Merge pull request #96 from soranjiro/copilot/fix-security-risks

fix: Address critical security vulnerabilities in API

Author: soranjiro

apps/api/package.json

@@ -12,6 +12,7 @@
   },
   "dependencies": {
     "@tsndr/cloudflare-worker-jwt": "^3.2.0",
+    "bcryptjs": "^2.4.3",
     "hono": "^4.6.14"
   },
   "devDependencies": {

apps/api/src/routes/auth.ts

@@ -2,6 +2,7 @@ import { Hono } from 'hono';
 import { Env } from '../utils';
 import { ItineraryService } from '../services/itinerary.service';
 import { generateToken, verifyToken, extractBearerToken } from '../utils/jwt';
+import { verifyPassword } from '../utils/password';
 import type { PasswordAuthRequest } from '@tabitabi/types';
 
 const auth = new Hono<{ Bindings: Env }>();
@@ -52,17 +53,20 @@ auth.post('/password', async (c) => {
     }, 404);
   }
 
-  // If itinerary has a password, verify it
-  if (itinerary.password && itinerary.password !== password) {
-    return c.json({
-      success: false,
-      error: { code: 'UNAUTHORIZED', message: 'Invalid password' }
-    }, 401);
-  }
-
-  // If itinerary has no password, allow access (password can be anything or empty)
-  if (!itinerary.password) {
-    // No check needed
+  if (itinerary.password) {
+    if (!password) {
+      return c.json({
+        success: false,
+        error: { code: 'UNAUTHORIZED', message: 'Invalid password' }
+      }, 401);
+    }
+    const isValid = await verifyPassword(password, itinerary.password);
+    if (!isValid) {
+      return c.json({
+        success: false,
+        error: { code: 'UNAUTHORIZED', message: 'Invalid password' }
+      }, 401);
+    }
   }
 
   const token = await generateToken(shioriId, c.env.JWT_SECRET);

apps/api/src/services/itinerary.service.ts

@@ -2,6 +2,7 @@ import type { Itinerary, CreateItineraryInput, UpdateItineraryInput } from '@tab
 import type { D1Database } from '@cloudflare/workers-types';
 import { generateId, getCurrentTimestamp } from '../utils';
 import { validateMemoJson } from '../utils/memo';
+import { hashPassword } from '../utils/password';
 
 const DEFAULT_THEME_ID = 'standard-autumn';
 
@@ -42,7 +43,7 @@ export class ItineraryService {
   }
 
   async create(input: CreateItineraryInput): Promise<Itinerary> {
-    const id = generateId(32);
+    const id = generateId();
     const now = getCurrentTimestamp();
 
     const memo = input.memo ?? '{"text":""}';
@@ -51,13 +52,15 @@ export class ItineraryService {
       throw new Error(validation.error);
     }
 
+    const hashedPassword = input.password ? await hashPassword(input.password) : null;
+
     const itinerary: Itinerary = {
       id,
       title: input.title,
       theme_id: input.theme_id || DEFAULT_THEME_ID,
       memo,
       walica_id: input.walica_id ?? null,
-      password: input.password ?? null,
+      password: hashedPassword,
       secret_settings: input.secret_settings ? {
         enabled: input.secret_settings.enabled,
         offset_minutes: input.secret_settings.offset_minutes
@@ -103,7 +106,7 @@ export class ItineraryService {
 
     const now = getCurrentTimestamp();
     const fields = ['updated_at = ?'];
-    const values: any[] = [now];
+    const values: (string | number | null)[] = [now];
 
     if (input.title !== undefined) {
       fields.push('title = ?');
@@ -123,7 +126,8 @@ export class ItineraryService {
     }
     if (input.password !== undefined) {
       fields.push('password = ?');
-      values.push(input.password);
+      const hashedPassword = input.password ? await hashPassword(input.password) : null;
+      values.push(hashedPassword);
     }
 
     if (fields.length > 1) {
@@ -200,7 +204,7 @@ export class ItineraryService {
     return result.success;
   }
 
-  private mapToItinerary(row: any): Itinerary {
+  private mapToItinerary(row: Record<string, unknown>): Itinerary {
     const itinerary: Itinerary = {
       id: row.id,
       title: row.title,

apps/api/src/services/step.service.ts

@@ -8,7 +8,7 @@ export class StepService {
 
   async list(itineraryId: string, options?: { currentTime?: string; offsetMinutes?: number; maskSecrets?: boolean }): Promise<Step[]> {
     let query = 'SELECT * FROM steps WHERE itinerary_id = ?';
-    const bindings: any[] = [itineraryId];
+    const bindings: (string | number)[] = [itineraryId];
 
     // If time filtering is enabled (secret mode)
     if (options?.currentTime && options?.offsetMinutes !== undefined) {
@@ -48,7 +48,7 @@ export class StepService {
   }
 
   async create(input: CreateStepInput): Promise<Step> {
-    const id = generateId(32);
+    const id = generateId();
     const now = getCurrentTimestamp();
 
     const notes = input.notes ?? '{"text":""}';
@@ -95,7 +95,7 @@ export class StepService {
 
     const now = getCurrentTimestamp();
     const fields = ['updated_at = ?'];
-    const values: any[] = [now];
+    const values: (string | number | null)[] = [now];
 
     if (input.title !== undefined) {
       fields.push('title = ?');
@@ -141,7 +141,7 @@ export class StepService {
     return result.success;
   }
 
-  private mapToStep(row: any, maskSecrets: boolean = true): Step {
+  private mapToStep(row: Record<string, unknown>, maskSecrets: boolean = true): Step {
     const step: Step = {
       id: row.id,
       itinerary_id: row.itinerary_id,

apps/api/src/utils/index.ts

@@ -4,13 +4,8 @@ export interface Env {
   JWT_SECRET?: string;
 }
 
-export function generateId(length: number = 32): string {
-  const chars = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
-  let result = '';
-  for (let i = 0; i < length; i++) {
-    result += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
-  return result;
+export function generateId(): string {
+  return crypto.randomUUID();
 }
 
 export function getCurrentTimestamp(): string {

apps/api/src/utils/jwt.ts

@@ -6,26 +6,28 @@ export interface JwtPayload {
   exp: number;
 }
 
-const DEFAULT_SECRET = 'tabitabi-default-secret-change-in-production';
 const TOKEN_EXPIRY = 30 * 24 * 60 * 60;
 
 export async function generateToken(shioriId: string, secret?: string): Promise<string> {
+  if (!secret) {
+    throw new Error('JWT_SECRET is required');
+  }
   const now = Math.floor(Date.now() / 1000);
   const payload: JwtPayload = {
     shioriId,
     iat: now,
     exp: now + TOKEN_EXPIRY,
   };
 
-  return await sign(payload, secret || DEFAULT_SECRET);
+  return await sign(payload, secret);
 }
 
 export async function verifyToken(token: string, secret?: string): Promise<JwtPayload | null> {
+  if (!secret) {
+    throw new Error('JWT_SECRET is required');
+  }
   try {
-    const isValid = await verify(token, secret || DEFAULT_SECRET);
-    if (!isValid) return null;
-
-    const { payload } = await verify(token, secret || DEFAULT_SECRET, { throwError: true }) as { payload: JwtPayload };
+    const { payload } = await verify(token, secret, { throwError: true }) as { payload: JwtPayload };
 
     if (payload.exp < Math.floor(Date.now() / 1000)) {
       return null;

apps/api/src/utils/password.ts

@@ -0,0 +1,11 @@
+import bcrypt from 'bcryptjs';
+
+const SALT_ROUNDS = 10;
+
+export function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+export function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}

apps/api/test/auth.test.ts

@@ -0,0 +1,163 @@
+import { env } from 'cloudflare:test';
+import { describe, it, expect, beforeEach } from 'vitest';
+import app from '../src/index';
+
+async function applyMigrations(db: D1Database) {
+  const migrations = [
+    `CREATE TABLE IF NOT EXISTS itineraries (
+      id TEXT PRIMARY KEY,
+      title TEXT NOT NULL,
+      theme_id TEXT NOT NULL DEFAULT 'standard-autumn',
+      memo TEXT,
+      password TEXT,
+      created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+      updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+    );`,
+    `CREATE TABLE IF NOT EXISTS steps (
+      id TEXT PRIMARY KEY,
+      itinerary_id TEXT NOT NULL,
+      title TEXT NOT NULL,
+      date TEXT NOT NULL,
+      time TEXT NOT NULL,
+      location TEXT,
+      notes TEXT,
+      created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+      updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+      FOREIGN KEY (itinerary_id) REFERENCES itineraries(id) ON DELETE CASCADE
+    );`,
+    `CREATE INDEX IF NOT EXISTS idx_steps_itinerary ON steps(itinerary_id);`,
+    `CREATE TABLE IF NOT EXISTS itinerary_secrets (
+      itinerary_id TEXT PRIMARY KEY,
+      enabled BOOLEAN DEFAULT FALSE,
+      offset_minutes INTEGER DEFAULT 60,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      FOREIGN KEY (itinerary_id) REFERENCES itineraries(id) ON DELETE CASCADE
+    );`,
+    `CREATE TABLE IF NOT EXISTS itinerary_walica_settings (
+      itinerary_id TEXT PRIMARY KEY,
+      walica_id TEXT NOT NULL,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      FOREIGN KEY (itinerary_id) REFERENCES itineraries(id) ON DELETE CASCADE
+    );`,
+  ];
+
+  for (const sql of migrations) {
+    await db.prepare(sql).run();
+  }
+}
+
+describe('Password Authentication', () => {
+  beforeEach(async () => {
+    await applyMigrations(env.DB);
+    await env.DB.prepare('DELETE FROM steps').run();
+    await env.DB.prepare('DELETE FROM itinerary_secrets').run();
+    await env.DB.prepare('DELETE FROM itinerary_walica_settings').run();
+    await env.DB.prepare('DELETE FROM itineraries').run();
+  });
+
+  describe('Itinerary with password', () => {
+    it('creates itinerary with hashed password', async () => {
+      const request = new Request('http://localhost/api/v1/itineraries', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ title: 'Protected Trip', password: 'secret123' }),
+      });
+
+      const response = await app.fetch(request, env);
+      expect(response.status).toBe(201);
+
+      const { success, data } = await response.json() as { success: boolean; data: { id: string; is_password_protected: boolean } };
+      expect(success).toBe(true);
+      expect(data.is_password_protected).toBe(true);
+
+      const dbResult = await env.DB.prepare('SELECT password FROM itineraries WHERE id = ?').bind(data.id).first() as { password: string } | null;
+      expect(dbResult).not.toBeNull();
+      expect(dbResult!.password).not.toBe('secret123');
+      expect(dbResult!.password).toMatch(/^\$2[aby]\$\d{2}\$.{53}$/);
+    });
+  });
+
+  describe('POST /api/v1/auth/password', () => {
+    it('authenticates with correct password', async () => {
+      const createRequest = new Request('http://localhost/api/v1/itineraries', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ title: 'Protected Trip', password: 'secret123' }),
+      });
+      const createResponse = await app.fetch(createRequest, env);
+      const { data: created } = await createResponse.json() as { data: { id: string } };
+
+      const authRequest = new Request('http://localhost/api/v1/auth/password', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ shioriId: created.id, password: 'secret123' }),
+      });
+      const response = await app.fetch(authRequest, env);
+
+      expect(response.status).toBe(200);
+      const { success, data } = await response.json() as { success: boolean; data: { token: string } };
+      expect(success).toBe(true);
+      expect(data.token).toBeDefined();
+    });
+
+    it('rejects authentication with incorrect password', async () => {
+      const createRequest = new Request('http://localhost/api/v1/itineraries', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ title: 'Protected Trip', password: 'secret123' }),
+      });
+      const createResponse = await app.fetch(createRequest, env);
+      const { data: created } = await createResponse.json() as { data: { id: string } };
+
+      const authRequest = new Request('http://localhost/api/v1/auth/password', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ shioriId: created.id, password: 'wrongpassword' }),
+      });
+      const response = await app.fetch(authRequest, env);
+
+      expect(response.status).toBe(401);
+      const { success, error } = await response.json() as { success: boolean; error: { code: string } };
+      expect(success).toBe(false);
+      expect(error.code).toBe('UNAUTHORIZED');
+    });
+
+    it('allows access to itinerary without password', async () => {
+      const createRequest = new Request('http://localhost/api/v1/itineraries', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ title: 'Public Trip' }),
+      });
+      const createResponse = await app.fetch(createRequest, env);
+      const { data: created } = await createResponse.json() as { data: { id: string } };
+
+      const authRequest = new Request('http://localhost/api/v1/auth/password', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ shioriId: created.id }),
+      });
+      const response = await app.fetch(authRequest, env);
+
+      expect(response.status).toBe(200);
+      const { success, data } = await response.json() as { success: boolean; data: { token: string } };
+      expect(success).toBe(true);
+      expect(data.token).toBeDefined();
+    });
+
+    it('returns 404 for non-existent itinerary', async () => {
+      const authRequest = new Request('http://localhost/api/v1/auth/password', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ shioriId: 'nonexistent', password: 'secret' }),
+      });
+      const response = await app.fetch(authRequest, env);
+
+      expect(response.status).toBe(404);
+      const { success, error } = await response.json() as { success: boolean; error: { code: string } };
+      expect(success).toBe(false);
+      expect(error.code).toBe('NOT_FOUND');
+    });
+  });
+});