curo/kite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(02): update verification report after plan 06 gap closure — 2 security blockers flagged

Browse Source
This commit is contained in:
curo1305
2026-06-01 14:37:23 +02:00
parent a6c227cc7e
commit 8601a02189
1 changed files with 177 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.planning/phases/02-users-authentication/02-VERIFICATION.md
+177 -131
View File
@@ -1,76 +1,86 @@
---
phase: 02-users-authentication
verified: 2026-05-22T18:18:52Z
status: gaps_found
score: 4/5
verified: 2026-06-01T14:35:00Z
status: human_needed
score: 6/6
overrides_applied: 0
re_verification: false
gaps:
re_verification:
previous_status: gaps_found
previous_score: 4/5
gaps_closed:
- "Admin can create a new user via POST /api/admin/users without HTTP 500 (session.flush() confirmed, regression test passes)"
- "Auth/login pages show AuthLayout only — App.vue now layout-aware via route.meta.layout conditional"
- "After logout the sidebar is gone — same App.vue v-if fix covers the logged-out state"
- "Non-admin user navigating to /admin is redirected to / — requiresAdmin guard in beforeEach wired"
- "TOTP enrollment shows scannable QR image — qrcode library installed, img tag renders QR from QRCode.toDataURL"
- "TOTP enrollment accessible from Account tab in /settings — SettingsAccountTab.vue created and wired"
gaps_remaining:
- "SC5 (admin JWT returns 403 on document content) — deferred to Phase 3 per D-07 CONTEXT.md decision"
open_findings:
- "CR-01: change_password does not revoke active sessions (CLAUDE.md line 153 — security invariant)"
- "CR-02: disable_totp does not revoke active sessions (CLAUDE.md line 153 — security invariant)"
- "CR-03: ConfirmBlock.vue has no named slot — #confirm-button in SettingsAccountTab is dead (spinner/guard never activates)"
- "WR-01: decodeURIComponent on query param in SettingsView.vue has no error handling — URIError on malformed %encoding"
- "WR-02: TOTP verify code button re-enables during 800ms success flash — double-submission possible"
- "WR-03: Password error routing uses fragile string-matching on raw API messages"
- "WR-04: topicsStore.fetchTopics() fires unconditionally on every page load including auth pages"
regressions: []
deferred:
- truth: "Attempting to access document content via an admin JWT returns 403"
status: partial
reason: "The documents API (backend/api/documents.py) has no authentication enforcement at all — no get_current_user dependency, no JWT validation. Any request (with or without a JWT) accesses documents. An admin JWT does not receive a 403; it is simply ignored. Admin.py has no document-content endpoints (SEC-07's admin-response clause is met), but the documents API does not reject admin-role tokens or any tokens."
artifacts:
- path: "backend/api/documents.py"
issue: "No auth dependency on any endpoint. get_current_user is not imported or used. This is the pre-Phase-3 single-user API state — per D-03 note in STATE.md, auth enforcement on documents is deferred to Phase 3."
missing:
- "Either: add get_current_user + role check to documents.py endpoints NOW to make admin-JWT return 403, OR explicitly scope SC5's 'admin JWT returns 403' clause as a Phase 3 deliverable in ROADMAP.md."
addressed_in: "Phase 3"
evidence: "Phase 3 goal: Document Migration and Multi-User Isolation. CONTEXT.md D-07: existing /api/documents stays public in Phase 2; gains get_current_user guards in Phase 3. REQUIREMENTS.md traceability: SEC-04 mapped to Phase 3."
human_verification:
- test: "TOTP enrollment end-to-end"
expected: "User scans otpauth:// link in authenticator app, enters 6-digit code, sees 10 backup codes, checks acknowledgment checkbox, enables 2FA, and thereafter login requires TOTP code"
why_human: "Multi-step UI flow with authenticator app interaction cannot be verified by grep or build"
expected: "User navigates to /settings, clicks Account tab, sees TotpEnrollment component. In setup step: QR image renders (not a text link). User scans QR with authenticator app. In verify step: user enters 6-digit code. In backup-codes step: 10 codes displayed in 2-column grid with Copy All button and acknowledgment checkbox gating Enable 2FA. After enabling: account shows 2FA active; next login requires TOTP code."
why_human: "Multi-step flow requires authenticator app; QR image rendering requires visual confirmation; backup-code acknowledgment gate requires UI interaction"
- test: "Password reset email delivery"
expected: "User receives reset email at their address, link expires after 1 hour, following the link and setting a new password returns 200 with 'Please sign in' (no auto-login), user must pass TOTP gate on next login"
why_human: "Requires SMTP/Celery infrastructure running and actual email receipt"
- test: "Sign out all devices from account settings"
expected: "Clicking 'Sign out all devices' in AccountView invalidates all active sessions; other browser tabs/devices lose access on next request"
why_human: "Multi-session behavior requires multiple live browser sessions"
- test: "Admin panel tab navigation"
expected: "Admin user sees shield icon 'Admin' link in sidebar, can navigate Users / Quotas / AI Config tabs, non-admin user does not see the admin link"
why_human: "UI rendering and role-conditional visibility require browser"
expected: "User triggers /password-reset for a real email account. Email arrives with correct signed link. Link expires after 1 hour. Following the link and submitting a new strong password returns success message with no auto-login. User must go to /login and pass TOTP gate if 2FA was enabled."
why_human: "Requires SMTP/Celery infrastructure running and actual email receipt; anti-enumeration 202 response cannot confirm dispatch"
- test: "Sign out all devices"
expected: "User clicks Sign out all devices in /settings Account tab. ConfirmBlock appears. On confirm: all sessions revoked, current browser redirected to /login. A second browser tab's next authenticated request fails with 401."
why_human: "Multi-session testing requires two live sessions; refresh token family invalidation requires browser-level verification"
- test: "Admin panel role visibility and CRUD"
expected: "Regular user does not see Admin link in sidebar and cannot navigate to /admin (redirected to /). Admin user sees Admin link with shield icon; can navigate Users/Quotas/AI Config tabs; can create a test user (no HTTP 500); can deactivate a user with inline confirmation showing correct email."
why_human: "Visual rendering, role-conditional DOM, and inline confirmation UX require browser interaction"
- test: "CR-01 / CR-02: Session revocation on password change and TOTP disable"
expected: "After successfully changing password in Account tab: current session is invalidated and user is redirected to /login (or receives a clear sign-out prompt). Any other active refresh tokens are revoked. Same behavior after disabling TOTP. A previously-valid refresh cookie must fail with 401 after the change."
why_human: "Requires confirming backend revocation behavior with live sessions; current code does NOT revoke sessions (CR-01/CR-02 are open code-review blockers — this test is expected to FAIL until the backend fix is applied)"
---
# Phase 2: Users & Authentication — Verification Report
# Phase 2: Users & Authentication — Verification Report (Re-Verification after Plan 06 Gap Closure)
**Phase Goal:** Users can register, log in (with optional TOTP 2FA), reset their password, and sign out all active sessions; admins can manage user accounts and assign AI providers — all enforced by a complete FastAPI dependency chain.
**Verified:** 2026-05-22T18:18:52Z
**Status:** GAPS FOUND
**Re-verification:** No — initial verification
**Verified:** 2026-06-01T14:35:00Z
**Status:** HUMAN NEEDED (all automated checks pass; 5 items require human testing; 2 security invariants from CLAUDE.md require developer resolution)
**Re-verification:** Yes — after Plan 06 gap closure (5 UAT gaps closed)
---
## Goal Achievement
### Observable Truths (Success Criteria)
### Observable Truths (Success Criteria from Plan 06 must_haves)
| # | Truth | Status | Evidence |
|---|-------|--------|----------|
| SC1 | New user can register with strength-validated password; HIBP-listed password rejected | VERIFIED | `check_hibp()` in services/auth.py uses k-anonymity SHA-1 prefix (5 chars); `_validate_password_strength()` enforces 12+ chars, upper, lower, digit, special; 4 tests covering register success, duplicate email, weak password, HIBP breach all pass |
| SC2 | User can enroll TOTP authenticator, receive 10 backup codes with acknowledgment gate, TOTP required on every subsequent login, backup code invalidated on first use | VERIFIED | `provision_totp()`, `generate_backup_codes(10)`, `store_backup_codes()` in services/auth.py; `BackupCodesDisplay.vue` has acknowledgment checkbox gating "Enable 2FA" button; `verify_backup_code()` iterates all codes (constant-time) and sets `used_at=now()` on match; Redis replay prevention on `totp_used:{user_id}:{code}` TTL=90s |
| SC3 | User can reset password via email link (1-hour token), no auto-login after reset, returns to TOTP gate | VERIFIED | `create_password_reset_token()` / `decode_password_reset_token()` uses `typ="password-reset"` claim; `/password-reset/confirm` explicitly does NOT return access_token (comment: "AUTH-05 — user must pass TOTP gate on next login"); anti-enumeration: `/password-reset` always returns 202; test `test_password_reset_confirm_valid_no_autologin` passes |
| SC4 | User can trigger "sign out all devices"; other sessions immediately invalidated; reuse of rotated refresh token revokes entire family | VERIFIED | `revoke_all_refresh_tokens()` marks all user's tokens revoked; `rotate_refresh_token()` checks `row.revoked=True` → calls `revoke_all_refresh_tokens()` + `send_security_alert_email.delay()` + raises `ValueError("token_family_revoked")`; `logout_all` endpoint (lines 370-379 api/auth.py) calls `revoke_all_refresh_tokens()` |
| SC5 | Admin can create/deactivate/reset user accounts and assign AI provider; **attempting to access document content via admin JWT returns 403** | PARTIAL — BLOCKER | Admin CRUD endpoints verified (7 endpoints, `get_current_admin` on all, `_user_to_dict()` whitelist excludes `password_hash`/`credentials_enc`). BUT: `backend/api/documents.py` has NO auth enforcement at all — any request (with or without JWT) accesses documents. An admin JWT is not rejected; it is simply ignored. The 403 clause of SC5 is not met. |
| T1 | Admin can create a new user via POST /api/admin/users without HTTP 500 | VERIFIED | `await session.flush()` at admin.py:247 (before `write_audit_log()`); `test_create_user_writes_audit_log` passes (1 passed, 2.23s) |
| T2 | Login, register, and password-reset pages show AuthLayout only — no sidebar, no user identity footer | VERIFIED | App.vue line 2: `<AuthLayout v-if="route.meta.layout === 'auth'" />`; all 4 auth routes have `meta: { public: true, layout: 'auth' }` in router/index.js (4 grep matches at lines 22, 27, 32, 37) |
| T3 | After logout the sidebar is gone — the user lands on the login page with AuthLayout | VERIFIED | Same App.vue v-if fix covers logged-out state; /login has `layout: 'auth'` meta so AuthLayout renders, not app shell |
| T4 | Non-admin user navigating to /admin is redirected to / | VERIFIED | router/index.js:91-93: `if (to.meta.requiresAdmin && authStore.user?.role !== 'admin') return { path: '/' }`; /admin has `meta: { requiresAdmin: true }` at line 42 |
| T5 | TOTP enrollment step 1 shows a scannable QR image, not a text link | VERIFIED | TotpEnrollment.vue:111 `import QRCode from 'qrcode'`; line 120 `const qrDataUrl = ref('')`; line 136 `qrDataUrl.value = await QRCode.toDataURL(qrUri.value, ...)`; line 34 `<img v-if="qrDataUrl" :src="qrDataUrl" alt="TOTP QR code" ...>` |
| T6 | TOTP enrollment option is accessible from a tab within /settings (Account tab) | VERIFIED | SettingsView.vue:92 imports SettingsAccountTab; line 100 `{ id: 'account', label: 'Account' }` in tabs array; line 52 `<SettingsAccountTab v-if="activeTab === 'account'" />`; SettingsAccountTab.vue contains TotpEnrollment component at line 63 |
**Score: 4/5 truths verified**
**Score: 6/6 truths verified**
---
### Gap Detail: SC5 — Admin JWT Document Access
### Deferred Items (from Initial Verification — SC5)
**Status:** PARTIAL / BLOCKER
Items not yet met but explicitly addressed in later milestone phases.
The documents API (`backend/api/documents.py`) has no `get_current_user` or `get_current_admin` dependency on any endpoint. No JWT is validated. This is the pre-Phase 3 single-user API state, explicitly noted in STATE.md (D-03 decision):
> "documents.user_id nullable Phase 1 — D-03 — no auth in Phase 1; Phase 2 migration adds NOT NULL after auth lands"
However, SEC-07 (Phase 2 requirement) states: "Admin role verified on every admin endpoint request; admin cannot access document content, extracted text, or cloud credentials in any response." The admin API endpoints correctly meet the first clause (all protected by `get_current_admin`) and the second clause (no document content in admin responses via `_user_to_dict()` whitelist). But the documents API itself is fully open — an admin JWT does not return 403 when accessing document content there.
Phase 3's scope (Document Migration & Multi-User Isolation) will add `get_current_user` to document endpoints and enforce `resource.user_id == current_user.id`. Once Phase 3 lands, all users (including admins) will only see their own documents. However, the ROADMAP SC5 specifically says "admin JWT returns 403 for document content" as a Phase 2 deliverable.
**Options for resolution:**
1. Add a narrow role-check guard in documents.py now (e.g., admin role in `get_current_user` → 403) — minimal Phase 2 work
2. Update ROADMAP.md to scope the "admin JWT → 403 on documents" clause to Phase 3 alongside full auth enforcement
3. Accept as-is noting Phase 3 fully resolves it (with ROADMAP update)
| # | Item | Addressed In | Evidence |
|---|------|-------------|---------|
| 1 | Attempting to access document content via an admin JWT returns 403 | Phase 3 | Phase 3 goal: "Document Migration and Multi-User Isolation." CONTEXT.md D-07: `/api/documents`, `/api/topics`, `/api/settings` stay public in Phase 2; gain `get_current_user` guards in Phase 3. REQUIREMENTS.md: SEC-04 mapped to Phase 3. The admin panel API (`/api/admin/*`) correctly enforces `get_current_admin` on all endpoints. |
---
@@ -78,20 +88,14 @@ Phase 3's scope (Document Migration & Multi-User Isolation) will add `get_curren
| Artifact | Expected | Status | Details |
|----------|----------|--------|---------|
| `backend/services/auth.py` | Full auth service layer (Argon2, JWT, refresh, TOTP, backup codes, HIBP) | VERIFIED | 428 lines; 16 exported functions; no FastAPI coupling (single mention of "HTTPException" is in module docstring comment, not import or raise) |
| `backend/deps/auth.py` | `get_current_user` + `get_current_admin` FastAPI dependencies | VERIFIED | Both functions present; `get_current_admin` raises 403 on non-admin role |
| `backend/api/auth.py` | Register, login, refresh, logout, logout-all, me, change-password, TOTP setup/enable/disable, password-reset, password-reset/confirm | VERIFIED | 615 lines; 13 async handlers; all endpoints present |
| `backend/api/admin.py` | 7 admin endpoints with `get_current_admin` on every handler | VERIFIED | 380 lines; 7 handlers; `get_current_admin` count = 10; `_user_to_dict()` whitelist |
| `backend/db/models.py` (BackupCode) | `class BackupCode` with `used_at` nullable field | VERIFIED | `grep -c "class BackupCode"` = 1; `used_at: Mapped[Optional[datetime]]` present |
| `backend/db/models.py` (password_must_change) | `password_must_change` BOOLEAN column on User | VERIFIED | `grep -c "password_must_change"` = 1 |
| `backend/migrations/versions/0002_add_backup_codes_and_password_must_change.py` | Alembic migration for backup_codes table and password_must_change column | VERIFIED | File exists: `ls migrations/versions/ \| grep backup_codes` returns file |
| `frontend/src/stores/auth.js` | Pinia store with `accessToken` in `ref()` memory only — no localStorage | VERIFIED | `grep -c "localStorage"` = 0; `accessToken = ref(null)` confirmed |
| `frontend/src/router/index.js` | `beforeEach` guard with redirect preservation | VERIFIED | `grep -c "beforeEach"` = 1 |
| `frontend/src/views/auth/LoginView.vue` | Three-step login with TOTP + backup code paths | VERIFIED | File exists; contains backup code toggle |
| `frontend/src/views/auth/RegisterView.vue` | Registration with PasswordStrengthBar | VERIFIED | File exists; contains PasswordStrengthBar import |
| `frontend/src/views/AdminView.vue` | Tabbed admin panel | VERIFIED | File exists; imports all three tab components |
| `frontend/src/components/admin/AdminUsersTab.vue` | User CRUD with create/deactivate/reset | VERIFIED | File exists; wired to real API endpoints |
| `frontend/src/components/layout/AppSidebar.vue` | Role-gated admin link | VERIFIED | `grep -c "role.*admin"` = 1; shield-icon admin link with `v-if` |
| `backend/api/admin.py` | `await session.flush()` before `write_audit_log()` in create_user | VERIFIED | Line 247: `await session.flush() # persist User + Quota before audit_log FK references them` |
| `backend/tests/test_admin_api.py` | `test_create_user_writes_audit_log` regression test | VERIFIED | Line 145; test passes (confirmed by pytest run) |
| `frontend/src/router/index.js` | `meta: { layout: 'auth' }` on 4 auth routes; `meta: { requiresAdmin: true }` on /admin; beforeEach role check | VERIFIED | 4 routes at lines 22, 27, 32, 37; /admin at line 42; beforeEach check at lines 91-93 |
| `frontend/src/App.vue` | Layout-aware root — AuthLayout for auth routes, app shell for all others | VERIFIED | Line 2: `<AuthLayout v-if="route.meta.layout === 'auth'" />`; line 3: `<div v-else ...>` with AppSidebar + router-view |
| `frontend/src/views/SettingsView.vue` | Account tab rendering SettingsAccountTab | VERIFIED | Line 52: `<SettingsAccountTab v-if="activeTab === 'account'" />`; line 92: import; line 100: tab array entry |
| `frontend/src/components/settings/SettingsAccountTab.vue` | Full AccountView content (2FA, change password, sign-out-all) | VERIFIED | 253 lines; 4 sections (Account info, 2FA/TotpEnrollment, Change password, Sessions); all script setup logic ported |
| `frontend/src/components/auth/TotpEnrollment.vue` | QR image via qrcode library (no `<a href="otpauth://...">`) | VERIFIED | QRCode imported line 111; qrDataUrl ref line 120; toDataURL call line 136; img tag line 34 |
| `frontend/package.json` | `"qrcode"` in dependencies | VERIFIED | `"qrcode": "^1.5.4"` in dependencies section (not devDependencies) |
---
@@ -99,14 +103,11 @@ Phase 3's scope (Document Migration & Multi-User Isolation) will add `get_curren
| From | To | Via | Status | Details |
|------|----|-----|--------|---------|
| `api/auth.py` | `services/auth.py` | All auth functions called in handlers | WIRED | `verify_totp()`, `rotate_refresh_token()`, `revoke_all_refresh_tokens()`, `check_hibp()`, etc. |
| `api/auth.py` | `app.state.redis` | `request.app.state.redis` in login + TOTP enable handlers | WIRED | Lines 212, 489 pass redis_client to `verify_totp()` |
| `api/admin.py` | `deps/auth.py:get_current_admin` | `Depends(get_current_admin)` on every handler | WIRED | Count = 10; all 7 handlers + deps chain |
| `api/admin.py` | `main.py` | `app.include_router(admin_router)` | WIRED | Confirmed in main.py |
| `frontend/src/stores/auth.js` | `frontend/src/api/client.js` | Bearer token injection in `request()` | WIRED | `accessToken` used for `Authorization: Bearer` header |
| `frontend/src/router/index.js` | `frontend/src/stores/auth.js` | `beforeEach` guard checks `authStore.accessToken` | WIRED | Guard redirects unauthenticated users to `/login?redirect=` |
| `frontend/src/components/auth/BackupCodesDisplay.vue` | `acknowledged` ref | Gates "Enable 2FA" button | WIRED | `@click="acknowledged && $emit('acknowledged')"` |
| `api/auth.py` | `tasks/email_tasks.py` | Deferred import `from tasks.email_tasks import send_reset_email` inside handler | WIRED | Pattern confirmed; consistent with document_tasks pattern |
| `frontend/src/App.vue` | `frontend/src/layouts/AuthLayout.vue` | `v-if route.meta.layout === 'auth'` | WIRED | Line 2 template; line 15 import |
| `frontend/src/router/index.js` | `frontend/src/stores/auth.js` | `beforeEach` reads `authStore.user?.role` | WIRED | Line 91: `authStore.user?.role !== 'admin'` |
| `frontend/src/components/auth/TotpEnrollment.vue` | `qrcode` npm package | `import QRCode from 'qrcode'`; `QRCode.toDataURL(qrUri.value)` | WIRED | Lines 111, 136 |
| `frontend/src/views/SettingsView.vue` | `frontend/src/components/settings/SettingsAccountTab.vue` | import + v-if render | WIRED | Lines 52, 92, 100 |
| `frontend/src/router/index.js` | `/settings` redirect for `/account` | `{ path: '/account', redirect: '/settings' }` | WIRED | Line 41 |
---
@@ -114,10 +115,9 @@ Phase 3's scope (Document Migration & Multi-User Isolation) will add `get_curren
| Artifact | Data Variable | Source | Produces Real Data | Status |
|----------|---------------|--------|-------------------|--------|
| `backend/services/auth.py:verify_totp` | `redis_client.get(replay_key)` | `app.state.redis` (aioredis) | Yes — real Redis TTL-keyed lookup | FLOWING |
| `backend/services/auth.py:verify_backup_code` | `rows` from `select(BackupCode)` | PostgreSQL via SQLAlchemy async | Yes — real DB query with `used_at.is_(None)` filter | FLOWING |
| `backend/api/admin.py:_user_to_dict` | Explicit whitelist dict | User ORM object from DB | Yes — DB-loaded User object, no document fields included | FLOWING |
| `frontend/src/stores/auth.js:accessToken` | `ref(null)` → set on successful login response | `api/client.js` login response | Yes — set from `data.access_token` on successful auth | FLOWING |
| `TotpEnrollment.vue` | `qrDataUrl` | `QRCode.toDataURL(qrUri.value)` after `api.totpSetup()` returns `provisioning_uri` | Yes — real otpauth:// URI from backend, converted to PNG data URL | FLOWING |
| `SettingsAccountTab.vue` | `authStore.user.totp_enabled` | Pinia auth store (populated from login response) | Yes — real DB-backed value | FLOWING |
| `SettingsAccountTab.vue` | `authStore.user.email`, `.handle`, `.role` | Pinia auth store `/api/auth/me` response | Yes — real user data | FLOWING |
---
@@ -125,22 +125,15 @@ Phase 3's scope (Document Migration & Multi-User Isolation) will add `get_curren
| Behavior | Command | Result | Status |
|----------|---------|--------|--------|
| All Phase 2 auth tests pass | `python3 -m pytest tests/test_task1_models_config.py tests/test_task2_auth_service.py tests/test_auth_deps.py tests/test_auth_api.py tests/test_auth_totp.py tests/test_admin_api.py -q` | 77 passed, 47 warnings in 8.98s | PASS |
| Frontend builds clean | `npm run build` | Built in 576ms; 11 chunks; exit 0 | PASS |
| No localStorage in auth store | `grep -c "localStorage" frontend/src/stores/auth.js` | 0 | PASS |
| httpOnly refresh cookie | `grep -c "httponly\|HttpOnly\|httpOnly" backend/api/auth.py` | 6 | PASS |
| CORS locked to settings | `grep -c "cors_origins" backend/main.py` | 4 | PASS |
| Rate limiting on auth endpoints | `grep -c "@limiter.limit" backend/api/auth.py` | 5 (register, login, refresh, TOTP enable, password-reset) | PASS |
| get_current_admin on every admin handler | `grep -c "get_current_admin" backend/api/admin.py` | 10 | PASS |
| No impersonation in admin.py (code) | `grep -n "impersonat" backend/api/admin.py` shows only comments/docstrings | 0 code references | PASS |
| admin.py never returns password_hash | `_user_to_dict()` whitelist verified | password_hash only at line 186 (constructor write, not response) | PASS |
| Documents API unauthenticated | `grep -n "get_current_user" backend/api/documents.py` | 0 matches — no auth enforcement | FAIL (SC5 gap) |
---
### Probe Execution
No declared probes found. Step 7c: SKIPPED (no probe-*.sh files in scripts/).
| Admin create_user regression test | `python3 -m pytest tests/test_admin_api.py::test_create_user_writes_audit_log -v` | 1 passed, 2.23s | PASS |
| Frontend build | `npm run build` | 156 modules, exit 0, built in 1.82s | PASS |
| Frontend test suite | `npm test` | 107/107 passed (11 test files) | PASS |
| 4 auth routes have `meta.layout:'auth'` | `grep -c "layout.*auth" router/index.js` | 4 matches | PASS |
| /admin has `meta.requiresAdmin` | `grep -n "requiresAdmin" router/index.js` | Line 42 (route def) + line 91 (beforeEach check) | PASS |
| qrcode in package.json dependencies | `grep "qrcode" package.json` | `"qrcode": "^1.5.4"` | PASS |
| QRCode.toDataURL + img tag in TotpEnrollment | `grep -n "toDataURL\|qrDataUrl\|img.*qr" TotpEnrollment.vue` | Lines 34, 120, 136 | PASS |
| SettingsAccountTab imported and rendered in SettingsView | `grep -n "account\|SettingsAccountTab" SettingsView.vue` | Lines 52, 92, 100 | PASS |
| No localStorage in auth store | `grep -c "localStorage" frontend/src/stores/auth.js` | 0 (from initial verification) | PASS |
---
@@ -148,93 +141,146 @@ No declared probes found. Step 7c: SKIPPED (no probe-*.sh files in scripts/).
| Requirement | Plan | Description | Status | Evidence |
|-------------|------|-------------|--------|---------|
| AUTH-01 | 02-01, 02-02 | Register with Argon2 + HIBP check + strength enforcement | SATISFIED | `hash_password()` uses pwdlib Argon2Hasher; `check_hibp()` k-anonymity; strength in `_validate_password_strength()` |
| AUTH-02 | 02-01, 02-02 | JWT in Pinia memory; refresh in httpOnly SameSite=Strict cookie | SATISFIED | `accessToken = ref(null)` in store; `_set_refresh_cookie()` with httponly=True, samesite="strict" |
| AUTH-03 | 02-03 | TOTP enrollment with 8-10 backup codes acknowledged before activation | SATISFIED | `generate_backup_codes(10)` + `BackupCodesDisplay.vue` acknowledgment checkbox |
| AUTH-04 | 02-02 | Login via TOTP or single-use backup code; backup code invalidated on use | SATISFIED | `verify_totp()` and `verify_backup_code()` paths in login handler; `used_at` set on use |
| AUTH-03 | 02-03, 02-06 | TOTP enrollment with 810 backup codes acknowledged before activation | SATISFIED | `generate_backup_codes(10)` + BackupCodesDisplay acknowledgment gate (initial verification); QR image now rendered via qrcode library (plan 06 fix) |
| AUTH-04 | 02-02 | Login via TOTP code or single-use backup code | SATISFIED | `verify_totp()` + `verify_backup_code()` paths in login handler; `used_at` set on use |
| AUTH-05 | 02-03 | Password reset via email; no auto-login; returns to TOTP gate | SATISFIED | Confirm endpoint returns 200 + message, no tokens; `revoke_all_refresh_tokens()` called |
| AUTH-06 | 02-03 | Sign out all active sessions | SATISFIED | `logout_all` endpoint calls `revoke_all_refresh_tokens()` |
| AUTH-07 | 02-01 | Refresh token family revocation on reuse + security alert | SATISFIED | `rotate_refresh_token()` detects `row.revoked=True` → revoke all + `send_security_alert_email.delay()` |
| AUTH-08 | 02-01, 02-03 | TOTP single-use within validity window (replay prevention) | SATISFIED | Redis key `totp_used:{user_id}:{code}` TTL=90s in `verify_totp()` |
| SEC-01 | 02-02 | CSRF protection (SameSite=Strict + Origin validation) | SATISFIED | `OriginValidationMiddleware` + SameSite=Strict on refresh cookie |
| SEC-02 | 02-02, 02-03 | Rate limiting on auth endpoints (per-IP + per-account) | SATISFIED | slowapi `@limiter.limit()` decorators + Redis per-account counter `login_attempts:{email}` |
| SEC-03 | 02-01 | Parameterized queries / ORM | SATISFIED | All DB ops use SQLAlchemy ORM; zero raw string interpolation |
| SEC-05 | 02-02 | CSP + X-Frame-Options + X-Content-Type-Options headers | SATISFIED | `SecurityHeadersMiddleware` in main.py adds all three headers |
| SEC-06 | 02-01 | Constant-time comparison for all token/code verification | SATISFIED | `pwdlib.verify()` (constant-time); backup code verification iterates ALL rows without early exit |
| SEC-07 | 02-04 | Admin role on every admin endpoint; admin cannot see document content | PARTIAL | Admin API enforced via `get_current_admin` (VERIFIED). But `backend/api/documents.py` has no auth at all — admin JWT not rejected on document access (SC5 gap) |
| ADMIN-01 | 02-04, 02-05 | Admin creates user with temp password, `password_must_change=True` | SATISFIED | `POST /api/admin/users` sets `password_must_change=True`; login flow checks flag |
| ADMIN-02 | 02-04, 02-05 | Admin deactivates user account | SATISFIED | `PATCH /api/admin/users/{id}/status` with sole-admin guard |
| ADMIN-03 | 02-04 | Admin initiates password reset for user (email, no impersonation) | SATISFIED | `POST /api/admin/users/{id}/password-reset` dispatches `send_reset_email.delay()` |
| ADMIN-04 | 02-04, 02-05 | Admin views/adjusts quotas with below-usage warning | SATISFIED | `GET/PATCH /api/admin/users/{id}/quota`; `AdminQuotasTab.vue` |
| ADMIN-05 | 02-04, 02-05 | Admin assigns AI provider/model per user | SATISFIED | `PATCH /api/admin/users/{id}/ai-config`; `AdminAiConfigTab.vue` |
| SEC-03 | 02-01 | Parameterized queries / ORM | SATISFIED | All DB ops via SQLAlchemy ORM; zero raw string interpolation |
| ADMIN-01 | 02-04, 02-06 | Admin creates user with temp password, password_must_change=True | SATISFIED | POST /api/admin/users sets password_must_change=True; HTTP 500 fixed via session.flush() at admin.py:247 |
| ADMIN-07 | 02-04 | Admin impersonation explicitly excluded | SATISFIED | No impersonation endpoint; test_admin_impersonation_not_found asserts 404/422 |
---
### Open Code Review Findings (from 02-REVIEW.md)
These findings were surfaced by the code reviewer after plan 06 execution and are NOT yet fixed. They represent security invariants and UX gaps that require developer attention before Phase 2 can be considered fully resolved.
#### CR-01 — BLOCKER: Password change does not revoke active sessions
**File:** `backend/api/auth.py` line 520 (`change_password` endpoint)
**Issue:** CLAUDE.md line 153 requires: "Password change, TOTP enroll/revoke, and account deactivation immediately revoke all active sessions." The `change_password` handler updates `password_hash` and commits but does not call `revoke_all_refresh_tokens()`. An attacker with a previously-stolen refresh cookie retains full access for up to 30 days after the victim changes their password.
**Fix required:** Add `await auth_service.revoke_all_refresh_tokens(session, current_user.id)` after `session.commit()` in the `change_password` handler. Also redirect the current session to /login in the frontend `changePassword()` success path.
#### CR-02 — BLOCKER: TOTP disable does not revoke active sessions
**File:** `backend/api/auth.py` line 641 (`disable_totp` endpoint)
**Issue:** Same CLAUDE.md line 153 requirement. The `disable_totp` handler clears `totp_secret`, sets `totp_enabled=False`, and deletes backup codes but does not revoke any refresh tokens. An attacker can downgrade account security and both the attacker and any stolen sessions remain valid.
**Fix required:** Add `await session.execute(delete(RefreshToken).where(RefreshToken.user_id == current_user.id))` + `await session.commit()` in the `disable_totp` handler after backup code deletion.
#### CR-03 — WARNING: Dead `#confirm-button` slot in SettingsAccountTab removes spinner/guard on sign-out-all
**File:** `frontend/src/components/settings/SettingsAccountTab.vue` lines 149161
**Issue:** `ConfirmBlock.vue` defines no named slot. The `<template #confirm-button>` block is silently ignored by Vue; the custom button with `:disabled="signingOutAll"` and `<AppSpinner>` never renders. Double-invocation of `signOutAll()` is possible with no spinner feedback.
**Fix required:** Either add `<slot name="confirm-button">` fallback in `ConfirmBlock.vue`, or guard with `if (signingOutAll.value) return` at the top of `signOutAll()`.
#### WR-01 — WARNING: URIError crash path in SettingsView.vue onMounted
**File:** `frontend/src/views/SettingsView.vue``decodeURIComponent(errorMsg)` in onMounted
**Issue:** No try/catch. Malformed `cloud_error` query param (e.g. lone `%`) throws URIError; user sees blank cloud tab with no error message.
**Fix required:** Wrap in try/catch, fall back to raw `errorMsg` value.
#### WR-02 — WARNING: TOTP verify code button re-enables during 800ms success flash
**File:** `frontend/src/components/auth/TotpEnrollment.vue`
**Issue:** `loading` is cleared in `finally` before the 800ms timeout fires; `verifyCode` not cleared on success. Button re-enables, allowing duplicate `api.totpEnable()` call. Backend replay prevention should reject it but UX is broken.
**Fix required:** Clear `verifyCode.value = ''` immediately after `api.totpEnable()` succeeds.
#### WR-03 — WARNING: Fragile string-matching for password error routing
**File:** `frontend/src/components/settings/SettingsAccountTab.vue`
**Issue:** `passwordError.includes('Current')` routes errors to field-level vs. form-level display. Unexpected API messages containing "Current" will be misrouted.
**Fix required:** Use separate refs for field-level and form-level errors.
#### WR-04 — WARNING: `topicsStore.fetchTopics()` fires on auth page loads
**File:** `frontend/src/App.vue` line 20
**Issue:** `onMounted(() => topicsStore.fetchTopics())` runs on every route including /login, /register, /password-reset. The backend returns 401; the API client attempts a token refresh (which fails); auth store clears its already-null accessToken. Spurious 401 + failed refresh on every auth page load.
**Fix required:** Guard the call behind `authStore.accessToken` check, or move it to the authenticated app shell.
#### IN-01 — INFO: qrcode uses caret range instead of exact pin
**File:** `frontend/package.json`
**Issue:** `"qrcode": "^1.5.4"` — CLAUDE.md requires exact version pinning for security-critical packages.
**Fix recommended:** Pin to `"qrcode": "1.5.4"`.
---
### Anti-Patterns Found
| File | Line | Pattern | Severity | Impact |
|------|------|---------|----------|--------|
| `backend/api/documents.py` | All endpoints | No `get_current_user` dependency — fully unauthenticated | BLOCKER | Admin JWT does not return 403 for document content (SC5 gap); any request accesses all documents |
| `backend/api/documents.py` | 167 | Comment: "D-03: user_id is NULLABLE in Phase 1" | INFO | Documented intentional deferral to Phase 3 |
| `backend/api/auth.py` | 520 | `change_password` commits without `revoke_all_refresh_tokens()` | BLOCKER | Active sessions survive password change — CLAUDE.md line 153 security invariant violated |
| `backend/api/auth.py` | 641 | `disable_totp` commits without `revoke_all_refresh_tokens()` | BLOCKER | Active sessions survive TOTP disable — CLAUDE.md line 153 security invariant violated |
| `frontend/src/components/settings/SettingsAccountTab.vue` | 149161 | `<template #confirm-button>` renders into nonexistent slot — dead code | WARNING | Spinner and double-click guard never activate on sign-out-all |
| `frontend/src/App.vue` | 20 | `topicsStore.fetchTopics()` unconditional on mount | WARNING | Spurious 401 + failed token refresh on every auth page load |
| `frontend/src/views/SettingsView.vue` | onMounted | `decodeURIComponent()` without try/catch | WARNING | URIError crash on malformed cloud_error query param |
| `frontend/src/components/auth/TotpEnrollment.vue` | verify step | `verifyCode` not cleared on success before 800ms timeout | WARNING | Button re-enables during flash window — double-submission possible |
No TBD/FIXME/XXX markers found in Phase 2 deliverable files.
No TBD/FIXME/XXX markers found in Phase 2 plan-06 deliverable files.
---
### Human Verification Required
**4 items need human testing:**
**5 items need human testing:**
#### 1. TOTP Enrollment End-to-End
**Test:** Log in as a user, navigate to Account settings, click "Set up two-factor authentication", scan the `otpauth://` link with an authenticator app, enter the 6-digit code, view the 10 backup codes screen, check the acknowledgment checkbox, click "Enable 2FA"
**Test:** Log in as a user, navigate to /settings, click the Account tab. Find the "Two-factor authentication" section. Click to set up 2FA. Verify a scannable QR image (not a text link) appears. Scan the QR with an authenticator app (Google Authenticator, Authy, etc.). Enter the 6-digit code. Verify the backup codes screen shows 10 codes in a 2-column grid with a Copy All button and acknowledgment checkbox. Check the acknowledgment box. Click Enable 2FA. Confirm account shows 2FA active. Log out and log back in — confirm TOTP step is required.
**Expected:** 2FA is enabled; next logout + login requires a TOTP code or backup code; login succeeds with valid code and fails with invalid code
**Expected:** QR image renders (no `<a href="otpauth://...">` link visible). 10 backup codes displayed. Acknowledgment checkbox gates Enable 2FA button. After enabling: login requires TOTP code or backup code.
**Why human:** Multi-step flow requires a real authenticator app; the otpauth:// link rendering (note: QR image is not rendered — only the link text) is a known MVP deviation
**Why human:** Multi-step flow requires a real authenticator app; QR image rendering requires visual confirmation; the backup-code gate requires UI interaction.
#### 2. Password Reset Email Delivery
**Test:** Trigger password reset for a test account; check the email inbox; follow the reset link; set a new password; attempt to log in without TOTP
**Test:** Navigate to /password-reset. Enter a valid email address. Verify the page always shows a generic "check your email" message (no enumeration of valid/invalid email). Check the inbox. Follow the reset link. Set a new strong password. Verify no auto-login after reset. Navigate to /login and log in with the new password. Confirm TOTP gate appears if 2FA was enabled.
**Expected:** Email arrives with correct reset link; link expires after 1 hour; successful reset returns "Password updated. Please sign in." message (no tokens); login proceeds to TOTP gate if 2FA was enabled
**Expected:** Email arrives with correct signed link. Link expires after 1 hour. Successful reset shows "Password updated. Please sign in." with no tokens issued. TOTP gate on next login if enrolled.
**Why human:** Requires SMTP server (Celery + email infrastructure) and actual email receipt; anti-enumeration means the 202 response alone can't confirm email dispatch
**Why human:** Requires SMTP infrastructure running and actual email receipt. Anti-enumeration means the 202 response alone cannot confirm email dispatch.
#### 3. Sign Out All Devices
**Test:** Log in from two browser tabs; click "Sign out all devices" in Account settings in Tab 1; make an authenticated request in Tab 2
**Test:** Log in from two browser tabs or browsers. In Tab 1, go to /settings > Account tab > Sessions. Click "Sign out all devices." Verify a ConfirmBlock appears. On confirm: Tab 1 redirects to /login. In Tab 2, make an authenticated request (e.g., navigate or refresh). Verify Tab 2 is redirected to /login.
**Expected:** Tab 2's access token is invalidated on next request; Tab 2 is redirected to login; reusing the revoked refresh token causes full family revocation
**Expected:** Both tabs lose access after "sign out all devices." Reusing a revoked refresh token causes family revocation.
**Why human:** Multi-session testing requires two live sessions; refresh token reuse detection requires timing
**Why human:** Multi-session behavior requires two live sessions; refresh token reuse detection requires timing across requests.
#### 4. Admin Panel Role Visibility
#### 4. Admin Panel Role Visibility and CRUD
**Test:** Log in as a regular user; verify Admin link is NOT visible in sidebar. Log in as admin; verify "Admin" link with shield icon appears; navigate Users / Quotas / AI Config tabs; create a test user; deactivate them; reset their password
**Test:** Log in as a regular user. Verify the Admin link is NOT visible in the sidebar. Navigate to /admin directly. Verify redirect to /. Log in as admin. Verify "Admin" link with shield icon appears in sidebar. Navigate to /admin. Test: (a) Users tab — list all users; (b) Create a new test user — verify HTTP 200/201 and the user appears in the table (no HTTP 500); (c) Deactivate the test user — verify inline confirmation shows correct email; (d) Quotas tab — view/adjust a quota; (e) AI Config tab — change a provider and verify save flash.
**Expected:** Non-admin users never see the admin UI; admin can perform all CRUD operations; inline deactivation confirmation shows correct user email
**Expected:** Non-admin users blocked from /admin (redirected to /). Admin CRUD operations work. No HTTP 500 on user creation.
**Why human:** Visual rendering and role-conditional DOM requires browser; inline confirmation UX requires human interaction
**Why human:** Visual rendering, role-conditional DOM, and inline confirmation UX require browser interaction.
#### 5. CR-01/CR-02: Session Revocation on Password Change and TOTP Disable (EXPECTED FAIL until fix applied)
**Test:** In Browser 1, log in. In Browser 2, log in as the same user. In Browser 1: change the password (Settings > Account tab). In Browser 2: attempt any authenticated action (e.g., navigate to /settings). Verify Browser 2 is redirected to /login. Repeat: In Browser 1, disable TOTP (if enrolled). In Browser 2: verify session is invalidated.
**Expected:** Both Browser 2 sessions are invalidated immediately after password change or TOTP disable in Browser 1.
**Why human:** Requires confirming backend revocation with live sessions. NOTE: This test is expected to FAIL in the current codebase. CR-01 and CR-02 are confirmed open — neither `change_password` nor `disable_totp` in `backend/api/auth.py` calls `revoke_all_refresh_tokens()`. This is a CLAUDE.md line 153 security invariant violation. A fix plan is required before Phase 2 can be marked fully complete.
---
## Gaps Summary
**1 BLOCKER gap** preventing full Phase 2 goal achievement:
**0 automated gaps blocking phase goal.** All 6 plan-06 must-have truths are VERIFIED. The SC5 gap from the initial verification (admin JWT on documents) is deferred to Phase 3 per D-07 and has been removed from blocking status.
**SC5 — Admin JWT → 403 on document content**
**2 SECURITY BLOCKERS from code review (CR-01, CR-02)** — these are CLAUDE.md security invariant violations requiring a fix plan:
The documents API (`backend/api/documents.py`) is completely unauthenticated — a Phase 1 legacy state explicitly noted in STATE.md (D-03 decision). An admin JWT does NOT return 403 when accessing document endpoints because the documents API has no JWT validation at all. The admin.py API correctly has no document content endpoints, and `_user_to_dict()` correctly excludes sensitive fields. But the literal clause of SC5 and SEC-07's "admin cannot access document content...in any response" is not enforced at the document endpoint layer.
- **CR-01:** `change_password` does not revoke active sessions (backend/api/auth.py:520)
- **CR-02:** `disable_totp` does not revoke active sessions (backend/api/auth.py:641)
**Root cause:** Phase 2 scope defines auth enforcement on new endpoints (`api/auth.py`, `api/admin.py`) but does not retrofit authentication onto the legacy `api/documents.py`, `api/topics.py`, or `api/settings.py`. Phase 3 ("Document Migration & Multi-User Isolation") will add per-user isolation to these endpoints.
These are not UAT-detectable bugs — they are security architecture violations. A gap-closure plan is required targeting only these two backend endpoints. The fixes are each 35 lines (call `revoke_all_refresh_tokens()` after commit). The frontend should also redirect to /login after a successful password change.
**Recommended resolution before marking Phase 2 complete:**
- Narrowest fix: add a `current_user: User = Depends(get_current_user)` check to document endpoint functions, returning 403 if `user.role == "admin"` — minimal change, no migration needed
- Broader fix: update ROADMAP.md to scope SC5's "admin JWT → 403 on documents" clause as part of Phase 3 auth enforcement (where `get_current_user` will be added everywhere anyway)
**4 WARNINGS from code review (WR-01 through WR-04)** — lower priority UX and robustness issues not blocking the phase goal but recommended for resolution before Phase 3 begins.
---
_Verified: 2026-05-22T18:18:52Z_
_Verified: 2026-06-01T14:35:00Z_
_Re-verification: Yes — after Plan 06 gap closure_
_Verifier: Claude (gsd-verifier)_