feat(opsserver): add health, audit, cluster health, and durable credential management hardening
This commit is contained in:
@@ -4,6 +4,7 @@ import * as interfaces from '../../../ts_interfaces/index.ts';
|
||||
|
||||
export interface IJwtData {
|
||||
userId: string;
|
||||
role: 'admin';
|
||||
status: 'loggedIn' | 'loggedOut';
|
||||
expiresAt: number;
|
||||
}
|
||||
@@ -11,6 +12,8 @@ export interface IJwtData {
|
||||
export class AdminHandler {
|
||||
public typedrouter = new plugins.typedrequest.TypedRouter();
|
||||
public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
|
||||
private revokedTokens = new Set<string>();
|
||||
private failedLoginAttempts = new Map<string, { count: number; firstAttemptAt: number }>();
|
||||
|
||||
constructor(private opsServerRef: OpsServer) {
|
||||
this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
|
||||
@@ -29,19 +32,37 @@ export class AdminHandler {
|
||||
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
|
||||
'adminLoginWithUsernameAndPassword',
|
||||
async (dataArg) => {
|
||||
this.assertLoginNotRateLimited(dataArg.username);
|
||||
const adminPassword = this.opsServerRef.objectStorageRef.config.adminPassword;
|
||||
if (dataArg.username !== 'admin' || dataArg.password !== adminPassword) {
|
||||
this.recordFailedLogin(dataArg.username);
|
||||
await this.opsServerRef.objectStorageRef.auditLogger.log({
|
||||
actorUserId: dataArg.username || 'anonymous',
|
||||
action: 'admin.login',
|
||||
targetType: 'adminSession',
|
||||
success: false,
|
||||
message: 'Invalid credentials',
|
||||
});
|
||||
throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
|
||||
}
|
||||
|
||||
this.failedLoginAttempts.delete(dataArg.username);
|
||||
const expiresAt = Date.now() + 24 * 3600 * 1000;
|
||||
const userId = 'admin';
|
||||
const jwt = await this.smartjwtInstance.createJWT({
|
||||
userId,
|
||||
role: 'admin',
|
||||
status: 'loggedIn',
|
||||
expiresAt,
|
||||
});
|
||||
|
||||
await this.opsServerRef.objectStorageRef.auditLogger.log({
|
||||
actorUserId: userId,
|
||||
action: 'admin.login',
|
||||
targetType: 'adminSession',
|
||||
success: true,
|
||||
});
|
||||
|
||||
console.log('Admin user logged in');
|
||||
|
||||
return {
|
||||
@@ -61,7 +82,16 @@ export class AdminHandler {
|
||||
this.typedrouter.addTypedHandler(
|
||||
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLogout>(
|
||||
'adminLogout',
|
||||
async (_dataArg) => {
|
||||
async (dataArg) => {
|
||||
if (dataArg.identity?.jwt) {
|
||||
this.revokedTokens.add(dataArg.identity.jwt);
|
||||
await this.opsServerRef.objectStorageRef.auditLogger.log({
|
||||
actorUserId: dataArg.identity.userId,
|
||||
action: 'admin.logout',
|
||||
targetType: 'adminSession',
|
||||
success: true,
|
||||
});
|
||||
}
|
||||
return { ok: true };
|
||||
},
|
||||
),
|
||||
@@ -75,18 +105,20 @@ export class AdminHandler {
|
||||
if (!dataArg.identity?.jwt) {
|
||||
return { valid: false };
|
||||
}
|
||||
if (this.revokedTokens.has(dataArg.identity.jwt)) return { valid: false };
|
||||
try {
|
||||
const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
|
||||
if (jwtData.expiresAt < Date.now()) return { valid: false };
|
||||
if (jwtData.status !== 'loggedIn') return { valid: false };
|
||||
if (jwtData.role !== 'admin') return { valid: false };
|
||||
return {
|
||||
valid: true,
|
||||
identity: {
|
||||
jwt: dataArg.identity.jwt,
|
||||
userId: jwtData.userId,
|
||||
username: dataArg.identity.username,
|
||||
username: jwtData.userId,
|
||||
expiresAt: jwtData.expiresAt,
|
||||
role: dataArg.identity.role,
|
||||
role: jwtData.role,
|
||||
},
|
||||
};
|
||||
} catch {
|
||||
@@ -103,12 +135,15 @@ export class AdminHandler {
|
||||
}>(
|
||||
async (dataArg) => {
|
||||
if (!dataArg.identity?.jwt) return false;
|
||||
if (this.revokedTokens.has(dataArg.identity.jwt)) return false;
|
||||
try {
|
||||
const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
|
||||
if (jwtData.expiresAt < Date.now()) return false;
|
||||
if (jwtData.status !== 'loggedIn') return false;
|
||||
if (jwtData.role !== 'admin') return false;
|
||||
if (dataArg.identity.expiresAt !== jwtData.expiresAt) return false;
|
||||
if (dataArg.identity.userId !== jwtData.userId) return false;
|
||||
if (dataArg.identity.role !== jwtData.role) return false;
|
||||
return true;
|
||||
} catch {
|
||||
return false;
|
||||
@@ -122,10 +157,33 @@ export class AdminHandler {
|
||||
identity: interfaces.data.IIdentity;
|
||||
}>(
|
||||
async (dataArg) => {
|
||||
const isValid = await this.validIdentityGuard.exec(dataArg);
|
||||
if (!isValid) return false;
|
||||
return dataArg.identity.role === 'admin';
|
||||
return await this.validIdentityGuard.exec(dataArg);
|
||||
},
|
||||
{ failedHint: 'user is not admin', name: 'adminIdentityGuard' },
|
||||
);
|
||||
|
||||
private assertLoginNotRateLimited(username: string): void {
|
||||
const attempt = this.failedLoginAttempts.get(username);
|
||||
if (!attempt) return;
|
||||
|
||||
const windowMs = 60 * 1000;
|
||||
if (Date.now() - attempt.firstAttemptAt > windowMs) {
|
||||
this.failedLoginAttempts.delete(username);
|
||||
return;
|
||||
}
|
||||
|
||||
if (attempt.count >= 5) {
|
||||
throw new plugins.typedrequest.TypedResponseError('Too many failed login attempts');
|
||||
}
|
||||
}
|
||||
|
||||
private recordFailedLogin(username: string): void {
|
||||
const now = Date.now();
|
||||
const attempt = this.failedLoginAttempts.get(username);
|
||||
if (!attempt || now - attempt.firstAttemptAt > 60 * 1000) {
|
||||
this.failedLoginAttempts.set(username, { count: 1, firstAttemptAt: now });
|
||||
return;
|
||||
}
|
||||
attempt.count++;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user