fix: comprehensive security, performance, and quality hardening

Security: apply AdminOnly middleware to mutating routes, require ENCRYPTION_KEY and ADMIN_PASSWORD (no insecure defaults), restrict CORS to same-origin, fix OIDC token delivery via cookie instead of URL query param, add rate limiting on login, add MaxBytesReader, validate volume paths against traversal, add security headers, validate user roles, add Secure flag to OIDC cookie. Performance: set SQLite MaxOpenConns(1) to prevent SQLITE_BUSY, add FK indexes on 8 columns, track notifier goroutines with WaitGroup for graceful shutdown, use GetRegistryByName instead of GetAllRegistries in deployer, pass basePath param to avoid redundant settings query, return empty slices from store to remove reflection. Quality: refactor TriggerDeploy to delegate to runDeploy (~100 lines removed), consolidate duplicated utilities (extractPort, boolToInt, now, isTerminalStatus) into shared exports, migrate all log.Printf to slog structured logging, use consistent webhook response envelope, remove dead code (parseEnvVars, duplicate auth types). UX: clean up NPM proxy on instance removal via API, add README with quickstart guide, add .env.example, require ADMIN_PASSWORD in docker-compose, document staging-net prerequisite.
2026-03-29 12:49:24 +03:00
parent c5bfc586c1
commit be6ad15efc
32 changed files with 519 additions and 392 deletions
@@ -10,6 +10,7 @@ import (
 	"github.com/alexei/docker-watcher/internal/crypto"
 	"github.com/alexei/docker-watcher/internal/docker"
 	"github.com/alexei/docker-watcher/internal/events"
+	"github.com/alexei/docker-watcher/internal/npm"
 	"github.com/alexei/docker-watcher/internal/store"
 	"github.com/alexei/docker-watcher/internal/webhook"
 )
@@ -18,6 +19,7 @@ import (
 type Server struct {
 	store        *store.Store
 	docker       *docker.Client
+	npm          *npm.Client
 	deployer     DeployTriggerer
 	webhook      *webhook.Handler
 	eventBus     *events.Bus
@@ -30,6 +32,7 @@ type Server struct {
 func NewServer(
 	st *store.Store,
 	dockerClient *docker.Client,
+	npmClient *npm.Client,
 	deployer DeployTriggerer,
 	webhookHandler *webhook.Handler,
 	eventBus *events.Bus,
@@ -40,6 +43,7 @@ func NewServer(
 	s := &Server{
 		store:     st,
 		docker:    dockerClient,
+		npm:       npmClient,
 		deployer:  deployer,
 		webhook:   webhookHandler,
 		eventBus:  eventBus,
@@ -86,15 +90,19 @@ func (s *Server) Router() chi.Router {

 	// Global middleware.
 	r.Use(recovery)
+	r.Use(securityHeaders)
 	r.Use(logging)
 	r.Use(cors)

+	loginLimiter := newRateLimiter()
+
 	r.Route("/api", func(r chi.Router) {
-		// JSON content type only for API routes (not static files).
+		// JSON content type and body size limit for API routes.
 		r.Use(jsonContentType)
+		r.Use(limitBody)

 		// Public auth endpoints (no auth required).
-		r.Post("/auth/login", s.login)
+		r.Post("/auth/login", s.rateLimitedLogin(loginLimiter))
 		r.Get("/auth/oidc/login", s.oidcLogin)
 		r.Get("/auth/oidc/callback", s.oidcCallback)

@@ -105,80 +113,87 @@ func (s *Server) Router() chi.Router {
 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(s.localAuth))

-			// Config export (protected — reveals project/infra details).
-			r.Get("/config/export", s.exportConfig)
-
-			// Auth management.
+			// Read-only endpoints (any authenticated user).
 			r.Get("/auth/me", s.currentUser)
-			r.Get("/auth/settings", s.getAuthSettings)
-			r.Put("/auth/settings", s.updateAuthSettings)
-			r.Get("/auth/users", s.listUsers)
-			r.Post("/auth/users", s.createUser)
-			r.Delete("/auth/users/{uid}", s.deleteUser)
-
-			// Project endpoints.
 			r.Get("/projects", s.listProjects)
-			r.Post("/projects", s.createProject)
 			r.Route("/projects/{id}", func(r chi.Router) {
 				r.Get("/", s.getProject)
-				r.Put("/", s.updateProject)
-				r.Delete("/", s.deleteProject)
-
-				// Stage endpoints.
-				r.Post("/stages", s.createStage)
-				r.Put("/stages/{stage}", s.updateStage)
-				r.Delete("/stages/{stage}", s.deleteStage)
-
-				// Stage env override endpoints.
 				r.Get("/stages/{stage}/env", s.listStageEnv)
-				r.Post("/stages/{stage}/env", s.createStageEnv)
-				r.Put("/stages/{stage}/env/{envId}", s.updateStageEnv)
-				r.Delete("/stages/{stage}/env/{envId}", s.deleteStageEnv)
-
-				// Instance endpoints.
 				r.Get("/stages/{stage}/instances", s.listInstances)
-				r.Post("/stages/{stage}/instances", s.deployInstance)
-				r.Delete("/stages/{stage}/instances/{iid}", s.removeInstance)
-
-				// Instance control endpoints.
-				r.Post("/stages/{stage}/instances/{iid}/stop", s.stopInstance)
-				r.Post("/stages/{stage}/instances/{iid}/start", s.startInstance)
-				r.Post("/stages/{stage}/instances/{iid}/restart", s.restartInstance)
-
-				// Volume endpoints.
 				r.Get("/volumes", s.listVolumes)
-				r.Post("/volumes", s.createVolume)
-				r.Put("/volumes/{volId}", s.updateVolume)
-				r.Delete("/volumes/{volId}", s.deleteVolume)
 			})
-
-			// Deploy endpoints.
 			r.Get("/deploys", s.listDeploys)
 			r.Get("/deploys/{id}/logs", s.streamDeployLogs)
-
-			// SSE endpoint for real-time instance status and deploy events.
 			r.Get("/events", s.streamEvents)
-
-			// Quick deploy endpoints.
-			r.Post("/deploy/inspect", s.inspectImage)
-			r.Post("/deploy/quick", s.quickDeploy)
-
-			// Registry endpoints.
 			r.Get("/registries", s.listRegistries)
-			r.Post("/registries", s.createRegistry)
 			r.Route("/registries/{id}", func(r chi.Router) {
-				r.Put("/", s.updateRegistry)
-				r.Delete("/", s.deleteRegistry)
-				r.Post("/test", s.testRegistry)
 				r.Get("/tags/*", s.listRegistryTags)
 				r.Get("/images", s.listRegistryImages)
 			})
-
-			// Settings endpoints.
 			r.Get("/settings", s.getSettings)
-			r.Put("/settings", s.updateSettings)
-			r.Get("/settings/webhook-url", s.getWebhookURL)
-			r.Post("/settings/webhook-url/regenerate", s.regenerateWebhookSecret)
+
+			// Admin-only routes: require admin role.
+			r.Group(func(r chi.Router) {
+				r.Use(auth.AdminOnly)
+
+				// Config export (reveals project/infra details).
+				r.Get("/config/export", s.exportConfig)
+
+				// Auth management.
+				r.Get("/auth/settings", s.getAuthSettings)
+				r.Put("/auth/settings", s.updateAuthSettings)
+				r.Get("/auth/users", s.listUsers)
+				r.Post("/auth/users", s.createUser)
+				r.Delete("/auth/users/{uid}", s.deleteUser)
+
+				// Project mutation endpoints.
+				r.Post("/projects", s.createProject)
+				r.Route("/projects/{id}", func(r chi.Router) {
+					r.Put("/", s.updateProject)
+					r.Delete("/", s.deleteProject)
+
+					// Stage endpoints.
+					r.Post("/stages", s.createStage)
+					r.Put("/stages/{stage}", s.updateStage)
+					r.Delete("/stages/{stage}", s.deleteStage)
+
+					// Stage env override endpoints.
+					r.Post("/stages/{stage}/env", s.createStageEnv)
+					r.Put("/stages/{stage}/env/{envId}", s.updateStageEnv)
+					r.Delete("/stages/{stage}/env/{envId}", s.deleteStageEnv)
+
+					// Instance endpoints.
+					r.Post("/stages/{stage}/instances", s.deployInstance)
+					r.Delete("/stages/{stage}/instances/{iid}", s.removeInstance)
+
+					// Instance control endpoints.
+					r.Post("/stages/{stage}/instances/{iid}/stop", s.stopInstance)
+					r.Post("/stages/{stage}/instances/{iid}/start", s.startInstance)
+					r.Post("/stages/{stage}/instances/{iid}/restart", s.restartInstance)
+
+					// Volume endpoints.
+					r.Post("/volumes", s.createVolume)
+					r.Put("/volumes/{volId}", s.updateVolume)
+					r.Delete("/volumes/{volId}", s.deleteVolume)
+				})
+
+				// Quick deploy endpoints.
+				r.Post("/deploy/inspect", s.inspectImage)
+				r.Post("/deploy/quick", s.quickDeploy)
+
+				// Registry mutation endpoints.
+				r.Post("/registries", s.createRegistry)
+				r.Route("/registries/{id}", func(r chi.Router) {
+					r.Put("/", s.updateRegistry)
+					r.Delete("/", s.deleteRegistry)
+					r.Post("/test", s.testRegistry)
+				})
+
+				// Settings endpoints.
+				r.Put("/settings", s.updateSettings)
+				r.Get("/settings/webhook-url", s.getWebhookURL)
+				r.Post("/settings/webhook-url/regenerate", s.regenerateWebhookSecret)
+			})
 		})
 	})