sec: fix C4/C5/M4/M5 + domain migration to syntrex.pro

C4: Remove localhost:9100 fallback from 27 dashboard files (use relative URLs) C5: JWT token_type differentiation (access vs refresh) - middleware rejects refresh as Bearer M4: Server-side registration gate via SOC_REGISTRATION_OPEN env var M5: HTML tag stripping on name/org_name fields (XSS prevention) Domain migration: - users.go: admin@syntrex.pro - zerotrust.go: SPIFFE trust domain - sbom.go: namespace URL - .env.production.example: all URLs updated - identity_test.go: test email
2026-04-26 04:46:22 +02:00 · 2026-03-24 11:49:33 +10:00 · 2026-03-24 11:49:33 +10:00 · 62ecc1c7a3
commit 62ecc1c7a3
parent 1b028099be
7 changed files with 76 additions and 35 deletions
--- a/internal/infrastructure/auth/jwt.go
+++ b/internal/infrastructure/auth/jwt.go
@ -16,19 +16,21 @@ import (

 // Standard JWT errors.
 var (
-	ErrInvalidToken  = errors.New("auth: invalid token")
-	ErrExpiredToken  = errors.New("auth: token expired")
-	ErrInvalidSecret = errors.New("auth: secret too short (min 32 bytes)")
+	ErrInvalidToken    = errors.New("auth: invalid token")
+	ErrExpiredToken    = errors.New("auth: token expired")
+	ErrInvalidSecret   = errors.New("auth: secret too short (min 32 bytes)")
+	ErrWrongTokenType  = errors.New("auth: wrong token type")
 )

 // Claims represents JWT payload.
 type Claims struct {
-	Sub      string `json:"sub"`                   // Subject (username or user ID)
-	Role     string `json:"role"`                  // RBAC role: admin, operator, analyst, viewer
-	TenantID string `json:"tenant_id,omitempty"`   // Multi-tenant isolation
-	Exp      int64  `json:"exp"`                   // Expiration (Unix timestamp)
-	Iat      int64  `json:"iat"`                   // Issued at
-	Iss      string `json:"iss,omitempty"`         // Issuer
+	Sub       string `json:"sub"`                   // Subject (username or user ID)
+	Role      string `json:"role"`                  // RBAC role: admin, operator, analyst, viewer
+	TenantID  string `json:"tenant_id,omitempty"`   // Multi-tenant isolation
+	TokenType string `json:"token_type,omitempty"` // "access" or "refresh"
+	Exp       int64  `json:"exp"`                   // Expiration (Unix timestamp)
+	Iat       int64  `json:"iat"`                   // Issued at
+	Iss       string `json:"iss,omitempty"`         // Issuer
 }

 // IsExpired returns true if the token has expired.
@ -101,9 +103,10 @@ func NewAccessToken(subject, role string, secret []byte, ttl time.Duration) (str
 		ttl = 15 * time.Minute
 	}
 	return Sign(Claims{
-		Sub: subject,
-		Role: role,
-		Exp: time.Now().Add(ttl).Unix(),
+		Sub:       subject,
+		Role:      role,
+		TokenType: "access",
+		Exp:       time.Now().Add(ttl).Unix(),
 	}, secret)
 }

@ -113,9 +116,10 @@ func NewRefreshToken(subject, role string, secret []byte, ttl time.Duration) (st
 		ttl = 7 * 24 * time.Hour
 	}
 	return Sign(Claims{
-		Sub: subject,
-		Role: role,
-		Exp: time.Now().Add(ttl).Unix(),
+		Sub:       subject,
+		Role:      role,
+		TokenType: "refresh",
+		Exp:       time.Now().Add(ttl).Unix(),
 	}, secret)
 }