trusted proxy, TOTP replay protection, new tests

- Trusted proxy config option for proxy-aware IP extraction used by rate limiting and audit logs; validates proxy IP before trusting X-Forwarded-For / X-Real-IP headers - TOTP replay protection via counter-based validation to reject reused codes within the same time step (±30s) - RateLimit middleware updated to extract client IP from proxy headers without IP spoofing risk - New tests for ClientIP proxy logic (spoofed headers, fallback) and extended rate-limit proxy coverage - HTMX error banner script integrated into web UI base - .gitignore updated for mciasdb build artifact Security: resolves CRIT-01 (TOTP replay attack) and DEF-03 (proxy-unaware rate limiting); gRPC TOTP enrollment aligned with REST via StorePendingTOTP Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 17:44:01 -07:00
parent f262ca7b4e
commit ec7c966ad2
31 changed files with 799 additions and 250 deletions
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -200,19 +200,31 @@ func parsePHC(phc string) (ArgonParams, []byte, []byte, error) {
 // ValidateTOTP checks a 6-digit TOTP code against a raw TOTP secret (bytes).
 // A ±1 time-step window (±30s) is allowed to accommodate clock skew.
 //
+// Returns (true, counter, nil) on a valid code where counter is the HOTP
+// counter value that matched.  The caller MUST pass this counter to
+// db.CheckAndUpdateTOTPCounter to prevent replay attacks within the validity
+// window (CRIT-01).
+//
 // Security:
 //   - Comparison uses crypto/subtle.ConstantTimeCompare to resist timing attacks.
 //   - Only RFC 6238-compliant HOTP (HMAC-SHA1) is implemented; no custom crypto.
 //   - A ±1 window is the RFC 6238 recommendation; wider windows increase
 //     exposure to code interception between generation and submission.
-func ValidateTOTP(secret []byte, code string) (bool, error) {
+//   - The returned counter enables replay prevention: callers store it and
+//     reject any future code that does not advance past it (RFC 6238 §5.2).
+func ValidateTOTP(secret []byte, code string) (bool, int64, error) {
 	if len(code) != 6 {
-		return false, nil
+		return false, 0, nil
 	}

 	now := time.Now().Unix()
 	step := int64(30) // RFC 6238 default time step in seconds

+	// Security: evaluate all three counters with constant-time comparisons
+	// before returning.  Early-exit would leak which counter matched via
+	// timing; we instead record the match and continue, returning at the end.
+	var matched bool
+	var matchedCounter int64
 	for _, counter := range []int64{
 		now/step - 1,
 		now / step,
@@ -220,14 +232,21 @@ func ValidateTOTP(secret []byte, code string) (bool, error) {
 	} {
 		expected, err := hotp(secret, uint64(counter)) //nolint:gosec // G115: counter is Unix time / step, always non-negative
 		if err != nil {
-			return false, fmt.Errorf("auth: compute TOTP: %w", err)
+			return false, 0, fmt.Errorf("auth: compute TOTP: %w", err)
 		}
 		// Security: constant-time comparison to prevent timing attack.
+		// We deliberately do NOT break early so that all three comparisons
+		// always execute, preventing a timing side-channel on which counter
+		// slot matched.
 		if subtle.ConstantTimeCompare([]byte(code), []byte(expected)) == 1 {
-			return true, nil
+			matched = true
+			matchedCounter = counter
 		}
 	}
-	return false, nil
+	if matched {
+		return true, matchedCounter, nil
+	}
+	return false, 0, nil
 }

 // hotp computes an HMAC-SHA1-based OTP for a given counter value.