letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
292a8b5e4a0cb8a65f5f7b7db19b0149a893ca70
pn-new-crm/src/lib/db/schema/portal.ts
Matt b2c8ed2ff1 fix(audit-wave-11): auth-flow hardening (auth-flow-auditor) 
Address the two CRITICAL items from auth-flow-auditor plus the
high-impact M10 open-redirect.

**C1 — Password reset doesn't revoke existing sessions**

CRM side: Better Auth has a built-in
`emailAndPassword.revokeSessionsOnPasswordReset` flag — flip it on.
Verified by reading password.mjs in node_modules/better-auth: this
calls `internalAdapter.deleteSessions(userId)` after the password
update commits. One-line fix, closes the canonical session-bumping
gap on the CRM forgot-password flow.

Portal side: the portal uses JWT sessions (not DB-side rows) so
there's no `deleteSessions` to call. Add a per-user
`password_changed_at` watermark column on `portal_users` and have
`verifyPortalToken` reject any token whose `iat` predates the
watermark. Updated on `resetPassword`, `changePortalPassword`, and
`activateAccount` so every password mutation revokes outstanding
cookies. Token shape gains a required `portalUserId` claim so the
verify step can do the watermark lookup without an email-based join;
legacy tokens (pre-Wave-11) lack it and are rejected → forces one
re-login per portal user post-deploy (24h max delay since portal
tokens already self-expire at 24h).

Migration `0058_portal_password_revocation.sql` stamps existing
rows to `now()` so no current session is invalidated by the schema
change itself.

**M10 — Portal login `?next=` open redirect**

`portal/login/page.tsx` did `router.replace(next as never)` against
unvalidated `searchParams.get('next')`. An attacker could send a
victim to `/portal/login?next=https://evil.example` and the post-sign-in
redirect would navigate cross-site. Add `safeNextPath()` that requires
`/portal/...` prefix and rejects protocol-relative URLs; everything
else falls back to `/portal/dashboard`.

**Other auth-flow items confirmed resolved by earlier waves:**
- H6 resolve-identifier enumeration: endpoint deleted in Wave 1
  (replaced with sign-in-by-identifier which keeps the synthetic
  email behind a server-side proxy)

Tests updated: portal-auth integration test mocks `db` so the new
DB-watermark lookup in `verifyPortalToken` stays unit-pure.

Tests 1315/1315 after `psql ALTER TABLE` to apply migration locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:52:17 +02:00

88 lines
3.4 KiB
TypeScript
Raw Blame History

import { pgTable, text, boolean, timestamp, index, uniqueIndex } from 'drizzle-orm/pg-core';
import { ports } from './ports';
import { clients } from './clients';
/**
* Portal users - one per client account that's been invited to the client
* portal. Separate from the CRM `users` table (managed by better-auth) so the
* authentication realms stay isolated.
*
* Created by an admin from the client detail page; the admin's invite mails
* an activation token that lets the client set their own password.
*/
export const portalUsers = pgTable(
'portal_users',
{
id: text('id')
.primaryKey()
.$defaultFn(() => crypto.randomUUID()),
portId: text('port_id')
.notNull()
.references(() => ports.id),
clientId: text('client_id')
.notNull()
.references(() => clients.id, { onDelete: 'cascade' }),
email: text('email').notNull(),
/**
* scrypt-hashed password. Format: `salt:keyHex` (both base64url). Null
* until the user activates their account.
*/
passwordHash: text('password_hash'),
/**
* Watermark for JWT-session revocation on password change. Any
* `verifyPortalToken` call where the JWT's `iat` is older than this
* value rejects the token even if it's otherwise valid. Updated on
* `resetPassword`, `activateAccount`, and `changePortalPassword` so
* a stolen cookie stops working after the legitimate owner does the
* forgot-password / change-password dance. auth-flow-auditor C1.
*/
passwordChangedAt: timestamp('password_changed_at', { withTimezone: true })
.notNull()
.defaultNow(),
name: text('name'),
isActive: boolean('is_active').notNull().default(true),
lastLoginAt: timestamp('last_login_at', { withTimezone: true }),
createdBy: text('created_by').notNull(),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
},
(table) => [
uniqueIndex('idx_portal_users_email_unique').on(table.email),
index('idx_portal_users_client').on(table.clientId),
index('idx_portal_users_port').on(table.portId),
],
);
/**
* Single-use tokens for portal-account activation and password reset.
*
* `tokenHash` is a SHA-256 hash of the raw token sent in the email. Lookups
* happen by hash so a DB compromise never leaks active tokens.
*/
export const portalAuthTokens = pgTable(
'portal_auth_tokens',
{
id: text('id')
.primaryKey()
.$defaultFn(() => crypto.randomUUID()),
portalUserId: text('portal_user_id')
.notNull()
.references(() => portalUsers.id, { onDelete: 'cascade' }),
tokenHash: text('token_hash').notNull(),
type: text('type').notNull(), // 'activation' | 'reset'
expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
usedAt: timestamp('used_at', { withTimezone: true }),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
},
(table) => [
uniqueIndex('idx_portal_tokens_hash_unique').on(table.tokenHash),
index('idx_portal_tokens_user').on(table.portalUserId),
],
);
export type PortalUser = typeof portalUsers.$inferSelect;
export type NewPortalUser = typeof portalUsers.$inferInsert;
export type PortalAuthToken = typeof portalAuthTokens.$inferSelect;
export type NewPortalAuthToken = typeof portalAuthTokens.$inferInsert;
Reference in New Issue View Git Blame Copy Permalink