security: harden remote-access stack (pentest remediation R1-R4)

App layer (R1): bind frps NewProxy to token-owned subdomain (anti-hijack), default-deny unknown webhook ops, HMAC-verify stripe-stub billing webhook, enforce bandwidth quota kill-switch (Ping op), least-privilege table grants (migrations 0002/0003), GOTRUE_PASSWORD_MIN_LENGTH=12. Infra/net (R2): unpublish internal host ports (kong/pooler/analytics/frps-dash), read-only docker-socket-proxy for vector (no host breakout), on-demand-TLS allow-list authorizer, edge-block machine-only webhooks, no-new-privileges on custom containers. Secrets (R3): rotate Postgres password (all roles) + frps dashboard; replace predictable supavisor defaults; secrets externalized to gitignored .env. Med/Low (R4): security response headers (HSTS/XCTO/XFO/Referrer/Permissions/COOP), restrict frp proxy_type to http (no open relay), disable destructive redis commands, tighten frps.toml perms. No secrets committed; rotated values live only in gitignored .env files.
2026-05-30 10:45:07 +02:00
parent a8593afa61
commit 50ab46dbe1
12 changed files with 259 additions and 33 deletions
@@ -0,0 +1,54 @@
+-- 0002: pentest remediation (A4/W3 privilege reduction, A3 quota default, W1 subscription rows)
+BEGIN;
+
+-- ---------------------------------------------------------------------------
+-- A4 / W3: authenticated users must NOT be able to UPDATE tunnels directly.
+-- All legitimate writes (claim, token rotation, quota/usage, activation) go
+-- through service-role server routes / workers. A direct grant let an owner
+-- tamper with bytes_used, quota_bytes, is_active, token and subdomain.
+-- ---------------------------------------------------------------------------
+REVOKE UPDATE ON public.tunnels FROM authenticated;
+DROP POLICY IF EXISTS tunnels_update_own ON public.tunnels;
+-- SELECT (read-only dashboard) stays intact via tunnels_select_own.
+
+-- ---------------------------------------------------------------------------
+-- A3: free-tier quota default 1 TiB -> 2 GiB, and shrink existing rows that
+-- still carry the old default so the kill-switch is meaningful.
+-- ---------------------------------------------------------------------------
+ALTER TABLE public.tunnels ALTER COLUMN quota_bytes SET DEFAULT 2147483648;
+UPDATE public.tunnels
+   SET quota_bytes = 2147483648
+ WHERE quota_bytes = 1099511627776;
+
+-- ---------------------------------------------------------------------------
+-- W1 (enablement): ensure every user has a subscriptions row so the billing
+-- webhook activation (PATCH by user) actually targets a row, and backfill
+-- existing users.
+-- ---------------------------------------------------------------------------
+CREATE OR REPLACE FUNCTION public.handle_new_user()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+  INSERT INTO public.users_profile (user_id, email)
+  VALUES (NEW.id, NEW.email)
+  ON CONFLICT (user_id) DO NOTHING;
+
+  INSERT INTO public.subscriptions (user_id, plan, status)
+  VALUES (NEW.id, 'free', 'active')
+  ON CONFLICT (user_id) DO NOTHING;
+
+  RETURN NEW;
+END;
+$$;
+
+REVOKE ALL ON FUNCTION public.handle_new_user() FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION public.handle_new_user() TO supabase_auth_admin;
+
+INSERT INTO public.subscriptions (user_id, plan, status)
+SELECT id, 'free', 'active' FROM auth.users
+ON CONFLICT (user_id) DO NOTHING;
+
+COMMIT;