matthias/dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: matthias:e9463c1c66c0473d0e2e2c14846e22c61f3d0290
Branches Tags
matthias:main
..
compare: matthias:3c9b7d3446591db18ecba61a3a7cc3a33b2aaf66
Branches Tags
matthias:main

2 Commits
e9463c1c66 ... 3c9b7d3446

Author SHA1 Message Date
Matthias Hochmeister
3c9b7d3446 apply security audit 2026-03-11 13:51:01 +01:00
Matthias Hochmeister
93a87a7ae9 apply security audit 2026-03-11 13:18:10 +01:00
35 changed files with 519 additions and 379 deletions
Expand all files Collapse all files

1
backend/package.json
View File

@@ -21,6 +21,7 @@
"express": "^5.2.1",
"express-rate-limit": "^8.2.1",
"helmet": "^8.1.0",
"jose": "^6.0.11",
"jsonwebtoken": "^9.0.3",
"pg": "^8.18.0",
"winston": "^3.19.0",

29
backend/src/config/environment.ts
View File

@@ -55,7 +55,7 @@ const environment: EnvironmentConfig = {
password: process.env.DB_PASSWORD || 'dev_password',
},
jwt: {
secret: process.env.JWT_SECRET || 'your-secret-key-change-in-production',
secret: process.env.JWT_SECRET || '',
expiresIn: process.env.JWT_EXPIRES_IN || '24h',
},
cors: {
@@ -83,4 +83,31 @@ const environment: EnvironmentConfig = {
},
};
function validateEnvironment(env: EnvironmentConfig): void {
const secret = env.jwt.secret;
if (!secret) {
throw new Error(
'FATAL: JWT_SECRET is not set. ' +
'Set a strong, random secret of at least 32 characters before starting the server.'
);
}
if (secret === 'your-secret-key-change-in-production') {
throw new Error(
'FATAL: JWT_SECRET is still set to the known weak default value. ' +
'Replace it with a strong, random secret of at least 32 characters.'
);
}
if (secret.length < 32) {
throw new Error(
`FATAL: JWT_SECRET is too short (${secret.length} characters). ` +
'A minimum of 32 characters is required.'
);
}
}
validateEnvironment(environment);
export default environment;

31
backend/src/controllers/auth.controller.ts
View File

@@ -1,11 +1,12 @@
import { Request, Response } from 'express';
import { z } from 'zod';
import authentikService from '../services/authentik.service';
import tokenService from '../services/token.service';
import userService from '../services/user.service';
import logger from '../utils/logger';
import { AuthRequest } from '../types/auth.types';
import auditService, { AuditAction, AuditResourceType } from '../services/audit.service';
import { extractIp, extractUserAgent } from '../middleware/audit.middleware';
import { getUserRole } from '../middleware/rbac.middleware';
/**
* Extract given_name and family_name from Authentik userinfo.
@@ -60,10 +61,13 @@ class AuthController {
const userAgent = extractUserAgent(req);
try {
const { code } = req.body as AuthRequest;
const callbackSchema = z.object({
code: z.string().min(1),
redirect_uri: z.string().url().optional(),
});
// Validate code
if (!code) {
const parseResult = callbackSchema.safeParse(req.body);
if (!parseResult.success) {
res.status(400).json({
success: false,
message: 'Authorization code is required',
@@ -71,6 +75,8 @@ class AuthController {
return;
}
const { code } = parseResult.data;
logger.info('Processing OAuth callback', { hasCode: !!code });
// Step 1: Exchange code for tokens
@@ -83,9 +89,9 @@ class AuthController {
// Step 3: Verify ID token if present
if (tokens.id_token) {
try {
authentikService.verifyIdToken(tokens.id_token);
await authentikService.verifyIdToken(tokens.id_token);
} catch (error) {
logger.warn('ID token verification failed', { error });
logger.warn('ID token verification failed — continuing with userinfo', { error });
}
}
@@ -190,11 +196,13 @@ class AuthController {
}
// Step 5: Generate internal JWT token
const role = await getUserRole(user.id);
const accessToken = tokenService.generateToken({
userId: user.id,
email: user.email,
authentikSub: user.authentik_sub,
groups,
role,
});
// Generate refresh token
@@ -309,9 +317,12 @@ class AuthController {
*/
async handleRefresh(req: Request, res: Response): Promise<void> {
try {
const { refreshToken } = req.body;
const refreshSchema = z.object({
refreshToken: z.string().min(1),
});
if (!refreshToken) {
const parseResult = refreshSchema.safeParse(req.body);
if (!parseResult.success) {
res.status(400).json({
success: false,
message: 'Refresh token is required',
@@ -319,6 +330,8 @@ class AuthController {
return;
}
const { refreshToken } = parseResult.data;
// Verify refresh token
let decoded;
try {
@@ -358,10 +371,12 @@ class AuthController {
}
// Generate new access token
const role = await getUserRole(user.id);
const accessToken = tokenService.generateToken({
userId: user.id,
email: user.email,
authentikSub: user.authentik_sub,
role,
});
logger.info('Token refreshed successfully', {

4
backend/src/controllers/bookstack.controller.ts
View File

@@ -28,6 +28,10 @@ class BookStackController {
res.status(400).json({ success: false, message: 'Suchbegriff fehlt' });
return;
}
if (query.trim().length > 500) {
res.status(400).json({ success: false, message: 'Suchanfrage zu lang' });
return;
}
try {
const results = await bookstackService.searchPages(query.trim());
res.status(200).json({ success: true, data: results, configured: true });

87
backend/src/middleware/auth.middleware.ts
View File

@@ -3,36 +3,6 @@ import tokenService from '../services/token.service';
import userService from '../services/user.service';
import logger from '../utils/logger';
import { JwtPayload } from '../types/auth.types';
import { auditPermissionDenied } from './audit.middleware';
import { AuditResourceType } from '../services/audit.service';
// ---------------------------------------------------------------------------
// Application roles — extend as needed when Authentik group mapping is added
// ---------------------------------------------------------------------------
export type AppRole = 'admin' | 'member' | 'viewer';
export const Permission = {
ADMIN_ACCESS: 'admin:access',
MEMBER_WRITE: 'member:write',
MEMBER_READ: 'member:read',
INCIDENT_WRITE:'incident:write',
INCIDENT_READ: 'incident:read',
EXPORT: 'export',
} as const;
export type Permission = typeof Permission[keyof typeof Permission];
// Simple permission → required role mapping.
// Adjust once Authentik group sync is implemented.
const PERMISSION_ROLES: Record<Permission, AppRole[]> = {
'admin:access': ['admin'],
'member:write': ['admin', 'member'],
'member:read': ['admin', 'member', 'viewer'],
'incident:write': ['admin', 'member'],
'incident:read': ['admin', 'member', 'viewer'],
'export': ['admin'],
};
// Extend Express Request type to include user
declare global {
@@ -42,7 +12,7 @@ declare global {
id: string; // UUID
email: string;
authentikSub: string;
role?: AppRole; // populated when role is stored in DB / JWT
role?: string; // populated when role is stored in DB / JWT
groups?: string[];
};
}
@@ -122,6 +92,7 @@ export const authenticate = async (
email: decoded.email,
authentikSub: decoded.authentikSub,
groups: decoded.groups ?? [],
role: decoded.role,
};
logger.debug('User authenticated successfully', {
@@ -139,60 +110,6 @@ export const authenticate = async (
}
};
// ---------------------------------------------------------------------------
// Role-based access control middleware
// ---------------------------------------------------------------------------
/**
* requirePermission — factory that returns Express middleware enforcing a
* specific permission. Must be placed after `authenticate` in the chain.
*
* Usage:
* router.get('/admin/audit-log', authenticate, requirePermission('admin:access'), handler);
*
* When access is denied, a PERMISSION_DENIED audit entry is written before
* the 403 response is sent.
*
* NOTE: Until Authentik group → role mapping is persisted to the users table
* or JWT, this middleware checks req.user.role. Temporary workaround:
* hard-code specific admin user IDs via the ADMIN_USER_IDS env variable, OR
* add a `role` column to the users table (recommended).
*/
export const requirePermission = (permission: Permission) => {
return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
if (!req.user) {
res.status(401).json({ success: false, message: 'Not authenticated' });
return;
}
const userRole: AppRole = req.user.role ?? 'viewer';
const allowedRoles = PERMISSION_ROLES[permission];
if (!allowedRoles.includes(userRole)) {
logger.warn('Permission denied', {
userId: req.user.id,
permission,
userRole,
path: req.path,
});
// Audit the denied access — fire-and-forget
auditPermissionDenied(req, AuditResourceType.SYSTEM, undefined, {
required_permission: permission,
user_role: userRole,
});
res.status(403).json({
success: false,
message: 'Insufficient permissions',
});
return;
}
next();
};
};
/**
* Optional authentication middleware
* Attaches user if token is valid, but doesn't require it

4
backend/src/middleware/error.middleware.ts
View File

@@ -46,9 +46,7 @@ export const errorHandler = (
res.status(500).json({
status: 'error',
message: process.env.NODE_ENV === 'production'
? 'Internal server error'
: err.message,
message: 'An internal error occurred',
});
};

23
backend/src/middleware/rbac.middleware.ts
View File

@@ -48,6 +48,19 @@ const PERMISSION_ROLE_MIN: Record<string, AppRole> = {
'admin:access': 'admin',
'audit:read': 'admin',
'audit:export': 'admin',
'members:read': 'mitglied',
'members:write': 'kommandant',
'vehicles:write': 'kommandant',
'vehicles:status': 'gruppenfuehrer',
'vehicles:delete': 'admin',
'equipment:write': 'gruppenfuehrer',
'equipment:delete': 'admin',
'events:write': 'gruppenfuehrer',
'events:categories': 'gruppenfuehrer',
'atemschutz:write': 'gruppenfuehrer',
'atemschutz:delete': 'kommandant',
'bookings:write': 'gruppenfuehrer',
'bookings:delete': 'admin',
};
function hasPermission(role: AppRole, permission: string): boolean {
@@ -103,7 +116,9 @@ export function requirePermission(permission: string) {
return;
}
const role = await getUserRole(req.user.id);
const role = (req.user as any).role
? (req.user as any).role as AppRole
: await getUserRole(req.user.id);
// Attach role to request for downstream use (e.g., bericht_text redaction)
(req as Request & { userRole?: AppRole }).userRole = role;
@@ -124,7 +139,7 @@ export function requirePermission(permission: string) {
res.status(403).json({
success: false,
message: `Keine Berechtigung: ${permission}`,
message: 'Keine Berechtigung',
});
return;
}
@@ -149,7 +164,9 @@ export function requireGroups(requiredGroups: string[]) {
return;
}
const userGroups: string[] = (req.user as any).groups ?? [];
logger.warn('DEPRECATED: requireGroups() — migrate to requirePermission()', { requiredGroups });
const userGroups: string[] = req.user?.groups ?? [];
const hasAccess = requiredGroups.some(g => userGroups.includes(g));
if (!hasAccess) {

15
backend/src/routes/atemschutz.routes.ts
View File

@@ -1,10 +1,7 @@
import { Router } from 'express';
import atemschutzController from '../controllers/atemschutz.controller';
import { authenticate } from '../middleware/auth.middleware';
import { requireGroups } from '../middleware/rbac.middleware';
const ADMIN_GROUPS = ['dashboard_admin', 'dashboard_kommando', 'dashboard_atemschutz', 'dashboard_moderator'];
const WRITE_GROUPS = ['dashboard_admin', 'dashboard_kommando', 'dashboard_atemschutz', 'dashboard_moderator'];
import { requirePermission } from '../middleware/rbac.middleware';
const router = Router();
@@ -15,13 +12,13 @@ router.get('/stats', authenticate, atemschutzController.getStats.bind(atems
router.get('/my-status', authenticate, atemschutzController.getMyStatus.bind(atemschutzController));
router.get('/:id', authenticate, atemschutzController.getOne.bind(atemschutzController));
// ── Write — admin + kommandant ───────────────────────────────────────────────
// ── Write — gruppenfuehrer+ ─────────────────────────────────────────────────
router.post('/', authenticate, requireGroups(WRITE_GROUPS), atemschutzController.create.bind(atemschutzController));
router.patch('/:id', authenticate, requireGroups(WRITE_GROUPS), atemschutzController.update.bind(atemschutzController));
router.post('/', authenticate, requirePermission('atemschutz:write'), atemschutzController.create.bind(atemschutzController));
router.patch('/:id', authenticate, requirePermission('atemschutz:write'), atemschutzController.update.bind(atemschutzController));
// ── Delete — admin only ──────────────────────────────────────────────────────
// ── Delete — kommandant+ ────────────────────────────────────────────────────
router.delete('/:id', authenticate, requireGroups(ADMIN_GROUPS), atemschutzController.delete.bind(atemschutzController));
router.delete('/:id', authenticate, requirePermission('atemschutz:delete'), atemschutzController.delete.bind(atemschutzController));
export default router;

6
backend/src/routes/auth.routes.ts
View File

@@ -1,6 +1,6 @@
import { Router } from 'express';
import authController from '../controllers/auth.controller';
import { optionalAuth } from '../middleware/auth.middleware';
import { authenticate } from '../middleware/auth.middleware';
const router = Router();
@@ -14,9 +14,9 @@ router.post('/callback', authController.handleCallback);
/**
* @route POST /api/auth/logout
* @desc Logout user
* @access Public (optional auth for logging purposes)
* @access Private
*/
router.post('/logout', optionalAuth, authController.handleLogout);
router.post('/logout', authenticate, authController.handleLogout);
/**
* @route POST /api/auth/refresh

11
backend/src/routes/booking.routes.ts
View File

@@ -1,10 +1,7 @@
import { Router } from 'express';
import bookingController from '../controllers/booking.controller';
import { authenticate, optionalAuth } from '../middleware/auth.middleware';
import { requireGroups } from '../middleware/rbac.middleware';
const WRITE_GROUPS = ['dashboard_admin', 'dashboard_fahrmeister', 'dashboard_moderator'];
const ADMIN_GROUPS = ['dashboard_admin'];
import { requirePermission } from '../middleware/rbac.middleware';
const router = Router();
@@ -22,13 +19,13 @@ router.get('/calendar-token', authenticate, bookingController.getCalendarToken.b
// ── Write operations ──────────────────────────────────────────────────────────
router.post('/', authenticate, bookingController.create.bind(bookingController));
router.patch('/:id', authenticate, requireGroups(WRITE_GROUPS), bookingController.update.bind(bookingController));
router.patch('/:id', authenticate, requirePermission('bookings:write'), bookingController.update.bind(bookingController));
// Soft-cancel (sets abgesagt=TRUE)
router.delete('/:id', authenticate, requireGroups(WRITE_GROUPS), bookingController.cancel.bind(bookingController));
router.delete('/:id', authenticate, requirePermission('bookings:write'), bookingController.cancel.bind(bookingController));
// Hard-delete (admin only)
router.delete('/:id/force', authenticate, requireGroups(ADMIN_GROUPS), bookingController.hardDelete.bind(bookingController));
router.delete('/:id/force', authenticate, requirePermission('bookings:delete'), bookingController.hardDelete.bind(bookingController));
// ── Single booking read — after specific routes to avoid path conflicts ───────

17
backend/src/routes/equipment.routes.ts
View File

@@ -1,10 +1,7 @@
import { Router } from 'express';
import equipmentController from '../controllers/equipment.controller';
import { authenticate } from '../middleware/auth.middleware';
import { requireGroups } from '../middleware/rbac.middleware';
const ADMIN_GROUPS = ['dashboard_admin'];
const WRITE_GROUPS = ['dashboard_admin', 'dashboard_fahrmeister', 'dashboard_zeugmeister'];
import { requirePermission } from '../middleware/rbac.middleware';
const router = Router();
@@ -18,15 +15,15 @@ router.get('/vehicle-warnings', authenticate, equipmentController.getVehicleW
router.get('/vehicle/:fahrzeugId', authenticate, equipmentController.getByVehicle.bind(equipmentController));
router.get('/:id', authenticate, equipmentController.getEquipment.bind(equipmentController));
// ── Write — admin + fahrmeister ──────────────────────────────────────────────
// ── Write — gruppenfuehrer+ ────────────────────────────────────────────────
router.post('/', authenticate, requireGroups(WRITE_GROUPS), equipmentController.createEquipment.bind(equipmentController));
router.patch('/:id', authenticate, requireGroups(WRITE_GROUPS), equipmentController.updateEquipment.bind(equipmentController));
router.patch('/:id/status', authenticate, requireGroups(WRITE_GROUPS), equipmentController.updateStatus.bind(equipmentController));
router.post('/:id/wartung', authenticate, requireGroups(WRITE_GROUPS), equipmentController.addWartung.bind(equipmentController));
router.post('/', authenticate, requirePermission('equipment:write'), equipmentController.createEquipment.bind(equipmentController));
router.patch('/:id', authenticate, requirePermission('equipment:write'), equipmentController.updateEquipment.bind(equipmentController));
router.patch('/:id/status', authenticate, requirePermission('equipment:write'), equipmentController.updateStatus.bind(equipmentController));
router.post('/:id/wartung', authenticate, requirePermission('equipment:write'), equipmentController.addWartung.bind(equipmentController));
// ── Delete — admin only ──────────────────────────────────────────────────────
router.delete('/:id', authenticate, requireGroups(ADMIN_GROUPS), equipmentController.deleteEquipment.bind(equipmentController));
router.delete('/:id', authenticate, requirePermission('equipment:delete'), equipmentController.deleteEquipment.bind(equipmentController));
export default router;

37
backend/src/routes/events.routes.ts
View File

@@ -1,13 +1,10 @@
import { Router } from 'express';
import eventsController from '../controllers/events.controller';
import { authenticate, optionalAuth } from '../middleware/auth.middleware';
import { requireGroups } from '../middleware/rbac.middleware';
import { requirePermission } from '../middleware/rbac.middleware';
const router = Router();
/** Groups that may create, update, or cancel events */
const WRITE_GROUPS = ['dashboard_admin', 'dashboard_moderator'];
// ---------------------------------------------------------------------------
// Categories
// ---------------------------------------------------------------------------
@@ -20,34 +17,34 @@ router.get('/kategorien', authenticate, eventsController.listKategorien.bind(eve
/**
* POST /api/events/kategorien
* Create a new category. Requires admin or moderator.
* Create a new category. Requires gruppenfuehrer+.
*/
router.post(
'/kategorien',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:categories'),
eventsController.createKategorie.bind(eventsController)
);
/**
* PATCH /api/events/kategorien/:id
* Update an existing category. Requires admin or moderator.
* Update an existing category. Requires gruppenfuehrer+.
*/
router.patch(
'/kategorien/:id',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:categories'),
eventsController.updateKategorie.bind(eventsController)
);
/**
* DELETE /api/events/kategorien/:id
* Delete a category (only if no events reference it). Requires admin or moderator.
* Delete a category (only if no events reference it). Requires gruppenfuehrer+.
*/
router.delete(
'/kategorien/:id',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:categories'),
eventsController.deleteKategorie.bind(eventsController)
);
@@ -106,23 +103,23 @@ router.get(
/**
* POST /api/events/import
* Bulk import events from CSV data. Requires admin or moderator.
* Bulk import events from CSV data. Requires gruppenfuehrer+.
*/
router.post(
'/import',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:write'),
eventsController.importEvents.bind(eventsController)
);
/**
* POST /api/events
* Create a new event. Requires admin or moderator.
* Create a new event. Requires gruppenfuehrer+.
*/
router.post(
'/',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:write'),
eventsController.createEvent.bind(eventsController)
);
@@ -134,34 +131,34 @@ router.get('/:id', authenticate, eventsController.getById.bind(eventsController)
/**
* PATCH /api/events/:id
* Update an existing event. Requires admin or moderator.
* Update an existing event. Requires gruppenfuehrer+.
*/
router.patch(
'/:id',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:write'),
eventsController.updateEvent.bind(eventsController)
);
/**
* DELETE /api/events/:id
* Soft-cancel an event (sets abgesagt=TRUE + reason). Requires admin or moderator.
* Soft-cancel an event (sets abgesagt=TRUE + reason). Requires gruppenfuehrer+.
*/
router.delete(
'/:id',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:write'),
eventsController.cancelEvent.bind(eventsController)
);
/**
* POST /api/events/:id/delete
* Hard-delete an event permanently. Requires admin or moderator.
* Hard-delete an event permanently. Requires gruppenfuehrer+.
*/
router.post(
'/:id/delete',
authenticate,
requireGroups(WRITE_GROUPS),
requirePermission('events:write'),
eventsController.deleteEvent.bind(eventsController)
);

102
backend/src/routes/member.routes.ts
View File

@@ -1,87 +1,16 @@
import { Router, Request, Response, NextFunction } from 'express';
import memberController from '../controllers/member.controller';
import { authenticate } from '../middleware/auth.middleware';
import logger from '../utils/logger';
import { requirePermission } from '../middleware/rbac.middleware';
const router = Router();
// ----------------------------------------------------------------
// Role/permission middleware
//
// The JWT currently carries: { userId, email, authentikSub }.
// Roles come from Authentik group membership stored in the
// `groups` array on the UserInfo response. The auth controller
// already upserts the user in the DB on every login; this
// middleware resolves the role from req.user (extended below).
//
// Until a full roles column exists in the users table, roles are
// derived from a well-known Authentik group naming convention:
//
// "feuerwehr-admin" → AppRole 'admin'
// "feuerwehr-kommandant" → AppRole 'kommandant'
// (everything else) → AppRole 'mitglied'
//
// The groups are passed through the JWT as req.user.groups (added
// by the extended type below). Replace this logic with a DB
// lookup once a roles column is added to users.
// Apply authentication to every route in this router.
// requirePermission is applied per-route because PATCH allows the
// owner to update their own limited fields even without 'members:write'.
// ----------------------------------------------------------------
type AppRole = 'admin' | 'kommandant' | 'mitglied';
/**
* Resolves the AppRole from Authentik groups attached to the JWT.
* Mutates req.user.role so downstream controllers can read it directly.
*/
const resolveRole = (req: Request, _res: Response, next: NextFunction): void => {
if (req.user) {
const groups: string[] = (req.user as any).groups ?? [];
if (groups.includes('feuerwehr-admin')) {
req.user.role = 'admin';
} else if (groups.includes('feuerwehr-kommandant')) {
req.user.role = 'kommandant' as any;
} else {
req.user.role = 'mitglied' as any;
}
logger.debug('resolveRole', { userId: req.user.id, role: req.user.role });
}
next();
};
/**
* Factory: creates a middleware that enforces the minimum required role.
* Role hierarchy: admin > kommandant > mitglied
*/
const requirePermission = (permission: 'members:read' | 'members:write') => {
return (req: Request, res: Response, next: NextFunction): void => {
const role = (req.user as any)?.role ?? 'mitglied';
const writeRoles: AppRole[] = ['admin', 'kommandant'];
const readRoles: AppRole[] = ['admin', 'kommandant', 'mitglied'];
const allowed =
permission === 'members:write'
? writeRoles.includes(role)
: readRoles.includes(role);
if (!allowed) {
res.status(403).json({
success: false,
message: 'Keine Berechtigung für diese Aktion.',
});
return;
}
next();
};
};
// ----------------------------------------------------------------
// Apply authentication + role resolution to every route in this
// router. Note: requirePermission is applied per-route because
// PATCH allows the owner to update their own limited fields even
// without 'members:write'.
// ----------------------------------------------------------------
router.use(authenticate, resolveRole);
router.use(authenticate);
// IMPORTANT: The static /stats route must be registered BEFORE
// the dynamic /:userId route, otherwise Express would match
@@ -110,14 +39,29 @@ router.post(
memberController.createMemberProfile.bind(memberController)
);
/**
* Inline middleware for PATCH /:userId.
* Enforces that the caller is either the profile owner OR holds members:write.
* This is the route-level IDOR guard; the controller still applies the
* correct Zod schema (full vs. limited fields) based on role.
*/
const requireOwnerOrWrite = (req: Request, res: Response, next: NextFunction): void => {
const isOwner = req.user?.id === req.params.userId;
if (isOwner) {
next();
return;
}
// Not the owner — must have members:write permission
requirePermission('members:write')(req, res, next);
};
/**
* PATCH /:userId — open to both privileged users AND the profile owner.
* The controller itself enforces the correct Zod schema (full vs. limited)
* based on the caller's role.
* Route-level guard rejects all other callers before the controller runs.
*/
router.patch(
'/:userId',
// No requirePermission here — controller handles own-profile vs. write-role logic
requireOwnerOrWrite,
memberController.updateMember.bind(memberController)
);

19
backend/src/routes/vehicle.routes.ts
View File

@@ -1,10 +1,7 @@
import { Router } from 'express';
import vehicleController from '../controllers/vehicle.controller';
import { authenticate } from '../middleware/auth.middleware';
import { requireGroups } from '../middleware/rbac.middleware';
const ADMIN_GROUPS = ['dashboard_admin'];
const WRITE_GROUPS = ['dashboard_admin', 'dashboard_fahrmeister'];
import { requirePermission } from '../middleware/rbac.middleware';
const router = Router();
@@ -16,15 +13,15 @@ router.get('/alerts', authenticate, vehicleController.getAlerts.bind(vehicleCont
router.get('/:id', authenticate, vehicleController.getVehicle.bind(vehicleController));
router.get('/:id/wartung', authenticate, vehicleController.getWartung.bind(vehicleController));
// ── Write — admin only ────────────────────────────────────────────────────────
// ── Write — kommandant+ ──────────────────────────────────────────────────────
router.post('/', authenticate, requireGroups(ADMIN_GROUPS), vehicleController.createVehicle.bind(vehicleController));
router.patch('/:id', authenticate, requireGroups(ADMIN_GROUPS), vehicleController.updateVehicle.bind(vehicleController));
router.delete('/:id', authenticate, requireGroups(ADMIN_GROUPS), vehicleController.deleteVehicle.bind(vehicleController));
router.post('/', authenticate, requirePermission('vehicles:write'), vehicleController.createVehicle.bind(vehicleController));
router.patch('/:id', authenticate, requirePermission('vehicles:write'), vehicleController.updateVehicle.bind(vehicleController));
router.delete('/:id', authenticate, requirePermission('vehicles:delete'), vehicleController.deleteVehicle.bind(vehicleController));
// ── Status + maintenance log — admin + fahrmeister ────────────────────────────
// ── Status + maintenance log — gruppenfuehrer+ ──────────────────────────────
router.patch('/:id/status', authenticate, requireGroups(WRITE_GROUPS), vehicleController.updateVehicleStatus.bind(vehicleController));
router.post('/:id/wartung', authenticate, requireGroups(WRITE_GROUPS), vehicleController.addWartung.bind(vehicleController));
router.patch('/:id/status', authenticate, requirePermission('vehicles:status'), vehicleController.updateVehicleStatus.bind(vehicleController));
router.post('/:id/wartung', authenticate, requirePermission('vehicles:status'), vehicleController.addWartung.bind(vehicleController));
export default router;

54
backend/src/services/authentik.service.ts
View File

@@ -1,9 +1,23 @@
import axios, { AxiosError } from 'axios';
import * as jose from 'jose';
import authentikConfig from '../config/authentik';
import logger from '../utils/logger';
import { TokenResponse, UserInfo } from '../types/auth.types';
class AuthentikService {
private jwks: ReturnType<typeof jose.createRemoteJWKSet> | null = null;
private getJwks(): ReturnType<typeof jose.createRemoteJWKSet> {
if (!this.jwks) {
// Derive JWKS URI from the issuer URL
// Issuer: https://auth.example.com/application/o/myapp/
// JWKS: https://auth.example.com/application/o/myapp/jwks/
const jwksUri = new URL('jwks/', authentikConfig.issuer.endsWith('/') ? authentikConfig.issuer : authentikConfig.issuer + '/');
this.jwks = jose.createRemoteJWKSet(jwksUri);
}
return this.jwks;
}
/**
* Exchange authorization code for access and ID tokens
*/
@@ -61,48 +75,26 @@ class AuthentikService {
}
/**
* Verify and decode ID token (basic validation)
* Note: For production, use a proper JWT verification library like jose or jsonwebtoken
* Verify and decode ID token using JWKS
*/
verifyIdToken(idToken: string): any {
async verifyIdToken(idToken: string): Promise<jose.JWTPayload> {
try {
// Split the token into parts
const parts = idToken.split('.');
if (parts.length !== 3) {
throw new Error('Invalid ID token format');
}
// Decode the payload (Base64URL)
const payload = JSON.parse(
Buffer.from(parts[1], 'base64url').toString('utf-8')
);
// Basic validation
if (!payload.sub || !payload.email) {
throw new Error('Invalid ID token payload');
}
// Check expiration
if (payload.exp && payload.exp * 1000 < Date.now()) {
throw new Error('ID token has expired');
}
// Check issuer
if (payload.iss && !payload.iss.includes(authentikConfig.issuer)) {
logger.warn('ID token issuer mismatch', {
expected: authentikConfig.issuer,
received: payload.iss,
const { payload } = await jose.jwtVerify(idToken, this.getJwks(), {
issuer: authentikConfig.issuer,
});
if (!payload.sub || !payload.email) {
throw new Error('Invalid ID token payload: missing sub or email');
}
logger.info('ID token verified successfully', {
logger.info('ID token verified successfully via JWKS', {
sub: payload.sub,
email: payload.email,
});
return payload;
} catch (error) {
logger.error('Failed to verify ID token', { error });
logger.error('Failed to verify ID token via JWKS', { error });
throw new Error('Invalid ID token');
}
}

49
backend/src/services/bookstack.service.ts
View File

@@ -32,6 +32,47 @@ export interface BookStackSearchResult {
tags: { name: string; value: string; order: number }[];
}
/**
* Validates that a URL is safe to use as an outbound service endpoint.
* Rejects non-http(s) protocols and private/loopback IP ranges to prevent SSRF.
*/
function isValidServiceUrl(raw: string): boolean {
let parsed: URL;
try {
parsed = new URL(raw);
} catch {
return false;
}
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
return false;
}
const hostname = parsed.hostname.toLowerCase();
// Reject plain loopback / localhost names
if (hostname === 'localhost' || hostname === '::1') {
return false;
}
// Reject numeric IPv4 private / loopback / link-local ranges
const ipv4Parts = hostname.split('.');
if (ipv4Parts.length === 4) {
const [a, b] = ipv4Parts.map(Number);
if (
a === 127 || // 127.0.0.0/8 loopback
a === 10 || // 10.0.0.0/8 private
(a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12 private
(a === 192 && b === 168) || // 192.168.0.0/16 private
(a === 169 && b === 254) // 169.254.0.0/16 link-local
) {
return false;
}
}
return true;
}
function buildHeaders(): Record<string, string> {
const { bookstack } = environment;
return {
@@ -42,8 +83,8 @@ function buildHeaders(): Record<string, string> {
async function getRecentPages(): Promise<BookStackPage[]> {
const { bookstack } = environment;
if (!bookstack.url) {
throw new Error('BOOKSTACK_URL is not configured');
if (!bookstack.url || !isValidServiceUrl(bookstack.url)) {
throw new Error('BOOKSTACK_URL is not configured or is not a valid service URL');
}
try {
@@ -73,8 +114,8 @@ async function getRecentPages(): Promise<BookStackPage[]> {
async function searchPages(query: string): Promise<BookStackSearchResult[]> {
const { bookstack } = environment;
if (!bookstack.url) {
throw new Error('BOOKSTACK_URL is not configured');
if (!bookstack.url || !isValidServiceUrl(bookstack.url)) {
throw new Error('BOOKSTACK_URL is not configured or is not a valid service URL');
}
try {

52
backend/src/services/nextcloud.service.ts
View File

@@ -34,10 +34,51 @@ interface LoginFlowCredentials {
appPassword: string;
}
/**
* Validates that a URL is safe to use as an outbound service endpoint.
* Rejects non-http(s) protocols and private/loopback IP ranges to prevent SSRF.
*/
function isValidServiceUrl(raw: string): boolean {
let parsed: URL;
try {
parsed = new URL(raw);
} catch {
return false;
}
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
return false;
}
const hostname = parsed.hostname.toLowerCase();
// Reject plain loopback / localhost names
if (hostname === 'localhost' || hostname === '::1') {
return false;
}
// Reject numeric IPv4 private / loopback / link-local ranges
const ipv4Parts = hostname.split('.');
if (ipv4Parts.length === 4) {
const [a, b] = ipv4Parts.map(Number);
if (
a === 127 || // 127.0.0.0/8 loopback
a === 10 || // 10.0.0.0/8 private
(a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12 private
(a === 192 && b === 168) || // 192.168.0.0/16 private
(a === 169 && b === 254) // 169.254.0.0/16 link-local
) {
return false;
}
}
return true;
}
async function initiateLoginFlow(): Promise<LoginFlowResult> {
const baseUrl = environment.nextcloudUrl;
if (!baseUrl) {
throw new Error('NEXTCLOUD_URL is not configured');
if (!baseUrl || !isValidServiceUrl(baseUrl)) {
throw new Error('NEXTCLOUD_URL is not configured or is not a valid service URL');
}
try {
@@ -60,6 +101,9 @@ async function initiateLoginFlow(): Promise<LoginFlowResult> {
}
async function pollLoginFlow(pollEndpoint: string, pollToken: string): Promise<LoginFlowCredentials | null> {
if (!isValidServiceUrl(pollEndpoint)) {
throw new Error('pollEndpoint is not a valid service URL');
}
try {
const response = await axios.post(pollEndpoint, `token=${pollToken}`, {
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
@@ -85,8 +129,8 @@ async function pollLoginFlow(pollEndpoint: string, pollToken: string): Promise<L
async function getConversations(loginName: string, appPassword: string): Promise<ConversationsResult> {
const baseUrl = environment.nextcloudUrl;
if (!baseUrl) {
throw new Error('NEXTCLOUD_URL is not configured');
if (!baseUrl || !isValidServiceUrl(baseUrl)) {
throw new Error('NEXTCLOUD_URL is not configured or is not a valid service URL');
}
try {

1
backend/src/services/token.service.ts
View File

@@ -15,6 +15,7 @@ class TokenService {
email: payload.email,
authentikSub: payload.authentikSub,
groups: payload.groups ?? [],
role: payload.role,
},
environment.jwt.secret,
{

53
backend/src/services/vikunja.service.ts
View File

@@ -16,6 +16,47 @@ export interface VikunjaProject {
title: string;
}
/**
* Validates that a URL is safe to use as an outbound service endpoint.
* Rejects non-http(s) protocols and private/loopback IP ranges to prevent SSRF.
*/
function isValidServiceUrl(raw: string): boolean {
let parsed: URL;
try {
parsed = new URL(raw);
} catch {
return false;
}
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
return false;
}
const hostname = parsed.hostname.toLowerCase();
// Reject plain loopback / localhost names
if (hostname === 'localhost' || hostname === '::1') {
return false;
}
// Reject numeric IPv4 private / loopback / link-local ranges
const ipv4Parts = hostname.split('.');
if (ipv4Parts.length === 4) {
const [a, b] = ipv4Parts.map(Number);
if (
a === 127 || // 127.0.0.0/8 loopback
a === 10 || // 10.0.0.0/8 private
(a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12 private
(a === 192 && b === 168) || // 192.168.0.0/16 private
(a === 169 && b === 254) // 169.254.0.0/16 link-local
) {
return false;
}
}
return true;
}
function buildHeaders(): Record<string, string> {
return {
'Authorization': `Bearer ${environment.vikunja.apiToken}`,
@@ -25,8 +66,8 @@ function buildHeaders(): Record<string, string> {
async function getMyTasks(): Promise<VikunjaTask[]> {
const { vikunja } = environment;
if (!vikunja.url) {
throw new Error('VIKUNJA_URL is not configured');
if (!vikunja.url || !isValidServiceUrl(vikunja.url)) {
throw new Error('VIKUNJA_URL is not configured or is not a valid service URL');
}
try {
@@ -58,8 +99,8 @@ async function getOverdueTasks(): Promise<VikunjaTask[]> {
async function getProjects(): Promise<VikunjaProject[]> {
const { vikunja } = environment;
if (!vikunja.url) {
throw new Error('VIKUNJA_URL is not configured');
if (!vikunja.url || !isValidServiceUrl(vikunja.url)) {
throw new Error('VIKUNJA_URL is not configured or is not a valid service URL');
}
try {
@@ -82,8 +123,8 @@ async function getProjects(): Promise<VikunjaProject[]> {
async function createTask(projectId: number, title: string, dueDate?: string): Promise<VikunjaTask> {
const { vikunja } = environment;
if (!vikunja.url) {
throw new Error('VIKUNJA_URL is not configured');
if (!vikunja.url || !isValidServiceUrl(vikunja.url)) {
throw new Error('VIKUNJA_URL is not configured or is not a valid service URL');
}
try {

1
backend/src/types/auth.types.ts
View File

@@ -28,6 +28,7 @@ export interface JwtPayload {
email: string;
authentikSub: string;
groups?: string[];
role?: string;
iat?: number;
exp?: number;
}

10
frontend/src/components/auth/LoginCallback.tsx
View File

@@ -30,8 +30,14 @@ const LoginCallback: React.FC = () => {
try {
await login(code);
// Navigate to the originally intended page, falling back to the dashboard
const from = sessionStorage.getItem('auth_redirect_from') || '/dashboard';
// Navigate to the originally intended page, falling back to the dashboard.
// Validate that the stored path is a safe internal path: must start with '/'
// but must NOT start with '//' (protocol-relative redirect).
const rawFrom = sessionStorage.getItem('auth_redirect_from');
const from =
rawFrom && rawFrom.startsWith('/') && !rawFrom.startsWith('//')
? rawFrom
: '/dashboard';
sessionStorage.removeItem('auth_redirect_from');
navigate(from, { replace: true });
} catch (err) {

3
frontend/src/components/dashboard/BookStackRecentWidget.tsx
View File

@@ -13,13 +13,14 @@ import { formatDistanceToNow } from 'date-fns';
import { de } from 'date-fns/locale';
import { bookstackApi } from '../../services/bookstack';
import type { BookStackPage } from '../../types/bookstack.types';
import { safeOpenUrl } from '../../utils/safeOpenUrl';
const PageRow: React.FC<{ page: BookStackPage; showDivider: boolean }> = ({
page,
showDivider,
}) => {
const handleClick = () => {
window.open(page.url, '_blank', 'noopener,noreferrer');
safeOpenUrl(page.url);
};
const relativeTime = page.updated_at

3
frontend/src/components/dashboard/BookStackSearchWidget.tsx
View File

@@ -14,6 +14,7 @@ import { Search, MenuBook } from '@mui/icons-material';
import { useQuery } from '@tanstack/react-query';
import { bookstackApi } from '../../services/bookstack';
import type { BookStackSearchResult } from '../../types/bookstack.types';
import { safeOpenUrl } from '../../utils/safeOpenUrl';
function stripHtml(html: string): string {
return html.replace(/<[^>]*>/g, '').trim();
@@ -28,7 +29,7 @@ const ResultRow: React.FC<{ result: BookStackSearchResult; showDivider: boolean
return (
<>
<Box
onClick={() => window.open(result.url, '_blank', 'noopener,noreferrer')}
onClick={() => safeOpenUrl(result.url)}
sx={{
py: 1.5,
px: 1,

3
frontend/src/components/dashboard/NextcloudTalkWidget.tsx
View File

@@ -18,6 +18,7 @@ import { formatDistanceToNow } from 'date-fns';
import { de } from 'date-fns/locale';
import { nextcloudApi } from '../../services/nextcloud';
import type { NextcloudConversation } from '../../types/nextcloud.types';
import { safeOpenUrl } from '../../utils/safeOpenUrl';
const POLL_INTERVAL = 2000;
const POLL_TIMEOUT = 5 * 60 * 1000;
@@ -27,7 +28,7 @@ const ConversationRow: React.FC<{ conversation: NextcloudConversation; showDivid
showDivider,
}) => {
const handleClick = () => {
window.open(conversation.url, '_blank', 'noopener,noreferrer');
safeOpenUrl(conversation.url);
};
const relativeTime = conversation.lastMessage

3
frontend/src/components/dashboard/VikunjaMyTasksWidget.tsx
View File

@@ -14,6 +14,7 @@ import { format, isPast } from 'date-fns';
import { de } from 'date-fns/locale';
import { vikunjaApi } from '../../services/vikunja';
import type { VikunjaTask } from '../../types/vikunja.types';
import { safeOpenUrl } from '../../utils/safeOpenUrl';
const PRIORITY_LABELS: Record<number, { label: string; color: 'default' | 'warning' | 'error' }> = {
0: { label: 'Keine', color: 'default' },
@@ -30,7 +31,7 @@ const TaskRow: React.FC<{ task: VikunjaTask; showDivider: boolean; vikunjaUrl: s
vikunjaUrl,
}) => {
const handleClick = () => {
window.open(`${vikunjaUrl}/tasks/${task.id}`, '_blank', 'noopener,noreferrer');
safeOpenUrl(`${vikunjaUrl}/tasks/${task.id}`);
};
const dueDateStr = task.due_date

18
frontend/src/components/shared/NotificationBell.tsx
View File

@@ -25,6 +25,20 @@ import type { Notification, NotificationSchwere } from '../../types/notification
const POLL_INTERVAL_MS = 60_000; // 60 seconds
/**
* Only allow window.open for URLs whose origin matches the current app origin.
* External-looking URLs (different host or protocol-relative) are rejected to
* prevent open-redirect / tab-napping via notification link data from the backend.
*/
function isTrustedUrl(url: string): boolean {
try {
const parsed = new URL(url, window.location.origin);
return parsed.origin === window.location.origin;
} catch {
return false;
}
}
function schwerebColor(schwere: NotificationSchwere): 'error' | 'warning' | 'info' {
if (schwere === 'fehler') return 'error';
if (schwere === 'warnung') return 'warning';
@@ -103,7 +117,11 @@ const NotificationBell: React.FC = () => {
handleClose();
if (n.link) {
if (n.link.startsWith('http://') || n.link.startsWith('https://')) {
if (isTrustedUrl(n.link)) {
window.open(n.link, '_blank');
} else {
console.warn('NotificationBell: blocked navigation to untrusted URL', n.link);
}
} else {
navigate(n.link);
}

6
frontend/src/contexts/AuthContext.tsx
View File

@@ -1,7 +1,7 @@
import React, { createContext, useCallback, useContext, useState, useEffect, ReactNode } from 'react';
import { AuthContextType, AuthState, User } from '../types/auth.types';
import { authService } from '../services/auth';
import { getToken, setToken, removeToken, getUser, setUser, removeUser } from '../utils/storage';
import { getToken, setToken, removeToken, getUser, setUser, removeUser, setRefreshToken, removeRefreshToken } from '../utils/storage';
import { useNotification } from './NotificationContext';
import { setAuthInitialized } from '../services/api';
@@ -71,10 +71,11 @@ export const AuthProvider: React.FC<AuthProviderProps> = ({ children }) => {
try {
setState((prev) => ({ ...prev, isLoading: true }));
const { token, user } = await authService.handleCallback(code);
const { token, refreshToken, user } = await authService.handleCallback(code);
// Save to localStorage
setToken(token);
setRefreshToken(refreshToken);
setUser(user);
// Update state
@@ -115,6 +116,7 @@ export const AuthProvider: React.FC<AuthProviderProps> = ({ children }) => {
// Clear local state
removeToken();
removeRefreshToken();
removeUser();
setState({
user: null,

15
frontend/src/pages/Login.tsx
View File

@@ -23,7 +23,11 @@ function Login() {
useEffect(() => {
if (isAuthenticated) {
setIsRedirecting(true);
const from = (location.state as any)?.from || '/dashboard';
const rawFrom = (location.state as any)?.from;
const from =
rawFrom && rawFrom.startsWith('/') && !rawFrom.startsWith('//')
? rawFrom
: '/dashboard';
navigate(from, { replace: true });
}
}, [isAuthenticated, navigate, location.state]);
@@ -31,10 +35,11 @@ function Login() {
const handleLogin = () => {
try {
// Persist the intended destination so LoginCallback can restore it
// after the full-page Authentik redirect round-trip
const from = (location.state as any)?.from;
if (from) {
sessionStorage.setItem('auth_redirect_from', from);
// after the full-page Authentik redirect round-trip.
// Validate that from is a safe internal path before storing it.
const rawFrom = (location.state as any)?.from;
if (rawFrom && rawFrom.startsWith('/') && !rawFrom.startsWith('//')) {
sessionStorage.setItem('auth_redirect_from', rawFrom);
}
const authUrl = authService.getAuthUrl();
window.location.href = authUrl;

82
frontend/src/pages/Settings.tsx
View File

@@ -1,4 +1,3 @@
import { useState } from 'react';
import {
Container,
Typography,
@@ -10,35 +9,16 @@ import {
Switch,
Divider,
Box,
Button,
ToggleButtonGroup,
ToggleButton,
} from '@mui/material';
import { Settings as SettingsIcon, Notifications, Palette, Language, Save, SettingsBrightness, LightMode, DarkMode } from '@mui/icons-material';
import { Settings as SettingsIcon, Notifications, Palette, Language, SettingsBrightness, LightMode, DarkMode } from '@mui/icons-material';
import DashboardLayout from '../components/dashboard/DashboardLayout';
import { useNotification } from '../contexts/NotificationContext';
import { useThemeMode } from '../contexts/ThemeContext';
function Settings() {
const notification = useNotification();
const { themeMode, setThemeMode } = useThemeMode();
// Settings state
const [emailNotifications, setEmailNotifications] = useState(true);
const [alarmNotifications, setAlarmNotifications] = useState(true);
const [maintenanceReminders, setMaintenanceReminders] = useState(false);
const [systemNotifications, setSystemNotifications] = useState(true);
const [compactView, setCompactView] = useState(true);
const [animations, setAnimations] = useState(true);
const handleSaveSettings = () => {
try {
// In a real application, save settings to backend
notification.showSuccess('Einstellungen erfolgreich gespeichert');
} catch (error) {
notification.showError('Fehler beim Speichern der Einstellungen');
}
};
return (
<DashboardLayout>
<Container maxWidth="lg">
@@ -58,41 +38,24 @@ function Settings() {
<Divider sx={{ mb: 2 }} />
<FormGroup>
<FormControlLabel
control={
<Switch
checked={emailNotifications}
onChange={(e) => setEmailNotifications(e.target.checked)}
/>
}
control={<Switch checked={false} disabled />}
label="E-Mail-Benachrichtigungen"
/>
<FormControlLabel
control={
<Switch
checked={alarmNotifications}
onChange={(e) => setAlarmNotifications(e.target.checked)}
/>
}
control={<Switch checked={false} disabled />}
label="Einsatz-Alarme"
/>
<FormControlLabel
control={
<Switch
checked={maintenanceReminders}
onChange={(e) => setMaintenanceReminders(e.target.checked)}
/>
}
control={<Switch checked={false} disabled />}
label="Wartungserinnerungen"
/>
<FormControlLabel
control={
<Switch
checked={systemNotifications}
onChange={(e) => setSystemNotifications(e.target.checked)}
/>
}
control={<Switch checked={false} disabled />}
label="System-Benachrichtigungen"
/>
<Typography variant="caption" color="text.secondary" sx={{ mt: 1 }}>
(Bald verfügbar)
</Typography>
</FormGroup>
</CardContent>
</Card>
@@ -109,23 +72,16 @@ function Settings() {
<Divider sx={{ mb: 2 }} />
<FormGroup>
<FormControlLabel
control={
<Switch
checked={compactView}
onChange={(e) => setCompactView(e.target.checked)}
/>
}
control={<Switch checked={false} disabled />}
label="Kompakte Ansicht"
/>
<FormControlLabel
control={
<Switch
checked={animations}
onChange={(e) => setAnimations(e.target.checked)}
/>
}
control={<Switch checked={false} disabled />}
label="Animationen"
/>
<Typography variant="caption" color="text.secondary" sx={{ mt: 1 }}>
(Bald verfügbar)
</Typography>
<Box sx={{ mt: 1 }}>
<Typography variant="body2" sx={{ mb: 1 }}>
Farbschema
@@ -204,18 +160,6 @@ function Settings() {
wird in zukünftigen Updates implementiert.
</Typography>
</Box>
<Box sx={{ mt: 3, display: 'flex', justifyContent: 'flex-end' }}>
<Button
variant="contained"
color="primary"
size="large"
startIcon={<Save />}
onClick={handleSaveSettings}
>
Einstellungen speichern
</Button>
</Box>
</Container>
</DashboardLayout>
);

81
frontend/src/services/api.ts
View File

@@ -1,10 +1,27 @@
import axios, { AxiosInstance, AxiosRequestConfig, AxiosResponse, AxiosError } from 'axios';
import { API_URL } from '../utils/config';
import { getToken, removeToken, removeUser } from '../utils/storage';
import { getToken, setToken, removeToken, removeUser, getRefreshToken, removeRefreshToken } from '../utils/storage';
let authInitialized = false;
let isRedirectingToLogin = false;
let isRefreshing = false;
let failedQueue: Array<{
resolve: (token: string) => void;
reject: (error: any) => void;
}> = [];
function processQueue(error: any, token: string | null = null) {
failedQueue.forEach((prom) => {
if (error) {
prom.reject(error);
} else {
prom.resolve(token!);
}
});
failedQueue = [];
}
export function setAuthInitialized(value: boolean): void {
authInitialized = value;
if (value === true) {
@@ -54,15 +71,71 @@ class ApiService {
(response) => response,
async (error: AxiosError) => {
if (error.response?.status === 401) {
const originalRequest = error.config as AxiosRequestConfig & { _retry?: boolean };
// Don't attempt refresh during auth initialization or if already retried
if (!authInitialized || originalRequest._retry) {
if (authInitialized && !isRedirectingToLogin) {
isRedirectingToLogin = true;
// Clear tokens and redirect to login
console.warn('Unauthorized request, redirecting to login');
removeToken();
removeRefreshToken();
removeUser();
window.location.href = '/login';
}
// During initialization, silently reject without redirecting
return Promise.reject(this.handleError(error));
}
if (isRefreshing) {
return new Promise<AxiosResponse>((resolve, reject) => {
failedQueue.push({
resolve: (token: string) => {
originalRequest.headers = { ...originalRequest.headers, Authorization: `Bearer ${token}` };
resolve(this.axiosInstance.request(originalRequest));
},
reject: (err: any) => {
reject(err);
},
});
});
}
originalRequest._retry = true;
isRefreshing = true;
const refreshToken = getRefreshToken();
if (!refreshToken) {
isRefreshing = false;
if (!isRedirectingToLogin) {
isRedirectingToLogin = true;
removeToken();
removeRefreshToken();
removeUser();
window.location.href = '/login';
}
return Promise.reject(this.handleError(error));
}
try {
// Use a raw axios call (not the intercepted instance) to avoid loops
const response = await axios.post(`${API_URL}/api/auth/refresh`, { refreshToken });
const newToken = response.data.data.accessToken;
setToken(newToken);
processQueue(null, newToken);
originalRequest.headers = { ...originalRequest.headers, Authorization: `Bearer ${newToken}` };
return this.axiosInstance.request(originalRequest);
} catch (refreshError) {
processQueue(refreshError, null);
if (!isRedirectingToLogin) {
isRedirectingToLogin = true;
removeToken();
removeRefreshToken();
removeUser();
window.location.href = '/login';
}
return Promise.reject(this.handleError(error));
} finally {
isRefreshing = false;
}
}
// Retry on 429 (Too Many Requests) with exponential backoff

2
frontend/src/services/auth.ts
View File

@@ -6,6 +6,7 @@ const REDIRECT_URI = `${window.location.origin}/auth/callback`;
export interface AuthCallbackResponse {
token: string;
refreshToken: string;
user: User;
}
@@ -51,6 +52,7 @@ export const authService = {
});
return {
token: response.data.data.accessToken,
refreshToken: response.data.data.refreshToken,
user: mapBackendUser(response.data.data.user),
};
},

17
frontend/src/utils/config.ts
View File

@@ -1,7 +1,18 @@
const apiUrl: string = import.meta.env.VITE_API_URL;
const authentikUrl: string = import.meta.env.AUTHENTIK_URL || 'https://auth.firesuite.feuerwehr-rems.at';
const clientId: string = import.meta.env.AUTHENTIK_CLIENT_ID;
if (!apiUrl) {
console.error('Missing required environment variable: VITE_API_URL');
}
if (!clientId) {
console.error('Missing required environment variable: AUTHENTIK_CLIENT_ID');
}
export const config = {
apiUrl: import.meta.env.VITE_API_URL || 'http://localhost:3000',
authentikUrl: import.meta.env.AUTHENTIK_URL || 'https://auth.firesuite.feuerwehr-rems.at',
clientId: import.meta.env.AUTHENTIK_CLIENT_ID || 'your_client_id_here',
apiUrl,
authentikUrl,
clientId,
};
export const API_URL = config.apiUrl;

20
frontend/src/utils/safeOpenUrl.ts Normal file
View File

@@ -0,0 +1,20 @@
/**
* Safely opens a URL in a new tab.
*
* Validates the URL before opening it to prevent malicious URLs (e.g.
* javascript: or data: URIs) from being opened if an API response is
* ever compromised. Only http: and https: URLs are allowed.
*/
export function safeOpenUrl(url: string): void {
try {
const parsed = new URL(url);
if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
console.warn(`safeOpenUrl: blocked URL with unexpected protocol "${parsed.protocol}": ${url}`);
return;
}
} catch {
console.warn(`safeOpenUrl: blocked invalid URL: ${url}`);
return;
}
window.open(url, '_blank', 'noopener,noreferrer');
}

27
frontend/src/utils/storage.ts
View File

@@ -28,6 +28,33 @@ export const removeToken = (): void => {
}
};
const REFRESH_TOKEN_KEY = 'auth_refresh_token';
export const getRefreshToken = (): string | null => {
try {
return localStorage.getItem(REFRESH_TOKEN_KEY);
} catch (error) {
console.error('Error getting refresh token from localStorage:', error);
return null;
}
};
export const setRefreshToken = (token: string): void => {
try {
localStorage.setItem(REFRESH_TOKEN_KEY, token);
} catch (error) {
console.error('Error setting refresh token in localStorage:', error);
}
};
export const removeRefreshToken = (): void => {
try {
localStorage.removeItem(REFRESH_TOKEN_KEY);
} catch (error) {
console.error('Error removing refresh token from localStorage:', error);
}
};
export const getUser = (): User | null => {
try {
const userStr = localStorage.getItem(USER_KEY);

2
frontend/vite.config.ts
View File

@@ -23,6 +23,6 @@ export default defineConfig({
envPrefix: ['VITE_', 'AUTHENTIK_'],
build: {
outDir: 'dist',
sourcemap: true,
sourcemap: false,
},
});