apply security audit

backend/src/controllers/auth.controller.ts

@@ -1,11 +1,12 @@
 import { Request, Response } from 'express';
+import { z } from 'zod';
 import authentikService from '../services/authentik.service';
 import tokenService from '../services/token.service';
 import userService from '../services/user.service';
 import logger from '../utils/logger';
-import { AuthRequest } from '../types/auth.types';
 import auditService, { AuditAction, AuditResourceType } from '../services/audit.service';
 import { extractIp, extractUserAgent } from '../middleware/audit.middleware';
+import { getUserRole } from '../middleware/rbac.middleware';
 
 /**
  * Extract given_name and family_name from Authentik userinfo.
@@ -60,10 +61,13 @@ class AuthController {
     const userAgent = extractUserAgent(req);
 
     try {
-      const { code } = req.body as AuthRequest;
+      const callbackSchema = z.object({
+        code: z.string().min(1),
+        redirect_uri: z.string().url().optional(),
+      });
 
-      // Validate code
-      if (!code) {
+      const parseResult = callbackSchema.safeParse(req.body);
+      if (!parseResult.success) {
         res.status(400).json({
           success: false,
           message: 'Authorization code is required',
@@ -71,6 +75,8 @@ class AuthController {
         return;
       }
 
+      const { code } = parseResult.data;
+
       logger.info('Processing OAuth callback', { hasCode: !!code });
 
       // Step 1: Exchange code for tokens
@@ -83,9 +89,9 @@ class AuthController {
       // Step 3: Verify ID token if present
       if (tokens.id_token) {
         try {
-          authentikService.verifyIdToken(tokens.id_token);
+          await authentikService.verifyIdToken(tokens.id_token);
         } catch (error) {
-          logger.warn('ID token verification failed', { error });
+          logger.warn('ID token verification failed — continuing with userinfo', { error });
         }
       }
 
@@ -190,11 +196,13 @@ class AuthController {
       }
 
       // Step 5: Generate internal JWT token
+      const role = await getUserRole(user.id);
       const accessToken = tokenService.generateToken({
         userId:       user.id,
         email:        user.email,
         authentikSub: user.authentik_sub,
         groups,
+        role,
       });
 
       // Generate refresh token
@@ -309,9 +317,12 @@ class AuthController {
    */
   async handleRefresh(req: Request, res: Response): Promise<void> {
     try {
-      const { refreshToken } = req.body;
+      const refreshSchema = z.object({
+        refreshToken: z.string().min(1),
+      });
 
-      if (!refreshToken) {
+      const parseResult = refreshSchema.safeParse(req.body);
+      if (!parseResult.success) {
         res.status(400).json({
           success: false,
           message: 'Refresh token is required',
@@ -319,6 +330,8 @@ class AuthController {
         return;
       }
 
+      const { refreshToken } = parseResult.data;
+
       // Verify refresh token
       let decoded;
       try {
@@ -358,10 +371,12 @@ class AuthController {
       }
 
       // Generate new access token
+      const role = await getUserRole(user.id);
       const accessToken = tokenService.generateToken({
         userId:       user.id,
         email:        user.email,
         authentikSub: user.authentik_sub,
+        role,
       });
 
       logger.info('Token refreshed successfully', {