vk
|
0639c1a656
|
Fix all tests (vibe-kanban bba3e2c9)
Fix all tests. Ask me if you don't know what to do.
|
2026-02-11 23:15:49 +01:00 |
|
vk
|
9faae15212
|
[P1 Security] Rate Limiting for API Routes and Livewire Actions (vibe-kanban e1f85c61)
## Security Audit: Missing Rate Limiting
### Problem
The application has **no rate limiting** on API routes or Livewire actions. This allows:
- Brute-force attacks on authentication endpoints
- Denial of service through mass calls to API endpoints
- Vote manipulation through rapid, repeated requests
- Resource exhaustion through uncontrolled database queries
### Affected Endpoints
**API routes (`routes/api.php`):**
```php
Route::get('/nostr/profile/{key}', GetProfile::class); // no rate limit
Route::get('/members/{year}', GetPaidMembers::class); // no rate limit
```
**Critical Livewire actions (no throttling):**
- Voting on ProjectProposals (`association/project-support/show`)
- Login via Nostr (`handleNostrLogin`)
- ProjectProposal creation
- Election voting
### Solution
**1. API rate limiting in `bootstrap/app.php`:**
Use Laravel 12's middleware configuration to enable rate limiting:
```php
->withMiddleware(function (Middleware $middleware) {
    $middleware->api(prepend: [
        \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
    ]);
})
```
And define the `api` rate limiter in `app/Providers/AppServiceProvider.php`:
```php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

public function boot(): void
{
    // 60 requests per minute per client IP for the whole api middleware group
    RateLimiter::for('api', function (Request $request) {
        return Limit::perMinute(60)->by($request->ip());
    });
}
```
**2. Livewire action throttling:**
Use Livewire's `#[Throttle]` attribute on sensitive actions. Search the Livewire documentation for the correct v4 syntax with `search-docs`:
- `queries: ['throttle', 'rate limiting']`
- `packages: ['livewire/livewire']`
Apply throttling to:
- Vote submit methods in the ProjectSupport components
- Login handler (`handleNostrLogin` in the `WithNostrAuth` trait)
- ProjectProposal create/update actions
**3. Additional custom rate limiter for voting:**
```php
RateLimiter::for('voting', function (Request $request) {
    return Limit::perMinute(10)->by($request->ip());
});
```
### Affected Files
- `bootstrap/app.php` – middleware configuration (add rate limit middleware)
- `app/Providers/AppServiceProvider.php` – RateLimiter definitions
- `routes/api.php` – apply rate limit middleware
- `app/Livewire/Traits/WithNostrAuth.php` – throttle on `handleNostrLogin`
- Livewire components in `app/Livewire/Association/ProjectSupport/` – throttle on vote/create actions
### Procedure
1. Use `search-docs` for: `['rate limiting', 'throttle']` (Laravel) and `['throttle']` (Livewire)
2. Define rate limiters in AppServiceProvider
3. Configure API middleware in `bootstrap/app.php`
4. Add throttling to Livewire actions
5. Write Pest tests that verify rate limiting takes effect (429 response when the limit is exceeded)
6. `vendor/bin/pint --dirty` and `php artisan test --compact`
### Acceptance Criteria
- API routes return HTTP 429 after 60 requests/minute
- Voting actions are limited to max. 10/minute
- Login attempts are throttled
- Tests verify rate limiting behavior
|
2026-02-11 21:13:36 +01:00 |
|
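A Pest feature test for the 429 and voting-limit acceptance criteria in the commit above, added here as an example and not part of the commit or the project. It assumes the `api` and `voting` limiters from the commit are registered, the API route is served under `/api/members/{year}`, and the test environment uses the array cache driver (Laravel's phpunit.xml default), so each test starts with an empty rate-limit window.

```php
<?php

// Added example (not project code). Assumes: `api` limiter = 60/min by IP,
// `voting` limiter = 10/min by IP, ThrottleRequests prepended to the api
// group in bootstrap/app.php, route prefix `/api`, array cache driver in tests.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

it('returns 429 once the api limiter reaches 60 requests per minute', function () {
    // The first request is counted by ThrottleRequests: limit 60, 59 remaining.
    $this->getJson('/api/members/2026')
        ->assertHeader('X-RateLimit-Limit', '60')
        ->assertHeader('X-RateLimit-Remaining', '59');

    // Requests 2..60 are still inside the window and must not be throttled.
    for ($i = 2; $i <= 60; $i++) {
        expect($this->getJson('/api/members/2026')->status())->not->toBe(429);
    }

    // Request 61 is rejected with 429, a Retry-After header and 0 remaining.
    $this->getJson('/api/members/2026')
        ->assertStatus(429)
        ->assertHeader('Retry-After')
        ->assertHeader('X-RateLimit-Remaining', '0');
});

it('keys the voting limiter at 10 attempts per minute per client IP', function () {
    // Constructed request from a documentation-range address (RFC 5737).
    $request = Request::create('/vote', 'POST', server: ['REMOTE_ADDR' => '203.0.113.7']);

    // Resolve the named limiter closure and evaluate it for this request.
    $limit = RateLimiter::limiter('voting')($request);

    expect($limit->maxAttempts)->toBe(10)
        ->and($limit->decaySeconds)->toBe(60)
        ->and($limit->key)->toBe('203.0.113.7');
});
```

The second test checks the limiter definition directly, so it stays valid even when the Livewire vote action is wired to the `voting` limiter by a mechanism other than the `api` middleware group.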
HolgerHatGarKeineNode
|
2957e89c79
|
🔒 Add #[Locked] attribute to Livewire components to enhance security against client-side state tampering
|
2026-02-03 22:49:42 +01:00 |
|
HolgerHatGarKeineNode
|
4a425da923
|
🎨 Update color palette: replace gray with zinc across Blade templates for improved design consistency and accessibility.
🛠 Refactor forms: rename NostrAuth method for clarity and enhance Flux button usage for cleaner and reusable components.
✨ Add `WithNostrAuth` trait: refactor `show` template logic, streamline project-support handling, and improve layout readability.
|
2026-01-20 14:58:02 +01:00 |
|
HolgerHatGarKeineNode
|
a6c8fb6435
|
✨ Refactor project-support forms: add admin-only fields, improve Flux form components, and enhance layout for consistency. 🛠️ Remove redundant NostrAuth methods and streamline authorization logic.
|
2026-01-20 00:49:28 +01:00 |
|
HolgerHatGarKeineNode
|
6edcf014a6
|
🗑️ Remove unused and outdated Blade views, refactor access restriction messages with Flux callout components, and update related Livewire tests for improved maintainability and UX.
|
2026-01-18 23:10:37 +01:00 |
|
HolgerHatGarKeineNode
|
18f8dd99e3
|
🚀 Integrate Flux modals and toasts into Blade templates, refactor delete confirmation logic, and replace deprecated WireUI notifications for improved UX.
|
2026-01-18 20:47:12 +01:00 |
|
HolgerHatGarKeineNode
|
b090336c4f
|
🛠️ Refactor migrations, models, configs, and Blade files to apply consistent formatting, remove unnecessary lines, and improve readability.
|
2026-01-18 19:50:04 +01:00 |
|
HolgerHatGarKeineNode
|
0694a2d837
|
✨ Add Livewire Flux components and new tests for project proposal and editing forms
|
2026-01-18 15:19:00 +01:00 |
|
HolgerHatGarKeineNode
|
30e78711c9
|
✨ Add reusable Blade components for inputs and layouts: FilePond, navigation groups, and notification buttons
|
2026-01-18 13:23:20 +01:00 |
|
HolgerHatGarKeineNode
|
22c8ad3588
|
🗑️ Remove unused Blade templates and components across navigation, layouts, and details, streamlining unused sections like admin, association, courses, events, and dark-mode toggle.
|
2026-01-18 01:45:02 +01:00 |
|
HolgerHatGarKeineNode
|
00216409b4
|
🗑️ Remove unused Livewire components and Blade views related to elections, member management, changelog, project support, and meetups.
|
2026-01-18 01:33:24 +01:00 |
|
HolgerHatGarKeineNode
|
a73587b9e8
|
🛠️ Refactor and streamline Blade templates for project support and elections, including improved conditionals and structure cleanup
🛠️ Replace `shell_exec` with `Process` in Changelog Livewire component for safer command execution
|
2026-01-17 23:54:06 +01:00 |
|
HolgerHatGarKeineNode
|
0abbe69868
|
🗑️ Remove election-related blade files no longer in use
|
2026-01-17 23:26:05 +01:00 |
|