sec: fix C4/C5/M4/M5 + domain migration to syntrex.pro

C4: Remove localhost:9100 fallback from 27 dashboard files (use relative URLs) C5: JWT token_type differentiation (access vs refresh) - middleware rejects refresh as Bearer M4: Server-side registration gate via SOC_REGISTRATION_OPEN env var M5: HTML tag stripping on name/org_name fields (XSS prevention) Domain migration: - users.go: admin@syntrex.pro - zerotrust.go: SPIFFE trust domain - sbom.go: namespace URL - .env.production.example: all URLs updated - identity_test.go: test email
2026-04-28 05:46:22 +02:00 · 2026-03-24 11:49:33 +10:00 · 2026-03-24 11:49:33 +10:00 · 62ecc1c7a3
commit 62ecc1c7a3
parent 1b028099be
7 changed files with 76 additions and 35 deletions
--- a/internal/infrastructure/auth/handlers.go
+++ b/internal/infrastructure/auth/handlers.go
@ -50,10 +50,11 @@ func HandleLogin(store *UserStore, secret []byte) http.HandlerFunc {
 		}

 		accessToken, err := Sign(Claims{
-			Sub:      user.Email,
-			Role:     user.Role,
-			TenantID: user.TenantID,
-			Exp:      time.Now().Add(15 * time.Minute).Unix(),
+			Sub:       user.Email,
+			Role:      user.Role,
+			TenantID:  user.TenantID,
+			TokenType: "access",
+			Exp:       time.Now().Add(15 * time.Minute).Unix(),
 		}, secret)
 		if err != nil {
 			writeAuthError(w, http.StatusInternalServerError, "token generation failed")
@ -61,10 +62,11 @@ func HandleLogin(store *UserStore, secret []byte) http.HandlerFunc {
 		}

 		refreshToken, err := Sign(Claims{
-			Sub:      user.Email,
-			Role:     user.Role,
-			TenantID: user.TenantID,
-			Exp:      time.Now().Add(7 * 24 * time.Hour).Unix(),
+			Sub:       user.Email,
+			Role:      user.Role,
+			TenantID:  user.TenantID,
+			TokenType: "refresh",
+			Exp:       time.Now().Add(7 * 24 * time.Hour).Unix(),
 		}, secret)
 		if err != nil {
 			writeAuthError(w, http.StatusInternalServerError, "token generation failed")
@ -101,6 +103,12 @@ func HandleRefresh(secret []byte) http.HandlerFunc {
 			return
 		}

+		// SEC-C5: Only accept refresh tokens for token renewal
+		if claims.TokenType != "refresh" {
+			writeAuthError(w, http.StatusUnauthorized, "invalid token type — refresh token required")
+			return
+		}
+
 		accessToken, err := NewAccessToken(claims.Sub, claims.Role, secret, 0)
 		if err != nil {
 			writeAuthError(w, http.StatusInternalServerError, "token generation failed")