sec: fix C4/C5/M4/M5 + domain migration to syntrex.pro

C4: Remove localhost:9100 fallback from 27 dashboard files (use relative URLs) C5: JWT token_type differentiation (access vs refresh) - middleware rejects refresh as Bearer M4: Server-side registration gate via SOC_REGISTRATION_OPEN env var M5: HTML tag stripping on name/org_name fields (XSS prevention) Domain migration: - users.go: admin@syntrex.pro - zerotrust.go: SPIFFE trust domain - sbom.go: namespace URL - .env.production.example: all URLs updated - identity_test.go: test email
2026-04-26 04:46:22 +02:00 · 2026-03-24 11:49:33 +10:00 · 2026-03-24 11:49:33 +10:00 · 62ecc1c7a3
commit 62ecc1c7a3
parent 1b028099be
7 changed files with 76 additions and 35 deletions
--- a/internal/infrastructure/auth/middleware.go
+++ b/internal/infrastructure/auth/middleware.go
@ -78,6 +78,18 @@ func (m *JWTMiddleware) Middleware(next http.Handler) http.Handler {
 			return
 		}

+		// SEC-C5: Reject refresh tokens used as access tokens.
+		// Only "access" tokens (or legacy tokens without type) can access protected routes.
+		if claims.TokenType == "refresh" {
+			slog.Warn("refresh token used as access token",
+				"sub", claims.Sub,
+				"path", r.URL.Path,
+				"remote", r.RemoteAddr,
+			)
+			writeAuthError(w, http.StatusUnauthorized, "access token required — refresh tokens cannot be used for API access")
+			return
+		}
+
 		// Inject claims into context for downstream handlers.
 		ctx := context.WithValue(r.Context(), claimsKey, claims)
 		next.ServeHTTP(w, r.WithContext(ctx))