Many security updates - Githubissues

HackGT / ground-truth

🛰 Single sign on for HackGT apps

https://login.hack.gt

MIT License

7 stars 2 forks source link

Many security updates #37

Closed ayush-goyal closed 3 years ago

ayush-goyal commented 3 years ago

Add 404 and 500 error pages rather than stack traces in prod

Add password complexity/length requirement
At first, I only added password checking when signing up, but in a later commit I added it in when changing/resetting your password

Update all dependencies to latest - some of them add security updates that were needed
I had to add in new typings and updated the mongo db options because of this

Switched bugsnag error handling over to sentry since this is what we will be using going forward

Added CSRF protection for all forms (ex. when changing password, and for all admin endpoints)
Added in express Helmet for protection
Refactored express post parser

Added rate limiting to all endpoints, and created utility functions for different rate limiting options per endpont (in middleware.ts)

ehsanmasdar commented 3 years ago

This is awesome!

Added rate limiting to all endpoints, and created utility functions for different rate limiting options per endpont (in middleware.ts)

Might be worth adding recaptcha on some endpoints to reduce risk of brute force/spam even further.

evan10s commented 3 years ago

Same as Ehsan, these are all excellent improvements to make! I will look at the code shortly - I agree about recaptcha and have a couple thoughts about password complexity requirements as well

ayush-goyal commented 3 years ago

@ehsanmasdar @evan10s I added in recaptcha for certain routes. See login.dev.hack.gt

evan10s commented 3 years ago

Also, when I sign in at login.dev.hack.gt, I get taken to https://login.dev.hack.gt/favicon.ico instead of the profile page.

ayush-goyal commented 3 years ago

Also, when I sign in at login.dev.hack.gt, I get taken to https://login.dev.hack.gt/favicon.ico instead of the profile page.

Can you explain more? When I sign in I go to the profile page

evan10s commented 3 years ago

As crazy as this sounds, it only seems to happen if I click on the icon part of the Next button or if I complete the recaptcha (when I wrote this comment, the change to the location of the captcha hadn't deployed yet), then click back to the password field and hit Enter (in Chrome on Windows). It still ends up logging me in though, and both of those seem to be consistent causes

ayush-goyal commented 3 years ago

I'm not sure what the problem is and I can't replicate it. Can you try a hard reload and clear your cache?

evan10s commented 3 years ago

Yeah, it's still happening in an incognito window.