audit: Tier 1/3/4/5/7 batch — SSE, gates, dedup, URL escape, FK constraints

Tier 1.6: S3Backend.put now sets ServerSideEncryption=AES256 — closes the cleartext-at-rest gap for signed contracts, GDPR exports, pg_dumps. Tier 3.7: New safeUrl() helper in lib/email/shell.ts. Scheme allow-list (http/https/mailto/tel/relative only — javascript:/data:/vbscript:/file: rewritten to about:blank) + HTML-attribute escape. Retrofitted across all 7 transactional templates (crm-invite, portal-auth, document-signing, notification-digest, residential-inquiry, admin-email-change). Tier 4.2: /api/v1/alerts GET now gated on admin.view_audit_log. Tier 4.3: Documenso webhook handler emits captureErrorEvent on catch. Admin/errors no longer silent on webhook crashes. Tier 4.6: Inquiry-funnel email dedup is now case-insensitive (LOWER(value)) and stores normalized email on insert. Capital-letter resubmissions no longer spawn duplicate client+yacht+interest rows. Tier 5.6 + data-model H1: migration 0056 adds FK user_permission_overrides.user_id → user(id) cascade, same for user_port_roles.userId, plus partial unique index on user_email_changes pending rows. Tier 7.6: @types/node bumped from ^25 to ^20.19.0 — matches the runtime. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 17:09:14 +02:00
parent 0baca41693
commit 16ef609e1b
16 changed files with 266 additions and 149 deletions
--- a/src/lib/db/migrations/0056_audit_hardening.sql
+++ b/src/lib/db/migrations/0056_audit_hardening.sql
@@ -0,0 +1,51 @@
+-- 0056_audit_hardening.sql
+-- ----------------------------------------------------------------------------
+-- Address several Tier-4/5 audit findings in one migration:
+--
+-- 1. user_permission_overrides.user_id had no FK at all (data-model H1).
+--    Add an explicit reference to user(id) with onDelete='cascade' so a
+--    deleted user can't leave dangling override rows.
+--
+-- 2. user_email_changes lacked a partial unique index on pending rows
+--    (concurrency H + GDPR follow-up). Without this, a malicious or
+--    confused admin can spam the email-change endpoint to generate
+--    multiple pending tokens, each emailing the operator's inbox.
+--
+-- 3. user_port_roles.userId previously had no FK either — see data-model
+--    H1. Add the same cascade.
+--
+-- Each statement is wrapped in DO blocks so the migration is replayable
+-- (idempotent) and tolerant of being run more than once.
+
+DO $$
+BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM information_schema.table_constraints
+    WHERE constraint_name = 'fk_user_permission_overrides_user'
+      AND table_name = 'user_permission_overrides'
+  ) THEN
+    ALTER TABLE user_permission_overrides
+      ADD CONSTRAINT fk_user_permission_overrides_user
+      FOREIGN KEY (user_id) REFERENCES "user"(id) ON DELETE CASCADE;
+  END IF;
+END $$;
+
+DO $$
+BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM information_schema.table_constraints
+    WHERE constraint_name = 'fk_user_port_roles_user'
+      AND table_name = 'user_port_roles'
+  ) THEN
+    ALTER TABLE user_port_roles
+      ADD CONSTRAINT fk_user_port_roles_user
+      FOREIGN KEY (user_id) REFERENCES "user"(id) ON DELETE CASCADE;
+  END IF;
+END $$;
+
+-- Partial unique index: at most one pending row per user. Pending = both
+-- `applied_at` and `cancelled_at` are NULL. Lets old / completed rows
+-- accumulate as history without ever blocking a fresh change.
+CREATE UNIQUE INDEX IF NOT EXISTS idx_user_email_changes_one_pending
+  ON user_email_changes (user_id)
+  WHERE applied_at IS NULL AND cancelled_at IS NULL;