diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index 5c7716ff..a1b1eb3a 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -48,7 +48,6 @@ Load relevant documentation based on your current task. Don't load everything— | **Schema** | `docs/reference/schema.md` | Database changes, data persistence, entity schemas | | **Models** | `docs/reference/models.md` | 3D models, GLTF specs, model requirements | | **Textures** | `docs/reference/textures.md` | Texture specs, UV mapping, material setup | -| **Security** | `docs/security/SECURITY_AUDIT.md` | Security review, vulnerability assessment | | **Testing** | `docs/TESTING.md` | Test framework, coverage reports, testing patterns | ### Project Management (in `.claude/`) @@ -266,8 +265,6 @@ docs/ │ ├── schema.md # Database schema │ ├── models.md # 3D model specs │ └── textures.md # Texture specs -├── security/ # Security docs -│ └── SECURITY_AUDIT.md └── tools/ # Development tools ├── blender/ # Blender scripts ├── asset-pipeline/ # Asset processing diff --git a/.claude/TODO.md b/.claude/TODO.md index 1b66488c..1d4e7e66 100644 --- a/.claude/TODO.md +++ b/.claude/TODO.md @@ -2,8 +2,6 @@ ## Current Priority: Core Features (Single-Player) -> See **ROADMAP.md** for comprehensive feature breakdown - --- ## Fog of War Post-Processing Overhaul (January 2026) ✓ @@ -1133,8 +1131,6 @@ ## Future: Multiplayer - P2P Architecture (NEW DIRECTION) -> See **P2P_ARCHITECTURE.md** for comprehensive design document - ### Current Multiplayer Status (Supabase-Based) **✅ Infrastructure Complete:** diff --git a/docs/security/SECURITY_AUDIT.md b/docs/security/SECURITY_AUDIT.md deleted file mode 100644 index 3bbd6cd8..00000000 --- a/docs/security/SECURITY_AUDIT.md +++ /dev/null @@ -1,245 +0,0 @@ -# VOIDSTRIKE Security Audit Report - -> ⚠️ **HISTORICAL DOCUMENT - ARCHITECTURE CHANGED** -> -> This audit was created for the **old Supabase-based architecture** on January 15, 2026. -> The same day, the project was refactored to use **serverless P2P multiplayer** via Nostr relays. -> -> **What's now irrelevant:** -> - Supabase authentication (removed) -> - Database rate limiting (no database) -> - Password policies (no passwords - Ed25519 keys) -> - Auth endpoint security (no auth endpoints) -> -> **What was fixed:** -> - ✅ Next.js upgraded from 14.0.4 to 16.1.2 (critical vulnerability fixed) -> -> **Still relevant:** -> - Security headers recommendation (partially implemented) - ---- - -**Original Date:** January 15, 2026 -**Scope:** MVP Launch Readiness (Pre-Architecture Change) -**Status:** SUPERSEDED - ---- - -## Executive Summary (Historical) - -This application has **one critical vulnerability** that must be fixed before MVP launch, along with several medium-priority security hardening items. The codebase is generally well-structured and avoids many common "slop AI" security mistakes. - -### Original Verdict: NOT READY for MVP launch until Critical issue is fixed -### Current Status: Critical issue FIXED (Next.js upgraded) - ---- - -## Critical Issues (Must Fix Before Launch) - -### 1. Outdated Next.js with Known Critical Vulnerabilities - -**Severity:** CRITICAL -**Location:** `package.json` line 13 -**Current Version:** 14.0.4 -**Fixed Version:** 14.2.35+ - -**Vulnerabilities in Current Version:** -- Server-Side Request Forgery (SSRF) in Server Actions -- Authorization Bypass in Middleware (CVE allows bypassing auth) -- Cache Poisoning attacks -- Multiple Denial of Service vectors -- Image Optimization Content Injection - -**Fix:** -```bash -npm install next@14.2.35 -# or for latest -npm install next@latest -``` - -**Why This Is Embarassing Hour-1 Material:** Security researchers actively scan for outdated Next.js. Automated tools will flag this immediately. Known exploits exist. - ---- - -## High Priority Issues (Fix Before Launch) - -### 2. Missing Security Headers - -**Severity:** HIGH -**Location:** `next.config.js` - -The application only sets COOP/COEP headers (for SharedArrayBuffer). Missing critical security headers: - -| Header | Purpose | Impact if Missing | -|--------|---------|-------------------| -| Content-Security-Policy | XSS prevention | Script injection attacks | -| X-Frame-Options | Clickjacking prevention | UI redressing attacks | -| X-Content-Type-Options | MIME sniffing prevention | Content-type attacks | -| Strict-Transport-Security | Force HTTPS | Downgrade attacks | -| Referrer-Policy | URL leakage prevention | Information disclosure | - -**Recommended Fix for `next.config.js`:** -```javascript -headers: [ - { - source: '/:path*', - headers: [ - { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' }, - { key: 'Cross-Origin-Embedder-Policy', value: 'require-corp' }, - { key: 'X-Frame-Options', value: 'DENY' }, - { key: 'X-Content-Type-Options', value: 'nosniff' }, - { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }, - { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' }, - // Add CSP appropriate for your app - ], - }, -] -``` - -### 3. No Rate Limiting - -**Severity:** HIGH -**Location:** All API endpoints, Auth functions - -No rate limiting exists on: -- Authentication attempts (enables credential stuffing) -- Lobby creation (enables resource exhaustion) -- Online player count queries (enables scraping) - -**Recommendation:** Implement rate limiting at the edge (Vercel) or via middleware: -```typescript -// Example using Vercel Edge Config or upstash/ratelimit -import { Ratelimit } from '@upstash/ratelimit' -``` - ---- - -## Medium Priority Issues (Fix Soon After Launch) - -### 4. Weak Password Policy - -**Severity:** MEDIUM -**Location:** `src/components/auth/AuthModal.tsx:71` - -Current policy: 6 characters minimum, no complexity requirements. - -**Issues:** -- No uppercase/lowercase requirements -- No number requirements -- No special character requirements -- Supabase default allows common passwords - -**Note:** This is enforced client-side only. Supabase server may have additional validation. - -### 5. No Route Protection Middleware - -**Severity:** MEDIUM -**Location:** Project root (missing `middleware.ts`) - -No middleware exists to protect routes. All authorization is done at the component level. While RLS protects data, route-level protection provides defense in depth. - -### 6. SECURITY DEFINER Functions - -**Severity:** MEDIUM -**Location:** `supabase/migrations/001_initial_schema.sql:325, 368` - -Two functions use `SECURITY DEFINER`: -- `update_player_stats_after_match()` -- `cleanup_stale_lobbies()` - -These run with elevated privileges. While they appear safe, any future modifications require careful review. - -### 7. No Audit Logging - -**Severity:** MEDIUM -**Location:** Application-wide - -No logging of security-relevant events: -- Failed login attempts -- Account creation -- Profile modifications -- Lobby creation/deletion - ---- - -## Low Priority Issues (Nice to Have) - -### 8. Username Validation - -**Severity:** LOW -**Location:** `src/lib/auth.ts:170-176` - -Usernames are stored without sanitization. While React auto-escapes on render (preventing XSS), server-side validation would provide defense in depth. - -Current: `maxLength={32}` in UI only -Recommendation: Add server-side validation regex - -### 9. Anonymous Account Abuse Potential - -**Severity:** LOW -**Location:** Auth flow - -Anonymous accounts can: -- Join public lobbies -- Have stats recorded -- Potentially participate in ranked (check RLS policies) - -Consider whether this is the intended behavior. - ---- - -## What's Actually Good (Not "Slop AI" Issues) - -The codebase correctly handles several security concerns: - -1. **No SQL Injection:** Uses Supabase SDK with parameterized queries -2. **No Hardcoded Secrets:** All secrets in environment variables -3. **No eval() or dangerous patterns:** No dynamic code execution -4. **No innerHTML with user data:** Only static string in desync indicator -5. **Row Level Security enabled:** Database has RLS on all tables -6. **TypeScript strict mode:** Catches type-related security issues -7. **React auto-escaping:** JSX prevents basic XSS -8. **Environment variables properly gitignored:** `.env` files not in repo -9. **Proper session handling:** Using Supabase's secure session management -10. **Music API is safe:** Config-driven, no user input to file paths - ---- - -## Pre-Launch Checklist - -- [ ] **CRITICAL:** Update Next.js to 14.2.35+ (`npm install next@14.2.35`) -- [ ] Add security headers to `next.config.js` -- [ ] Implement rate limiting on auth endpoints -- [ ] Consider stronger password policy -- [ ] Run `npm audit fix` after Next.js update -- [ ] Verify Supabase RLS policies in dashboard -- [ ] Enable Supabase's built-in abuse protection - ---- - -## Commands to Run - -```bash -# Fix critical vulnerability -npm install next@14.2.35 - -# Check for remaining issues -npm audit - -# Verify build still works -npm run build -npm run type-check -``` - ---- - -## Summary - -| Category | Count | Status | -|----------|-------|--------| -| Critical | 1 | Must fix | -| High | 2 | Should fix | -| Medium | 4 | Fix soon | -| Low | 2 | Nice to have | - -**Bottom Line:** Fix the Next.js version and add security headers before launch. The rest of the codebase is reasonably secure for an MVP - no embarrassing AI slop issues like hardcoded API keys, eval(), or SQL injection.