security: fix remaining audit findings — refresh bypass, registration bypass, admin protection

IM.codes · claude · IM.codes · commit 70f95bee2b1e · 2026-03-22T19:10:10.000+08:00
Critical:
- Refresh token rotation now checks user.status — disabled users can no
  longer refresh sessions (consumes token but rejects new pair)
- Public registration (POST /api/auth/register) now checks
  registration_enabled + require_approval settings

High:
- Default admin (username='admin') cannot be disabled, not just deleted
- User deletion cascades: revokes refresh_tokens, api_keys, deletes
  passkey_credentials before removing user row

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/server/src/db/queries.ts b/server/src/db/queries.ts
@@ -104,6 +104,10 @@ export async function updateUserStatus(db: PgDatabase, userId: string, status: '
 }
 
 export async function deleteUser(db: PgDatabase, userId: string): Promise<void> {
+  // Cascade: revoke all auth artifacts before deleting user
+  await db.prepare('DELETE FROM refresh_tokens WHERE user_id = ?').bind(userId).run();
+  await db.prepare('UPDATE api_keys SET revoked_at = ? WHERE user_id = ? AND revoked_at IS NULL').bind(Date.now(), userId).run();
+  await db.prepare('DELETE FROM passkey_credentials WHERE user_id = ?').bind(userId).run();
   await db.prepare('DELETE FROM users WHERE id = ?').bind(userId).run();
 }
 
diff --git a/server/src/routes/admin.ts b/server/src/routes/admin.ts
@@ -69,6 +69,9 @@ adminRoutes.post('/users/:id/disable', async (c) => {
   const target = await getUserById(c.env.DB, targetId);
   if (!target) return c.json({ error: 'not_found' }, 404);
 
+  // Default admin cannot be disabled
+  if (target.username === 'admin') return c.json({ error: 'cannot_disable_admin' }, 403);
+
   // Cannot disable the last active admin
   if (target.is_admin && target.status === 'active') {
     const adminCount = await countActiveAdmins(c.env.DB);
diff --git a/server/src/routes/auth.ts b/server/src/routes/auth.ts
@@ -1,7 +1,7 @@
 import { Hono } from 'hono';
 import { getCookie, setCookie, deleteCookie } from 'hono/cookie';
 import type { Env } from '../env.js';
-import { createUser, getUserById, getUserByUsername } from '../db/queries.js';
+import { createUser, getUserById, getUserByUsername, getSetting, updateUserStatus } from '../db/queries.js';
 import { randomHex, sha256Hex, signJwt, verifyJwt, hashPassword, verifyPassword } from '../security/crypto.js';
 import { checkIdempotency, recordIdempotency } from '../security/replay.js';
 import { logAudit } from '../security/audit.js';
@@ -64,6 +64,12 @@ async function resolveUserId(c: AnyAuthContext): Promise<string | null> {
 
 // POST /api/auth/register — create a new user and issue initial API key
 authRoutes.post('/register', async (c) => {
+  // Check if registration is enabled
+  const regEnabled = await getSetting(c.env.DB, 'registration_enabled');
+  if (regEnabled === 'false') {
+    return c.json({ error: 'registration_disabled' }, 403);
+  }
+
   // Idempotency: deduplicate retried registration requests
   const idempotencyKey = c.req.header('Idempotency-Key');
   if (idempotencyKey) {
@@ -74,6 +80,12 @@ authRoutes.post('/register', async (c) => {
   const userId = randomHex(16);
   await createUser(c.env.DB, userId);
 
+  // Set status to pending if approval is required
+  const requireApproval = await getSetting(c.env.DB, 'require_approval');
+  if (requireApproval === 'true') {
+    await updateUserStatus(c.env.DB, userId, 'pending');
+  }
+
   const rawKey = `deck_${randomHex(32)}`;
   const keyHash = sha256Hex(rawKey);
   const now = Date.now();
@@ -302,6 +314,14 @@ authRoutes.post('/refresh', async (c) => {
     return c.json({ error: 'invalid_token' }, 401);
   }
 
+  // Reject disabled/pending users — prevents token refresh after admin disables account
+  const refreshUser = await getUserById(c.env.DB, row.user_id);
+  if (!refreshUser || refreshUser.status !== 'active') {
+    // Consume the token to prevent replay, but don't issue new ones
+    await c.env.DB.prepare('UPDATE refresh_tokens SET used_at = ? WHERE id = ?').bind(Date.now(), row.id).run();
+    return c.json({ error: 'account_disabled' }, 403);
+  }
+
   // Per-user lockout check
   const userLockout = await checkAuthLockout(c.env.DB, `user:${row.user_id}`);
   if (userLockout.locked) {

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,10 @@ export async function updateUserStatus(db: PgDatabase, userId: string, status: '`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`export async function deleteUser(db: PgDatabase, userId: string): Promise<void> {`
	`107`	`+ // Cascade: revoke all auth artifacts before deleting user`
	`108`	`+ await db.prepare('DELETE FROM refresh_tokens WHERE user_id = ?').bind(userId).run();`
	`109`	`+ await db.prepare('UPDATE api_keys SET revoked_at = ? WHERE user_id = ? AND revoked_at IS NULL').bind(Date.now(), userId).run();`
	`110`	`+ await db.prepare('DELETE FROM passkey_credentials WHERE user_id = ?').bind(userId).run();`
`107`	`111`	`await db.prepare('DELETE FROM users WHERE id = ?').bind(userId).run();`
`108`	`112`	`}`
`109`	`113`