93811b59cb
C-2: JWT moved from localStorage to httpOnly cookie (eliminates XSS token theft) C-3: WebSocket auth via short-lived single-use tickets (JWT no longer in URLs) H-1: JWT expiry reduced from 7 days to 4 hours H-3: TOTP secrets encrypted at rest with vault EncryptionService (auto-migrates plaintext) H-6: Rate limiting via @nestjs/throttler (60 req/min global, tighten on auth) H-8: Constant-time login — Argon2id verify runs against dummy hash for non-existent users H-9: Password hashing upgraded from bcrypt(10) to Argon2id (auto-upgrades on login) H-10: Credential list API no longer returns encrypted blobs H-16: Admin pages use Nuxt route middleware instead of client-side guard Plus: auth bootstrap plugin, cookie-parser middleware, all frontend Authorization headers removed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
24 lines
811 B
TypeScript
24 lines
811 B
TypeScript
import { Injectable } from '@nestjs/common';
|
|
import { PassportStrategy } from '@nestjs/passport';
|
|
import { ExtractJwt, Strategy } from 'passport-jwt';
|
|
|
|
@Injectable()
|
|
export class JwtStrategy extends PassportStrategy(Strategy) {
|
|
constructor() {
|
|
super({
|
|
jwtFromRequest: (req: any) => {
|
|
// Cookie-based auth (C-2) — preferred in production
|
|
if (req?.cookies?.wraith_token) return req.cookies.wraith_token;
|
|
// Fallback: Authorization header (for migration / API clients)
|
|
return ExtractJwt.fromAuthHeaderAsBearerToken()(req);
|
|
},
|
|
ignoreExpiration: false,
|
|
secretOrKey: process.env.JWT_SECRET,
|
|
});
|
|
}
|
|
|
|
validate(payload: { sub: number; email: string; role: string }) {
|
|
return { sub: payload.sub, email: payload.email, role: payload.role };
|
|
}
|
|
}
|