fix(security): owner auth gate, OAuth state cookie binding, 0600 token perms

- Add OWNER_SECRET-based session: signed HMAC cookie, /api/auth/owner login, requireOwner middleware. All Tesla routes refuse 401 without it. - Bind OAuth state to a SameSite=Lax httpOnly cookie at /start, validate match in /callback with constant-time compare. Refuses unmatched callbacks. - Token store now mkdir 0700, writeFile + rename atomic, mode 0600 with defensive chmod. Owner-only on disk. - VIN masked to last 4 in responses; partner-register no longer echoes raw Tesla body to clients; coord bounds checked on send-to-nav. - Client: useTesla also tracks owner status; Connect Tesla button opens an OwnerLoginModal when not authenticated, then continues to Tesla OAuth. Conscious deferrals: - Explicit CSRF tokens on POST routes: mitigated by SameSite=Lax cookies + same-origin CORS. Will revisit if cross-origin clients land. - At-rest token encryption: deferred for single-user app; tokens are on a 0700 Dokku volume readable only by the app uid. Will add AES-GCM if we multi-tenant.
2026-05-31 22:32:22 +01:00
parent d705669dda
commit f793b526aa
8 changed files with 348 additions and 73 deletions
@@ -25,6 +25,10 @@ export const env = {
  grokEnabled: process.env.GROK_ENABLED !== 'false',
  forceXaiApi: process.env.FORCE_XAI_API === 'true',

+  // Owner auth — single-user gate for the Tesla integration until
+  // auth.tony.codes is wired in. Set OWNER_SECRET to a long random string.
+  ownerSecret: process.env.OWNER_SECRET || '',
+
  // Tesla Fleet API
  tesla: {
    // Public key served at /.well-known/appspecific/com.tesla.3p.public-key.pem