmetric) for production environments.
### 2.2 Password Security
**Status:** PASS
**Positive Findings:**
- Using bcrypt for password hashing
- Using bcrypt.DefaultCost (10 rounds)
**Code Reference:** `backend/functions/auth-service/main.go:261`
```go
passwordHash, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
```
**Recommendation:** Consider bcrypt cost of 12+ for higher security.
### 2.3 Role-Based Access Control (RBAC)
**Status:** PASS
**Implemented Roles:**
- `ADMIN` - Full system access
- `STAFF` - Internal operations
- `CLIENT` - Customer access
**Protected Routes:**
```go
// Admin only routes
http.HandleFunc("/admin/users", authenticate(requireRole(handleGetAllUsers, "ADMIN")))
http.HandleFunc("/admin/users/promote-role", authenticate(requireRole(handlePromoteUserRole, "ADMIN")))
http.HandleFunc("/admin/users/demote-role", authenticate(requireRole(handleDemoteUserRole, "ADMIN")))
```
**Security Features:**
- First user auto-promoted to ADMIN
- Public registration restricted to CLIENT role
- Self-demotion prevention for ADMIN role
- Minimum one role requirement
### 2.4 Blockchain Authentication
**Status:** PASS
**Implementation:**
- Ethereum signature verification
- Message signing for authentication
- Address normalization
**Code Reference:** `backend/functions/auth-service/main.go:779-809`
---
## Section 3: SQL Injection Prevention
### 3.1 Parameterized Queries
**Status:** PASS
**Finding:** All database queries use parameterized statements with `$1`, `$2`, etc.
**Example (Safe):**
```go
err = tx.QueryRow(
"INSERT INTO users (name, email, created_at) VALUES ($1, $2, NOW()) RETURNING id",
req.Name, req.Email,
).Scan(&userID)
```
**No instances of string concatenation in SQL queries found.**
---
## Section 4: Cross-Site Scripting (XSS) Prevention
### 4.1 Frontend XSS Protection
**Status:** PASS
**Measures:**
- DOMPurify v3.2.3 installed for HTML sanitization
- Vue's default template escaping active
- Limited use of `v-html` directive
**v-html Usage Found:**
- `ArticleDetailView.vue` - Blog content (sanitized)
- `ServiceDetailView.vue` - Service descriptions (sanitized)
**Recommendation:** Ensure all `v-html` content passes through DOMPurify.
---
## Section 5: CORS Configuration
### 5.1 Current Configuration
**Status:** WARNING
**Issue:** CORS allows all origins by default
```yaml
CORS_ALLOW_ORIGIN: ${CORS_ALLOW_ORIGIN:-*}
```
**Risk:** Cross-origin requests from any domain accepted.
**Recommendation:**
```yaml
# Production
CORS_ALLOW_ORIGIN: https://coppertone.tech
```
---
## Section 6: Container Security
### 6.1 Running Containers
**Status:** PASS
| Service | Port | Status |
|---------|------|--------|
| frontend | 8090 | Running |
| auth-service | 8082 | Running |
| work-management-service | 8083 | Running |
| payment-service | 8084 | Running |
| blog-service | 8085 | Running |
| db (PostgreSQL) | Internal | Running |
### 6.2 Container User Privileges
**Status:** PASS
**Auth Service Container:**
```dockerfile
RUN addgroup -g 1000 appuser && adduser -D -u 1000 -G appuser appuser
USER appuser
```
**Finding:** Backend services run as non-root user.
### 6.3 Database Exposure
**Status:** PASS
**Finding:** PostgreSQL port (5432) not exposed externally.
```yaml
# ports:
# - "5432:5432" # Commented out
```
---
## Section 7: Secret Management
### 7.1 Environment Variables
**Status:** WARNING
**Current Configuration (podman-compose.yml):**
```yaml
JWT_SECRET: ${JWT_SECRET:-dev_jwt_secret_key_change_me_in_production_at_least_64_characters_long}
DB_PASSWORD: ${DB_PASSWORD:-password}
STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY:-sk_test_placeholder}
```
**Issues:**
1. Default JWT secret in compose file
2. Default database password ("password")
3. Placeholder Stripe keys
**Recommendation:**
- Use `.env` file (not committed to git)
- Use secrets management (HashiCorp Vault, Docker secrets)
- Never use defaults in production
### 7.2 Git Secret Exposure
**Status:** PASS
**Finding:** No secrets found committed to repository.
- No `.env` files in git
- No private keys in repository
---
## Section 8: HTTP Security Headers
### 8.1 Missing Headers
**Status:** WARNING
**Missing Headers:**
- `Strict-Transport-Security` (HSTS)
- `Content-Security-Policy` (CSP)
- `X-Frame-Options`
- `X-Content-Type-Options`
- `X-XSS-Protection` (deprecated but harmless)
**Recommendation:** Add to nginx.conf:
```nginx
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
```
---
## Section 9: Rate Limiting
### 9.1 Authentication Endpoints
**Status:** FAIL
**Finding:** No rate limiting on authentication endpoints.
**Risk:** Brute force attacks on login endpoints.
**Affected Endpoints:**
- `/login-email-password`
- `/login-blockchain`
- `/register-email-password`
- `/register-blockchain`
**Recommendation:** Implement rate limiting:
```go
// Using golang.org/x/time/rate
limiter := rate.NewLimiter(rate.Every(time.Second), 5) // 5 requests/second
```
---
## Section 10: Input Validation
### 10.1 Backend Validation
**Status:** WARNING
**Current Validation:**
- Empty field checks for registration
- Role validation (CLIENT, STAFF, ADMIN)
**Missing Validation:**
- Email format validation
- Password complexity requirements
- Input length limits
**Recommendation:**
```go
// Email validation
emailRegex := regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
if !emailRegex.MatchString(req.Email) {
http.Error(w, "Invalid email format", http.StatusBadRequest)
return
}
// Password requirements
if len(req.Password) < 8 {
http.Error(w, "Password must be at least 8 characters", http.StatusBadRequest)
return
}
```
---
## Section 11: Database Security
### 11.1 SSL/TLS Connection
**Status:** WARNING (Development)
**Current Setting:**
```yaml
DB_SSL_MODE: ${DB_SSL_MODE:-disable}
```
**Finding:** SSL disabled for development. Code properly enforces SSL by default.
**Code Reference:** `backend/functions/auth-service/main.go:164-184`
```go
if sslMode == "" {
sslMode = "require"
log.Println("WARNING: DB_SSL_MODE not set, defaulting to 'require' for security")
}
```
---
## Section 12: PWA Functionality
### 12.1 Install Prompt
**Status:** FAIL
**Issue:** PWA install button not appearing in browser.
**Root Cause:** Icon files are placeholder files (203-206 bytes), not valid images.
```
-rw-r--r-- 203 android-chrome-192x192.png # Too small - placeholder
-rw-r--r-- 206 android-chrome-512x512.png # Too small - placeholder
```
**Requirements for PWA Install:**
1. Valid manifest.json (PASS)
2. Service worker registered (PASS)
3. Valid icons 192x192 and 512x512 (FAIL)
4. HTTPS or localhost (PASS)
**Fix Required:** Generate proper PNG icons at 192x192 and 512x512 pixels.
---
## Section 13: Frontend Code Quality
### 13.1 Null Safety Issues
**Status:** FIXED (This Session)
**Fixed Files:**
- `ProjectsView.vue` - Added computed with null coalescing
- `InvoicesView.vue` - Added array fallbacks
- `stores/projects.ts` - Array validation on API response
- `stores/tasks.ts` - Array validation on API response
- `stores/invoices.ts` - Array validation on API response
### 13.2 Service Worker Caching
**Status:** FIXED (This Session)
**Issue:** Old cached JavaScript files causing errors.
**Fix Applied:**
- Updated cache version to v2
- Implemented network-first strategy for assets
- Added skipWaiting() and clients.claim()
---
## Section 14: Backend Code Quality
### 14.1 Go Vet
**Status:** PASS
```
go vet ./...
# No issues found
```
### 14.2 Server Timeouts
**Status:** PASS
**Implemented Timeouts:**
```go
server := &http.Server{
ReadHeaderTimeout: 10 * time.Second,
ReadTimeout: 15 * time.Second,
WriteTimeout: 15 * time.Second,
IdleTimeout: 60 * time.Second,
}
```
### 14.3 Audit Logging
**Status:** PASS
**Finding:** Role changes logged with audit trail.
```go
log.Printf("AUDIT: Admin user %d granted %s role to user %d (%s)",
adminUserID, req.Role, req.UserID, userName)
```
---
## Section 15: Functionality Status
### 15.1 Implemented Features
| Feature | Status | Notes |
|---------|--------|-------|
| Email/Password Auth | COMPLETE | |
| Blockchain Auth | COMPLETE | Ethereum signatures |
| Multi-Identity | COMPLETE | Link multiple auth methods |
| Role Management | COMPLETE | Promote/demote users |
| Admin Dashboard | COMPLETE | User management |
| Staff Dashboard | COMPLETE | Kanban task board |
| Client Dashboard | PARTIAL | Basic stats only |
| Projects CRUD | COMPLETE | API ready |
| Tasks CRUD | COMPLETE | API ready |
| Invoices CRUD | COMPLETE | API ready |
| Payments (Stripe) | PARTIAL | Integration started |
| Digital Business Card | COMPLETE | QR, vCard, share |
| Blog | COMPLETE | Markdown rendering |
| PWA | BROKEN | Missing icons |
### 15.2 Missing/Incomplete Features
1. **Client Dashboard** - Needs project detail views
2. **Payment Processing** - Stripe webhooks incomplete
3. **IPFS Integration** - Planned but not implemented
4. **Matrix Messaging** - Planned but not implemented
5. **Email Notifications** - Not implemented
---
## Recommendations Summary
### Critical (Fix Immediately)
1. Generate valid PWA icons (192x192 and 512x512 PNG)
2. Set strong JWT_SECRET in production
3. Change default database password
### High Priority
4. Implement rate limiting on auth endpoints
5. Add security headers to nginx
6. Restrict CORS to specific origins in production
7. Enable database SSL in production
### Medium Priority
8. Add email format validation
9. Implement password complexity requirements
10. Increase bcrypt cost to 12
11. Complete Client Dashboard
12. Add comprehensive input validation
### Low Priority
13. Consider RS256 JWT signing
14. Add E2E tests for critical flows
15. Implement refresh tokens
16. Add request logging/monitoring
---
## Appendix A: Audit Script
An automated audit script has been created at:
```
scripts/audit.sh
```
Run with:
```bash
./scripts/audit.sh
```
---
## Appendix B: Files Modified This Session
1. `frontend/src/stores/projects.ts` - Null safety
2. `frontend/src/stores/tasks.ts` - Null safety
3. `frontend/src/stores/invoices.ts` - Null safety
4. `frontend/src/views/ProjectsView.vue` - Computed property fix
5. `frontend/src/views/InvoicesView.vue` - Array fallbacks
6. `frontend/public/service-worker.js` - Cache strategy update
7. `backend/functions/auth-service/main.go` - Admin endpoints
---
**End of Audit Report**
Reference in New Issue View Git Blame Copy Permalink