fix(audit-wave-11): auth-flow hardening (auth-flow-auditor)

Address the two CRITICAL items from auth-flow-auditor plus the high-impact M10 open-redirect. **C1 — Password reset doesn't revoke existing sessions** CRM side: Better Auth has a built-in `emailAndPassword.revokeSessionsOnPasswordReset` flag — flip it on. Verified by reading password.mjs in node_modules/better-auth: this calls `internalAdapter.deleteSessions(userId)` after the password update commits. One-line fix, closes the canonical session-bumping gap on the CRM forgot-password flow. Portal side: the portal uses JWT sessions (not DB-side rows) so there's no `deleteSessions` to call. Add a per-user `password_changed_at` watermark column on `portal_users` and have `verifyPortalToken` reject any token whose `iat` predates the watermark. Updated on `resetPassword`, `changePortalPassword`, and `activateAccount` so every password mutation revokes outstanding cookies. Token shape gains a required `portalUserId` claim so the verify step can do the watermark lookup without an email-based join; legacy tokens (pre-Wave-11) lack it and are rejected → forces one re-login per portal user post-deploy (24h max delay since portal tokens already self-expire at 24h). Migration `0058_portal_password_revocation.sql` stamps existing rows to `now()` so no current session is invalidated by the schema change itself. **M10 — Portal login `?next=` open redirect** `portal/login/page.tsx` did `router.replace(next as never)` against unvalidated `searchParams.get('next')`. An attacker could send a victim to `/portal/login?next=https://evil.example` and the post-sign-in redirect would navigate cross-site. Add `safeNextPath()` that requires `/portal/...` prefix and rejects protocol-relative URLs; everything else falls back to `/portal/dashboard`. **Other auth-flow items confirmed resolved by earlier waves:** - H6 resolve-identifier enumeration: endpoint deleted in Wave 1 (replaced with sign-in-by-identifier which keeps the synthetic email behind a server-side proxy) Tests updated: portal-auth integration test mocks `db` so the new DB-watermark lookup in `verifyPortalToken` stays unit-pure. Tests 1315/1315 after `psql ALTER TABLE` to apply migration locally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:52:17 +02:00
parent bc54ea2c3e
commit b2c8ed2ff1
7 changed files with 101 additions and 7 deletions
--- a/tests/integration/portal-auth.test.ts
+++ b/tests/integration/portal-auth.test.ts
@@ -6,15 +6,37 @@
 * Without these claims the CRM (better-auth) and portal sessions are
 * structurally identical, so a portal token could be replayed against any
 * `verifyPortalToken` consumer (and vice versa).
+ *
+ * The post-Wave-11 `verifyPortalToken` also does a DB lookup for the
+ * portal user's password-change watermark (auth-flow-auditor C1). Mock
+ * `@/lib/db` so these tests stay unit-pure and don't need a seeded
+ * portal_users row.
 */
-import { describe, expect, it } from 'vitest';
+import { describe, expect, it, vi } from 'vitest';
 import { SignJWT } from 'jose';

-import { createPortalToken, verifyPortalToken } from '@/lib/portal/auth';
+const PORTAL_USER_ID = '33333333-3333-3333-3333-333333333333';
+
+vi.mock('@/lib/db', () => ({
+  db: {
+    query: {
+      portalUsers: {
+        findFirst: vi.fn(async () => ({
+          // Watermark in the past so iat (≈ now) is later.
+          passwordChangedAt: new Date(Date.now() - 60_000),
+          isActive: true,
+        })),
+      },
+    },
+  },
+}));
+
+const { createPortalToken, verifyPortalToken } = await import('@/lib/portal/auth');

 const SECRET = new TextEncoder().encode(process.env.BETTER_AUTH_SECRET);

 const SESSION = {
+  portalUserId: PORTAL_USER_ID,
  clientId: '11111111-1111-1111-1111-111111111111',
  portId: '22222222-2222-2222-2222-222222222222',
  email: 'client@example.com',