@commonpub/layer 0.21.13 → 0.21.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commonpub/layer",
-  "version": "0.21.13",
+  "version": "0.21.15",
   "type": "module",
   "main": "./nuxt.config.ts",
   "files": [
@@ -50,16 +50,16 @@
     "vue": "^3.4.0",
     "vue-router": "^4.3.0",
     "zod": "^4.3.6",
+    "@commonpub/auth": "0.6.0",
     "@commonpub/config": "0.13.0",
     "@commonpub/docs": "0.6.3",
-    "@commonpub/auth": "0.6.0",
-    "@commonpub/learning": "0.5.2",
+    "@commonpub/server": "2.55.0",
     "@commonpub/schema": "0.16.0",
-    "@commonpub/explainer": "0.7.15",
-    "@commonpub/ui": "0.8.5",
     "@commonpub/editor": "0.7.10",
-    "@commonpub/server": "2.54.2",
-    "@commonpub/protocol": "0.10.1"
+    "@commonpub/learning": "0.5.2",
+    "@commonpub/protocol": "0.12.0",
+    "@commonpub/explainer": "0.7.15",
+    "@commonpub/ui": "0.8.5"
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^6.9.1",

package/server/api/auth/delete-user.post.ts

@@ -1,6 +1,7 @@
 import { deleteUser, federateDelete } from '@commonpub/server';
 import { contentItems } from '@commonpub/schema';
 import { eq, and } from 'drizzle-orm';
+import { clearBetterAuthSessionCookies } from '../../utils/betterAuthCookie';
 
 export default defineEventHandler(async (event): Promise<{ success: true }> => {
   const user = requireAuth(event);
@@ -48,8 +49,13 @@ export default defineEventHandler(async (event): Promise<{ success: true }> => {
   // Delete the user (cascades to all related data)
   await deleteUser(db, user.id, user.id);
 
-  // Clear the session cookie
-  deleteCookie(event, 'better-auth.session_token', { path: '/' });
+  // Clear both Better Auth cookies — session_token AND session_data
+  // (SSR session cache). Federation-hardening Item 8: the previous
+  // single deleteCookie('better-auth.session_token') didn't match the
+  // `__Secure-`-prefixed prod cookie name and left the session_data
+  // cache cookie hanging for up to 5 minutes of stale enriched-user
+  // data on the response of a freshly-deleted account.
+  clearBetterAuthSessionCookies(event);
 
   return { success: true };
 });

package/server/api/auth/federated/callback.get.ts

@@ -1,25 +1,12 @@
-import { consumeOAuthState, exchangeCodeForToken, linkFederatedAccount, findUserByFederatedAccount, createFederatedSession, storePendingLink } from '@commonpub/server';
-import type { H3Event } from 'h3';
+import { consumeOAuthState, exchangeCodeForToken, linkFederatedAccount, findUserByFederatedAccount, createFederatedSession, storePendingLink, getClientIp } from '@commonpub/server';
 import { z } from 'zod';
+import { setBetterAuthSessionCookie } from '../../../utils/betterAuthCookie';
 
 const callbackSchema = z.object({
   code: z.string(),
   state: z.string(),
 });
 
-/**
- * Set the Better Auth session cookie after federated login.
- */
-function setSessionCookie(event: H3Event, token: string, expiresAt: Date): void {
-  setCookie(event, 'better-auth.session_token', token, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    path: '/',
-    expires: expiresAt,
-  });
-}
-
 /**
  * OAuth2 callback handler for federated login.
  * Exchanges authorization code for token, links federated account,
@@ -48,18 +35,25 @@ export default defineEventHandler(async (event) => {
     });
   }
 
-  const ipAddress = getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
-    ?? getRequestHeader(event, 'x-real-ip')
-    ?? undefined;
+  // Trusted client IP for the session audit row (federation-hardening
+  // Item 9 — use the rightmost XFF token / x-real-ip / socket address,
+  // matching the rate-limit middleware so the audit log + the rate-limit
+  // key reference the same address).
+  const resolvedIp = getClientIp(event);
+  const ipAddress = resolvedIp === 'unknown' ? undefined : resolvedIp;
   const userAgent = getRequestHeader(event, 'user-agent') ?? undefined;
 
   // Check if a local user is already linked to this federated account
   const existingLink = await findUserByFederatedAccount(db, tokenResult.user.actorUri);
 
   if (existingLink) {
-    // User already linked — create session and redirect to dashboard
+    // User already linked — create session and redirect to dashboard.
+    // Cookie is signed + correctly named (federation-hardening Item 8);
+    // before the fix the bare-token/bare-name cookie was rejected by
+    // Better Auth's getSession on the next request, leaving the redirect
+    // anonymous.
     const session = await createFederatedSession(db, existingLink.userId, ipAddress, userAgent);
-    setSessionCookie(event, session.sessionToken, session.expiresAt);
+    setBetterAuthSessionCookie(event, session.sessionToken, session.expiresAt);
     return sendRedirect(event, '/dashboard', 302);
   }
 

package/server/api/auth/federated/link.post.ts

@@ -2,6 +2,7 @@ import { linkFederatedAccount, consumePendingLink } from '@commonpub/server';
 import { eq, and, isNull } from 'drizzle-orm';
 import { users } from '@commonpub/schema';
 import { z } from 'zod';
+import { setBetterAuthSessionCookie } from '../../../utils/betterAuthCookie';
 
 const linkSchema = z.object({
   /** Local credentials */
@@ -74,14 +75,16 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 409, statusMessage: msg });
   }
 
-  // Step 5: Use the session Better Auth created — set cookie for the client
-  setCookie(event, 'better-auth.session_token', signInResponse.session.token, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    path: '/',
-    expires: new Date(signInResponse.session.expiresAt),
-  });
+  // Step 5: Set a signed + correctly-named Better Auth session cookie so
+  // `auth.api.getSession` reads the session on the next request. Before
+  // federation-hardening Item 8, this used a bare token + bare cookie
+  // name, which Better Auth's getSignedCookie rejected silently — the
+  // sign-in succeeded server-side but the next request was anonymous.
+  setBetterAuthSessionCookie(
+    event,
+    signInResponse.session.token,
+    new Date(signInResponse.session.expiresAt),
+  );
 
   return {
     success: true,

package/server/api/auth/mastodon/callback.get.ts

@@ -22,7 +22,6 @@
  * Gated by `features.identity.signInWithRemote`.
  */
 import { z } from 'zod';
-import type { H3Event } from 'h3';
 import {
   consumeMastodonLoginState,
   createFederatedSession,
@@ -31,7 +30,9 @@ import {
   getOrRegisterRemoteClient,
   linkFederatedAccount,
   storePendingLink,
+  getClientIp,
 } from '@commonpub/server';
+import { setBetterAuthSessionCookie } from '../../../utils/betterAuthCookie';
 
 const callbackSchema = z.object({
   code: z.string().min(1),
@@ -42,16 +43,6 @@ const callbackSchema = z.object({
   error_description: z.string().optional(),
 });
 
-function setSessionCookie(event: H3Event, token: string, expiresAt: Date): void {
-  setCookie(event, 'better-auth.session_token', token, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    path: '/',
-    expires: expiresAt,
-  });
-}
-
 export default defineEventHandler(async (event) => {
   const config = useConfig();
   if (!config.features.identity.signInWithRemote) {
@@ -95,17 +86,21 @@ export default defineEventHandler(async (event) => {
     });
   }
 
-  const ipAddress =
-    getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
-    ?? getRequestHeader(event, 'x-real-ip')
-    ?? undefined;
+  // Trusted client IP for the session audit row (federation-hardening
+  // Item 9 — see federated/callback.get.ts).
+  const resolvedIp = getClientIp(event);
+  const ipAddress = resolvedIp === 'unknown' ? undefined : resolvedIp;
   const userAgent = getRequestHeader(event, 'user-agent') ?? undefined;
 
   // Outcome 1: identity already linked → log them in, redirect.
+  // Cookie minted via the Better Auth signed-cookie helper so
+  // `auth.api.getSession` authenticates the next request
+  // (federation-hardening Item 8 — bare-name/bare-value cookie was
+  // rejected before).
   const existingLink = await findUserByFederatedAccount(db, verified.profile.actorUri);
   if (existingLink) {
     const session = await createFederatedSession(db, existingLink.userId, ipAddress, userAgent);
-    setSessionCookie(event, session.sessionToken, session.expiresAt);
+    setBetterAuthSessionCookie(event, session.sessionToken, session.expiresAt);
     return sendRedirect(event, loginState.returnTo ?? '/dashboard', 302);
   }
 

package/server/api/content/[id]/view.post.ts

@@ -1,4 +1,4 @@
-import { incrementViewCount } from '@commonpub/server';
+import { incrementViewCount, getClientIp } from '@commonpub/server';
 
 // Simple in-memory dedup — tracks IP+contentId pairs for 5 minutes
 const recentViews = new Map<string, number>();
@@ -18,10 +18,11 @@ export default defineEventHandler(async (event): Promise<{ success: boolean }> =
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });
 
-  // De-duplicate views per IP + content within cooldown window
-  const ip = getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
-    || getRequestHeader(event, 'x-real-ip')
-    || 'unknown';
+  // De-duplicate views per IP + content within cooldown window. Use the
+  // trusted (rightmost) XFF token (federation-hardening Item 9) — the
+  // previous leftmost-token read let any anonymous caller rotate
+  // `X-Forwarded-For: random` to inflate view counts past the 5-min cap.
+  const ip = getClientIp(event);
   const dedupKey = `${ip}:${id}`;
   const lastView = recentViews.get(dedupKey);
 

package/server/api/federation/content/[id]/view.post.ts

@@ -1,4 +1,4 @@
-import { incrementFederatedViewCount } from '@commonpub/server';
+import { incrementFederatedViewCount, getClientIp } from '@commonpub/server';
 
 const recentViews = new Map<string, number>();
 const VIEW_COOLDOWN_MS = 5 * 60 * 1000;
@@ -15,9 +15,9 @@ export default defineEventHandler(async (event): Promise<{ success: boolean }> =
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });
 
-  const ip = getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
-    || getRequestHeader(event, 'x-real-ip')
-    || 'unknown';
+  // Trusted client IP for view dedup (federation-hardening Item 9 — see
+  // sibling content/view.post.ts).
+  const ip = getClientIp(event);
   const dedupKey = `fed:${ip}:${id}`;
   const lastView = recentViews.get(dedupKey);
 

package/server/middleware/security.ts

@@ -1,5 +1,5 @@
 // Security middleware — rate limiting + security headers + CSP
-import { checkRateLimit, createRateLimitStore, createRedisFailOpenLogger, shouldSkipRateLimit, getSecurityHeaders, buildCspHeader, buildCspDirectives } from '@commonpub/server';
+import { checkRateLimit, createRateLimitStore, createRedisFailOpenLogger, shouldSkipRateLimit, getSecurityHeaders, buildCspHeader, buildCspDirectives, getClientIp } from '@commonpub/server';
 
 // Structured JSON sink for fail-open events. Emits one JSON line per event
 // to stdout so Docker logs / Loki / Datadog / CloudWatch can parse without
@@ -54,9 +54,15 @@ export default defineEventHandler(async (event) => {
 
   // Skip rate limiting in development — SSR + HMR + prefetch burns through limits instantly
   if (!isDev) {
-    const ip = getRequestHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
-      || getRequestHeader(event, 'x-real-ip')
-      || 'unknown';
+    // Trusted client IP for the rate-limit bucket (federation-hardening
+    // Item 9). All 3 prod instances run Caddy with `header_up
+    // X-Forwarded-For {remote_host}` (overwrite) — XFF chain length 1,
+    // leftmost === rightmost, so the previous leftmost-token code was NOT
+    // live-exploitable in our setup. The rightmost-token rule here is
+    // forward-compatible hardening for self-hosters on nginx-append /
+    // multi-proxy topologies; they set CPUB_TRUSTED_PROXY_DEPTH to match
+    // their chain (default 1 covers single-proxy append too).
+    const ip = getClientIp(event);
 
     const userId = event.context.auth?.user?.id as string | undefined;
     const { result, headers: rlHeaders } = await checkRateLimit(store, ip, pathname, userId);

package/server/utils/betterAuthCookie.ts

@@ -0,0 +1,141 @@
+/**
+ * Helpers for setting/clearing Better Auth (1.6.4 / better-call 1.3.5)
+ * session cookies from custom Nitro routes that mint a session WITHOUT
+ * going through the auth router (federated SSO callbacks).
+ *
+ * Federation-hardening Item 8. Before this helper, the callbacks at
+ * `auth/federated/callback.get.ts`, `auth/mastodon/callback.get.ts`,
+ * and `auth/federated/link.post.ts` set the cookie themselves with a
+ * BARE token and the BARE `better-auth.session_token` name. Better
+ * Auth (1.6.4) `getSignedCookie` requires `${token}.${HMAC}` format
+ * and the `__Secure-` prefix in production — so the bare-token cookie
+ * silently authenticated as anonymous on the next request (redirect to
+ * /dashboard but no session). Fail-closed (no bypass) but a complete
+ * functional break of the flagged auth flows. Identity flags
+ * `linkRemoteAccounts`/`signInWithRemote` are OFF in prod, so dormant.
+ *
+ * Cookie shape pinned against the vendored `better-auth@1.6.4` +
+ * `better-call@1.3.5`:
+ *   - Name: `${prefix}better-auth.session_token` where
+ *     `prefix === '__Secure-'` when NODE_ENV=production (matches
+ *     better-auth's `isProduction` check in `cookies/index.mjs:20`).
+ *   - Value: `encodeURIComponent(`${token}.${base64(HMAC-SHA256(secret, token))}`)`
+ *     (matches `better-call/dist/crypto.mjs:22-32` `makeSignature`
+ *     + `signCookieValue`).
+ *   - Attributes: `httpOnly: true, secure: isProd, sameSite: 'lax', path: '/'`.
+ *     Default attributes match `cookies/index.mjs:30-39` exactly.
+ *
+ * Node `createHmac('sha256', secret).update(token).digest('base64')` is
+ * byte-identical to better-auth's `btoa(String.fromCharCode(...uint8Array))`:
+ * both are RFC 4648 standard base64 with `=` padding (the signature is
+ * verified by `getSignedCookie` requiring `length === 44 && endsWith('=')`).
+ */
+import { createHmac } from 'node:crypto';
+import type { H3Event } from 'h3';
+
+/** Better Auth session-token cookie name; `__Secure-` prefix when secure. */
+export function getBetterAuthSessionCookieName(useSecurePrefix: boolean): string {
+  return useSecurePrefix ? '__Secure-better-auth.session_token' : 'better-auth.session_token';
+}
+
+/** Better Auth session_data cookie name (SSR cookie cache); `__Secure-` prefix when secure. */
+export function getBetterAuthSessionDataCookieName(useSecurePrefix: boolean): string {
+  return useSecurePrefix ? '__Secure-better-auth.session_data' : 'better-auth.session_data';
+}
+
+/**
+ * Decide whether to apply the `__Secure-` cookie name prefix. Matches Better
+ * Auth's logic from `cookies/index.mjs:20` exactly:
+ *   useSecure = options.useSecureCookies ?? baseURL.startsWith('https://') ?? isProduction
+ *
+ * Production always uses secure (we never want bare cookies in prod). In dev,
+ * checking `siteUrl.startsWith('https://')` covers the local-HTTPS case so
+ * `getSession` still finds our cookie (Better Auth applies the prefix when
+ * its baseURL is HTTPS, even outside production).
+ */
+export function shouldUseSecurePrefix(): boolean {
+  if (process.env.NODE_ENV === 'production') return true;
+  try {
+    const cfg = useRuntimeConfig();
+    const pub = cfg.public as Record<string, unknown> | undefined;
+    const siteUrl = pub?.siteUrl;
+    if (typeof siteUrl === 'string' && siteUrl.startsWith('https://')) return true;
+  } catch {
+    // useRuntimeConfig unavailable outside a Nitro request context (e.g.
+    // tests that import this module without setting up Nuxt). Fall through.
+  }
+  return false;
+}
+
+/**
+ * Build the signed cookie value `${token}.${base64(HMAC-SHA256(secret, token))}`.
+ * Returns the RAW string — NOT URL-encoded. h3's `setCookie` calls
+ * `cookie-es.serialize` which `encodeURIComponent`s the value exactly
+ * once on the way out (see `cookie-es@3.x/dist/index.mjs` —
+ * `const enc = options?.encode || encodeURIComponent`). Pre-encoding
+ * here would double-encode (`+` → `%2B` → `%252B` on the wire), and
+ * Better Auth's `getSignedCookie` only decodes ONCE before checking
+ * `signature.length === 44 && endsWith('=')` — so the signature
+ * fails to parse and every federated session lands as anonymous.
+ * Same class of bug as session 149's safeFetch P0 (algorithm correct
+ * in isolation, broken once the surrounding layer runs).
+ */
+export function signBetterAuthCookieValue(token: string, secret: string): string {
+  if (!secret) {
+    throw new Error('signBetterAuthCookieValue: secret is required');
+  }
+  const signature = createHmac('sha256', secret).update(token).digest('base64');
+  return `${token}.${signature}`;
+}
+
+/**
+ * Resolve the auth-signing secret. MUST match `middleware/auth.ts`'s
+ * secret-resolution logic exactly (lines 27-33) — if the two diverge,
+ * our cookies are signed with a different key than Better Auth's
+ * `getSession` verifies against, and every federated session lands as
+ * anonymous. KEEP IN SYNC WITH `middleware/auth.ts`.
+ *
+ * Prod-without-AUTH_SECRET throws (matches middleware's startup throw).
+ * Dev-without-AUTH_SECRET falls back to the shared `dev-secret-change-me`
+ * sentinel so federated callbacks work in `pnpm dev` without env config.
+ */
+function getAuthSecret(): string {
+  const cfg = useRuntimeConfig();
+  const s = cfg.authSecret as string | undefined;
+  if (!s && process.env.NODE_ENV === 'production') {
+    throw new Error('AUTH_SECRET must be set in production');
+  }
+  return s || 'dev-secret-change-me';
+}
+
+/**
+ * Set a Better Auth session-token cookie on the H3 event. Produces a cookie
+ * indistinguishable from one Better Auth itself would have set during the
+ * sign-in/email flow — same name, same signed value, same attributes — so
+ * `getSession` (which reads via `getSignedCookie`) authenticates the
+ * subsequent request.
+ */
+export function setBetterAuthSessionCookie(event: H3Event, token: string, expiresAt: Date): void {
+  const useSecure = shouldUseSecurePrefix();
+  const secret = getAuthSecret();
+  const value = signBetterAuthCookieValue(token, secret);
+  setCookie(event, getBetterAuthSessionCookieName(useSecure), value, {
+    httpOnly: true,
+    secure: useSecure,
+    sameSite: 'lax',
+    path: '/',
+    expires: expiresAt,
+  });
+}
+
+/**
+ * Clear both Better Auth cookies (session token + SSR session_data cache).
+ * Use from delete-user / explicit sign-out flows that need to wipe the
+ * Better Auth cookie state without invoking the auth router.
+ */
+export function clearBetterAuthSessionCookies(event: H3Event): void {
+  const useSecure = shouldUseSecurePrefix();
+  const opts = { path: '/', secure: useSecure, sameSite: 'lax' as const };
+  deleteCookie(event, getBetterAuthSessionCookieName(useSecure), opts);
+  deleteCookie(event, getBetterAuthSessionDataCookieName(useSecure), opts);
+}

package/server/utils/inbox.ts

@@ -78,28 +78,45 @@ export async function verifyInboxRequest(event: H3Event, label: string): Promise
     throw createError({ statusCode: 401, statusMessage: 'Invalid actor URI' });
   }
 
-  // 6. Date header freshness check
+  // 6. Date header is mandatory + must be fresh (replay-window protection).
   const dateHeader = getHeader(event, 'date');
-  if (dateHeader) {
-    const requestDate = new Date(dateHeader).getTime();
-    if (!isNaN(requestDate)) {
-      const skew = Math.abs(Date.now() - requestDate);
-      if (skew > MAX_DATE_SKEW_MS) {
-        console.warn(`[${label}] Date header too old/new: skew=${Math.round(skew / 1000)}s from ${actorUri}`);
-        throw createError({ statusCode: 401, statusMessage: 'Request date too far from server time' });
-      }
-    }
+  if (!dateHeader) {
+    throw createError({ statusCode: 401, statusMessage: 'Missing Date header' });
+  }
+  const requestDate = new Date(dateHeader).getTime();
+  if (isNaN(requestDate)) {
+    throw createError({ statusCode: 401, statusMessage: 'Invalid Date header' });
+  }
+  const skew = Math.abs(Date.now() - requestDate);
+  if (skew > MAX_DATE_SKEW_MS) {
+    console.warn(`[${label}] Date header too old/new: skew=${Math.round(skew / 1000)}s from ${actorUri}`);
+    throw createError({ statusCode: 401, statusMessage: 'Request date too far from server time' });
   }
 
-  // 7. Read body and reconstruct Request for signature verification
-  const body = await readBody(event);
-  const bodyStr = typeof body === 'string' ? body : JSON.stringify(body);
+  // 7. Read the RAW body once. Two uses:
+  //    - Hashing for digest verification (must match the sender's digest,
+  //      which was computed over the exact bytes on the wire).
+  //    - JSON.parse for handler consumption.
+  //    `JSON.stringify(JSON.parse(x)) !== x` in general, so we cannot
+  //    rebuild the verify-Request from a re-serialized copy without
+  //    breaking digest comparison. Item 6 of federation-hardening Stage 3.
+  const rawBody = await readRawBody(event, false);
+  if (!rawBody) {
+    throw createError({ statusCode: 400, statusMessage: 'Empty body' });
+  }
+  const bodyStr = typeof rawBody === 'string' ? rawBody : Buffer.from(rawBody).toString('utf-8');
 
-  // Body size check on actual content (in case Content-Length was missing/wrong)
   if (bodyStr.length > MAX_BODY_SIZE) {
     throw createError({ statusCode: 413, statusMessage: 'Payload too large' });
   }
 
+  let body: Record<string, unknown>;
+  try {
+    body = JSON.parse(bodyStr);
+  } catch {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid JSON body' });
+  }
+
   const url = getRequestURL(event);
   const headers = new Headers();
   for (const [key, value] of Object.entries(getHeaders(event))) {
@@ -111,7 +128,10 @@ export async function verifyInboxRequest(event: H3Event, label: string): Promise
     body: bodyStr,
   });
 
-  // 8. Verify HTTP Signature cryptographically
+  // 8. Verify HTTP Signature cryptographically (also enforces the coverage
+  //    policy: (request-target), host, date, and — when body is non-empty —
+  //    digest MUST all be in the signed headers set; digest must match raw
+  //    body SHA-256. Item 7.)
   const signatureValid = await verifyHttpSignature(verifyRequest, actor.publicKey.publicKeyPem);
   if (!signatureValid) {
     console.warn(`[${label}] HTTP Signature verification failed for ${actorUri}`);