security: comprehensive security audit and remediation (20 fixes)

CRITICAL fixes: - Restrict X-View-Tenant impersonation to global admin only (was any admin) - Add authorization to subscription endpoints (was open to any user) - Make webhook signature verification mandatory (was skippable) - Remove databaseName from JWT payload (resolve server-side with cache) - Reduce body size limit from 1GB to 10MB (50MB for bulk CFDI) - Restrict .env file permissions to 600 HIGH fixes: - Add authorization to SAT cron endpoints (global admin only) - Add Content-Security-Policy and Permissions-Policy headers - Centralize isGlobalAdmin() utility with caching - Add rate limiting on auth endpoints (express-rate-limit) - Require authentication on logout endpoint MEDIUM fixes: - Replace Math.random() with crypto.randomBytes for temp passwords - Remove console.log of temporary passwords in production - Remove DB credentials from admin notification email - Add escapeHtml() to email templates (prevent HTML injection) - Add file size validation on FIEL upload (50KB max) - Require TLS for SMTP connections - Normalize email to lowercase before uniqueness check - Remove hardcoded default for FIEL_ENCRYPTION_KEY Also includes: - Complete production deployment documentation - API reference documentation - Security audit report with remediation details - Updated README with v0.5.0 changelog - New client admin email template - Utility scripts (create-carlos, test-emails) - PM2 ecosystem config updates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:32:04 +00:00
parent 38626bd3e6
commit 351b14a78c
31 changed files with 1287 additions and 103 deletions
--- a/apps/api/src/controllers/sat.controller.ts
+++ b/apps/api/src/controllers/sat.controller.ts
@@ -7,6 +7,7 @@ import {
 } from '../services/sat/sat.service.js';
 import { getJobInfo, runSatSyncJobManually } from '../jobs/sat-sync.job.js';
 import type { StartSyncRequest } from '@horux/shared';
+import { isGlobalAdmin } from '../utils/global-admin.js';

 /**
 * Inicia una sincronización manual
@@ -121,10 +122,14 @@ export async function retry(req: Request, res: Response): Promise<void> {
 }

 /**
- * Obtiene información del job programado (solo admin)
+ * Obtiene información del job programado (solo admin global)
 */
 export async function cronInfo(req: Request, res: Response): Promise<void> {
  try {
+    if (!(await isGlobalAdmin(req.user!.tenantId, req.user!.role))) {
+      res.status(403).json({ error: 'Solo el administrador global puede ver info del cron' });
+      return;
+    }
    const info = getJobInfo();
    res.json(info);
  } catch (error: any) {
@@ -134,10 +139,14 @@ export async function cronInfo(req: Request, res: Response): Promise<void> {
 }

 /**
- * Ejecuta el job de sincronización manualmente (solo admin)
+ * Ejecuta el job de sincronización manualmente (solo admin global)
 */
 export async function runCron(req: Request, res: Response): Promise<void> {
  try {
+    if (!(await isGlobalAdmin(req.user!.tenantId, req.user!.role))) {
+      res.status(403).json({ error: 'Solo el administrador global puede ejecutar el cron' });
+      return;
+    }
    // Ejecutar en background
    runSatSyncJobManually().catch(err =>
      console.error('[SAT Controller] Error ejecutando cron manual:', err)