pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-20 14:31:12 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
django-backend
thrilltrack-explorer/src-old/lib/securityValidation.ts

93 lines
3.2 KiB
TypeScript
Raw Permalink Blame History

import { z } from 'zod';
import type { SecurityOperation } from '@/types/auth';
import type { UserRole } from '@/hooks/useUserRole';
/**
* Validation schemas for security operations
*/
export const sessionRevocationSchema = z.object({
sessionId: z.string().uuid('Invalid session ID'),
requiresConfirmation: z.boolean().default(true),
});
export const identityOperationSchema = z.object({
provider: z.enum(['google', 'discord']),
redirectTo: z.string().url().optional(),
});
export const mfaOperationSchema = z.object({
factorId: z.string().uuid('Invalid factor ID').optional(),
code: z.string().length(6, 'Code must be 6 digits').regex(/^\d+$/, 'Code must be numeric').optional(),
});
export const passwordChangeSchema = z.object({
currentPassword: z.string().min(1, 'Current password required'),
newPassword: z.string()
.min(8, 'Must be at least 8 characters')
.max(128, 'Must be less than 128 characters')
.regex(/[A-Z]/, 'Must contain uppercase letter')
.regex(/[a-z]/, 'Must contain lowercase letter')
.regex(/[0-9]/, 'Must contain number')
.regex(/[^A-Za-z0-9]/, 'Must contain special character'),
confirmPassword: z.string(),
captchaToken: z.string().min(1, 'CAPTCHA verification required'),
}).refine(data => data.newPassword === data.confirmPassword, {
message: "Passwords don't match",
path: ["confirmPassword"]
});
/**
* Determines if an operation requires CAPTCHA verification
*/
export function requiresCaptcha(operation: SecurityOperation): boolean {
const captchaOperations: SecurityOperation[] = [
'password_change',
'identity_disconnect',
'mfa_unenroll'
];
return captchaOperations.includes(operation);
}
/**
* Determines if an operation requires MFA verification for the user's role
*/
export function requiresMFA(
operation: SecurityOperation,
userRoles: UserRole[]
): boolean {
const privilegedRoles: UserRole[] = ['moderator', 'admin', 'superuser'];
const hasPrivilegedRole = userRoles.some(role => privilegedRoles.includes(role));
if (!hasPrivilegedRole) return false;
// MFA required for these operations if user is privileged
const mfaOperations: SecurityOperation[] = [
'password_change',
'session_revoke',
'mfa_unenroll'
];
return mfaOperations.includes(operation);
}
/**
* Get rate limit parameters for a security operation
*/
export function getRateLimitParams(operation: SecurityOperation): {
action: string;
maxAttempts: number;
windowMinutes: number;
} {
const limits: Record<SecurityOperation, { action: string; maxAttempts: number; windowMinutes: number }> = {
password_change: { action: 'password_change', maxAttempts: 3, windowMinutes: 60 },
identity_disconnect: { action: 'identity_disconnect', maxAttempts: 3, windowMinutes: 60 },
identity_connect: { action: 'identity_connect', maxAttempts: 5, windowMinutes: 60 },
session_revoke: { action: 'session_revoke', maxAttempts: 10, windowMinutes: 60 },
mfa_enroll: { action: 'mfa_enroll', maxAttempts: 3, windowMinutes: 60 },
mfa_unenroll: { action: 'mfa_unenroll', maxAttempts: 2, windowMinutes: 1440 }, // Phase 4: 2 per day
};
return limits[operation] || { action: operation, maxAttempts: 5, windowMinutes: 60 };
}
Reference in New Issue View Git Blame Copy Permalink