fix(audit-wave-11): auth-flow hardening (auth-flow-auditor)

Address the two CRITICAL items from auth-flow-auditor plus the
high-impact M10 open-redirect.

**C1 — Password reset doesn't revoke existing sessions**

CRM side: Better Auth has a built-in
`emailAndPassword.revokeSessionsOnPasswordReset` flag — flip it on.
Verified by reading password.mjs in node_modules/better-auth: this
calls `internalAdapter.deleteSessions(userId)` after the password
update commits. One-line fix, closes the canonical session-bumping
gap on the CRM forgot-password flow.

Portal side: the portal uses JWT sessions (not DB-side rows) so
there's no `deleteSessions` to call. Add a per-user
`password_changed_at` watermark column on `portal_users` and have
`verifyPortalToken` reject any token whose `iat` predates the
watermark. Updated on `resetPassword`, `changePortalPassword`, and
`activateAccount` so every password mutation revokes outstanding
cookies. Token shape gains a required `portalUserId` claim so the
verify step can do the watermark lookup without an email-based join;
legacy tokens (pre-Wave-11) lack it and are rejected → forces one
re-login per portal user post-deploy (24h max delay since portal
tokens already self-expire at 24h).

Migration `0058_portal_password_revocation.sql` stamps existing
rows to `now()` so no current session is invalidated by the schema
change itself.

**M10 — Portal login `?next=` open redirect**

`portal/login/page.tsx` did `router.replace(next as never)` against
unvalidated `searchParams.get('next')`. An attacker could send a
victim to `/portal/login?next=https://evil.example` and the post-sign-in
redirect would navigate cross-site. Add `safeNextPath()` that requires
`/portal/...` prefix and rejects protocol-relative URLs; everything
else falls back to `/portal/dashboard`.

**Other auth-flow items confirmed resolved by earlier waves:**
- H6 resolve-identifier enumeration: endpoint deleted in Wave 1
  (replaced with sign-in-by-identifier which keeps the synthetic
  email behind a server-side proxy)

Tests updated: portal-auth integration test mocks `db` so the new
DB-watermark lookup in `verifyPortalToken` stays unit-pure.

Tests 1315/1315 after `psql ALTER TABLE` to apply migration locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/(portal)/portal/login/page.tsx

@@ -10,10 +10,27 @@ import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
 import { BrandedAuthShell } from '@/components/shared/branded-auth-shell';
 
+/**
+ * Validate the `?next=` post-login redirect target. auth-flow-auditor M10:
+ * an unvalidated `next` lets `/portal/login?next=https://evil.example`
+ * navigate cross-site after sign-in. Only allow same-origin paths
+ * scoped to the portal surface — anything else falls back to the
+ * dashboard.
+ */
+function safeNextPath(raw: string | null): string {
+  const fallback = '/portal/dashboard';
+  if (!raw) return fallback;
+  // Reject absolute URLs (http://, https://, //evil.example) and
+  // protocol-relative URLs. Only `/portal/...` paths are kept.
+  if (!raw.startsWith('/portal/')) return fallback;
+  if (raw.startsWith('//')) return fallback;
+  return raw;
+}
+
 export default function PortalLoginPage() {
   const router = useRouter();
   const search = useSearchParams();
-  const next = search.get('next') ?? '/portal/dashboard';
+  const next = safeNextPath(search.get('next'));
 
   const [email, setEmail] = useState('');
   const [password, setPassword] = useState('');

src/lib/auth/index.ts

@@ -65,6 +65,12 @@ function buildAuth() {
       minPasswordLength: 9,
       // Accounts are admin-created only - no self-service email verification flow.
       requireEmailVerification: false,
+      // auth-flow-auditor C1: revoke every existing session for the user
+      // when their password is reset. Without this, a stolen cookie
+      // keeps working forever after the legitimate owner does the
+      // forgot-password dance. Better Auth flips this internally; the
+      // option below routes through `internalAdapter.deleteSessions(userId)`.
+      revokeSessionsOnPasswordReset: true,
       // Self-service password reset for CRM users. The reset link lands
       // on the existing /reset-password page (which already handles
       // better-auth's token + new-password POST). The email send goes

src/lib/db/migrations/0058_portal_password_revocation.sql

@@ -0,0 +1,11 @@
+-- auth-flow-auditor C1 (portal half): add a per-user
+-- password-change watermark so JWT sessions issued before the watermark
+-- can be rejected by `verifyPortalToken` without a global secret rotation.
+--
+-- Stamped to NOW() for existing rows so no current session is invalidated
+-- on deploy; future password resets / activations update it.
+
+ALTER TABLE portal_users
+  ADD COLUMN IF NOT EXISTS password_changed_at timestamptz NOT NULL DEFAULT now();
+
+-- No index needed: lookup is a single-row PK fetch keyed on portal_users.id.

src/lib/db/schema/portal.ts

@@ -29,6 +29,17 @@ export const portalUsers = pgTable(
      * until the user activates their account.
      */
     passwordHash: text('password_hash'),
+    /**
+     * Watermark for JWT-session revocation on password change. Any
+     * `verifyPortalToken` call where the JWT's `iat` is older than this
+     * value rejects the token even if it's otherwise valid. Updated on
+     * `resetPassword`, `activateAccount`, and `changePortalPassword` so
+     * a stolen cookie stops working after the legitimate owner does the
+     * forgot-password / change-password dance. auth-flow-auditor C1.
+     */
+    passwordChangedAt: timestamp('password_changed_at', { withTimezone: true })
+      .notNull()
+      .defaultNow(),
     name: text('name'),
     isActive: boolean('is_active').notNull().default(true),
     lastLoginAt: timestamp('last_login_at', { withTimezone: true }),

src/lib/portal/auth.ts

@@ -1,5 +1,9 @@
 import { SignJWT, jwtVerify } from 'jose';
 import { cookies } from 'next/headers';
+import { eq } from 'drizzle-orm';
+
+import { db } from '@/lib/db';
+import { portalUsers } from '@/lib/db/schema/portal';
 
 const PORTAL_SECRET = new TextEncoder().encode(process.env.BETTER_AUTH_SECRET);
 export const PORTAL_COOKIE = 'portal_session';
@@ -14,6 +18,10 @@ export interface PortalSession {
   clientId: string;
   portId: string;
   email: string;
+  /** Portal user id — needed by verifyPortalToken to fetch
+   *  passwordChangedAt for the iat-vs-watermark check. Mirrors what
+   *  `portalUsers.id` resolves to. */
+  portalUserId: string;
 }
 
 export async function createPortalToken(session: PortalSession): Promise<string> {
@@ -32,7 +40,25 @@ export async function verifyPortalToken(token: string): Promise<PortalSession |
       audience: PORTAL_AUD,
       issuer: PORTAL_ISS,
     });
-    return payload as unknown as PortalSession;
+    const session = payload as unknown as PortalSession & { iat?: number };
+
+    // auth-flow-auditor C1 (portal half): reject tokens issued before
+    // the user's last password change so a stolen cookie stops working
+    // after the legitimate owner does the forgot-password dance. The
+    // portalUserId claim is required for the lookup; tokens issued by
+    // the pre-C1 codepath lack it and are rejected on that grounds
+    // alone (forces re-login post-deploy, 24h max delay).
+    if (!session.portalUserId || !session.iat) return null;
+    const user = await db.query.portalUsers.findFirst({
+      where: eq(portalUsers.id, session.portalUserId),
+      columns: { passwordChangedAt: true, isActive: true },
+    });
+    if (!user || !user.isActive) return null;
+    const iatSeconds = session.iat;
+    const watermarkSeconds = Math.floor(user.passwordChangedAt.getTime() / 1000);
+    if (iatSeconds < watermarkSeconds) return null;
+
+    return session;
   } catch {
     return null;
   }

src/lib/services/portal-auth.service.ts

@@ -221,7 +221,7 @@ export async function changePortalPassword(args: {
   const passwordHash = await hashPassword(args.newPassword);
   await db
     .update(portalUsers)
-    .set({ passwordHash, updatedAt: new Date() })
+    .set({ passwordHash, passwordChangedAt: new Date(), updatedAt: new Date() })
     .where(eq(portalUsers.id, user.id));
 
   void createAuditLog({
@@ -253,7 +253,7 @@ export async function activateAccount(rawToken: string, password: string): Promi
   const passwordHash = await hashPassword(password);
   await db
     .update(portalUsers)
-    .set({ passwordHash, updatedAt: new Date() })
+    .set({ passwordHash, passwordChangedAt: new Date(), updatedAt: new Date() })
     .where(eq(portalUsers.id, tokenRow.portalUserId));
 
   void createAuditLog({
@@ -320,6 +320,7 @@ export async function signIn(args: {
   }
 
   const token = await createPortalToken({
+    portalUserId: user.id,
     clientId: user.clientId,
     portId: user.portId,
     email: user.email,
@@ -440,7 +441,7 @@ export async function resetPassword(rawToken: string, password: string): Promise
   const passwordHash = await hashPassword(password);
   await db
     .update(portalUsers)
-    .set({ passwordHash, updatedAt: new Date() })
+    .set({ passwordHash, passwordChangedAt: new Date(), updatedAt: new Date() })
     .where(eq(portalUsers.id, tokenRow.portalUserId));
 
   void createAuditLog({

tests/integration/portal-auth.test.ts

@@ -6,15 +6,37 @@
  * Without these claims the CRM (better-auth) and portal sessions are
  * structurally identical, so a portal token could be replayed against any
  * `verifyPortalToken` consumer (and vice versa).
+ *
+ * The post-Wave-11 `verifyPortalToken` also does a DB lookup for the
+ * portal user's password-change watermark (auth-flow-auditor C1). Mock
+ * `@/lib/db` so these tests stay unit-pure and don't need a seeded
+ * portal_users row.
  */
-import { describe, expect, it } from 'vitest';
+import { describe, expect, it, vi } from 'vitest';
 import { SignJWT } from 'jose';
 
-import { createPortalToken, verifyPortalToken } from '@/lib/portal/auth';
+const PORTAL_USER_ID = '33333333-3333-3333-3333-333333333333';
+
+vi.mock('@/lib/db', () => ({
+  db: {
+    query: {
+      portalUsers: {
+        findFirst: vi.fn(async () => ({
+          // Watermark in the past so iat (≈ now) is later.
+          passwordChangedAt: new Date(Date.now() - 60_000),
+          isActive: true,
+        })),
+      },
+    },
+  },
+}));
+
+const { createPortalToken, verifyPortalToken } = await import('@/lib/portal/auth');
 
 const SECRET = new TextEncoder().encode(process.env.BETTER_AUTH_SECRET);
 
 const SESSION = {
+  portalUserId: PORTAL_USER_ID,
   clientId: '11111111-1111-1111-1111-111111111111',
   portId: '22222222-2222-2222-2222-222222222222',
   email: 'client@example.com',