Skip to content

fix(security): OWASP P0 hardening — gRPC auth, upload safety, BOLA, OAuth redirects#36

Draft
abbasajorlou1371 wants to merge 1 commit into
mainfrom
cursor/security-p0-fixes-c3e9
Draft

fix(security): OWASP P0 hardening — gRPC auth, upload safety, BOLA, OAuth redirects#36
abbasajorlou1371 wants to merge 1 commit into
mainfrom
cursor/security-p0-fixes-c3e9

Conversation

@abbasajorlou1371

Copy link
Copy Markdown
Collaborator

Summary

Implements the P0 items from the OWASP security audit. Tracked follow-ups remain open for P1/P2 work (see issues #23#35).

Closes #17
Closes #18
Closes #19
Closes #20
Closes #21
Closes #22

Changes

1. Wallet RPC protection (#17)

  • Removed commercial/financial wallet RPCs from shouldSkipAuth
  • Added INTERNAL_SERVICE_SECRET metadata validation for internal-only wallet mutations
  • GetWallet now requires auth + ownership (or internal service credentials)
  • Commercial clients attach internal credentials on outbound gRPC dials

2. gRPC authentication on all services (#18)

  • Added auth.UnaryServerInterceptor to auth, commercial, features, financial, support, storage, notifications, dynasty, levels, social, calendar, and training services
  • Auth-service uses an in-process LocalTokenValidator
  • Services fail fast if auth-service is unreachable at startup

3. Upload hardening (#19)

  • /api/upload now requires authentication at grpc-gateway
  • upload_path allowlist (profile, kyc, tickets, notes, reports)
  • Rejects .. traversal in paths and upload_id
  • Verifies resolved write paths stay under the upload root

4. UpdateProfile BOLA fix (#20)

  • grpc-gateway binds user_id from auth context (ignores client-supplied user_id)
  • auth-service gRPC handler enforces ownership

5. OAuth redirect safety (#21)

  • Validates redirect_to / back_url against allowlisted origins (FRONT_END_URL, APP_URL, ALLOWED_REDIRECT_ORIGINS)
  • Delivers session tokens in URL fragments instead of query strings

6. Docker network exposure (#22)

  • Removed host port mappings for gRPC services (50051–50062) and storage HTTP (8059)
  • Added INTERNAL_SERVICE_SECRET to docker-compose service environments

Configuration

Set in each environment (see config.env.sample updates):

INTERNAL_SERVICE_SECRET=<strong-random-secret>
ALLOWED_REDIRECT_ORIGINS=https://app.example.com

Breaking changes

  • Frontend OAuth callback: tokens are now in the URL hash (#token=...) instead of query (?token=...). Update the SPA to read window.location.hash.
  • Direct gRPC access: all non-public RPCs require a bearer token or internal service secret.
  • Docker dev: gRPC ports are no longer published on localhost; use Kong on :8000.
  • Uploads: /api/upload requires authentication; upload_path must be an allowlisted subdirectory.

Tests

  • shared/pkg/auth — internal service auth tests
  • services/auth-service/internal/auth — redirect allowlist tests
  • services/storage-service/internal/service — upload path traversal tests
  • commercial-service/internal/handler — existing handler tests pass

Related issues (not in this PR)

Priority Issues
P1 #23#29
P2 #30#35
Open in Web Open in Cursor 

- Require INTERNAL_SERVICE_SECRET for wallet mutation gRPC RPCs
- Add gRPC auth interceptors to all services with fail-fast dial
- Protect /api/upload with auth middleware; harden upload path handling
- Fix UpdateProfile BOLA by binding user ID from auth context
- Validate OAuth redirect origins and deliver tokens in URL fragments
- Stop publishing gRPC/storage HTTP ports on Docker host

Co-authored-by: abbasajorlou1371 <abbasajorlou1371@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment