mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-14 13:55:19 +02:00
b290620cf9
* Declare ext-intl and ext-zip as explicit composer requirements DataExportService uses ZipArchive directly and the Dutch-locale format_datetime Twig filter needs real ext-intl (the polyfill only supports en), but composer.json only declared ext-ctype/ext-iconv. Adding them lets `composer check-platform-reqs` catch a missing extension before a runtime crash. * Add authorization checks to PrepareEliminationController index and viewElimination had no IsGranted guard, unlike every other backoffice/elimination controller, so any authenticated user could prepare or overwrite another season's elimination screens. * Prevent formula injection in spreadsheet exports Answer/candidate text starting with =, +, -, or @ was written to XLSX exports as a live formula rather than plain text. Since seasons can have multiple owners, a co-owner could plant a formula that runs (and can exfiltrate data) when another owner opens the export in Excel. * Add rate limiting to login and season-code entry points Neither /login nor the public season-code guess form (POST /) had any throttling, making both an unlimited brute-force/enumeration oracle. Adds symfony/rate-limiter and enables login_throttling on the main firewall, plus a dedicated per-IP rate limiter on the season-code form. * Add unique constraint to prevent double-submit score inflation A candidate could submit two concurrent POSTs for the same question before either committed, since GivenAnswer had no unique constraint and the "next question" check was subject to a TOCTOU race — each insert was then counted as a correct answer. * Address CodeRabbit review findings Include a Retry-After header on the season-code rate limit, correct stale line references in the security audit doc, and fix a stray comma in the reset-password email.
52 lines
1.9 KiB
YAML
52 lines
1.9 KiB
YAML
security:
|
|
# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
|
|
password_hashers:
|
|
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
|
|
|
|
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
|
|
providers:
|
|
tvdt_user_provider:
|
|
entity:
|
|
class: Tvdt\Entity\User
|
|
property: email
|
|
firewalls:
|
|
dev:
|
|
# Ensure dev tools and static assets are always allowed
|
|
pattern: ^/(_profiler|_wdt|assets|build)/
|
|
security: false
|
|
main:
|
|
lazy: true
|
|
provider: tvdt_user_provider
|
|
form_login:
|
|
login_path: tvdt_login_login
|
|
check_path: tvdt_login_login
|
|
enable_csrf: true
|
|
default_target_path: tvdt_backoffice_index
|
|
logout:
|
|
path: tvdt_login_logout
|
|
remember_me:
|
|
secret: '%kernel.secret%'
|
|
lifetime: 604800 # 1 week in seconds
|
|
login_throttling:
|
|
max_attempts: 5
|
|
|
|
access_control:
|
|
- { path: ^/admin, roles: ROLE_ADMIN }
|
|
- { path: ^/backoffice/releases$, roles: PUBLIC_ACCESS }
|
|
- { path: ^/backoffice, roles: IS_AUTHENTICATED }
|
|
|
|
when@test:
|
|
security:
|
|
password_hashers:
|
|
# Password hashers are resource-intensive by design to ensure security.
|
|
# In tests, it's safe to reduce their cost to improve performance.
|
|
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
|
|
algorithm: auto
|
|
cost: 4 # Lowest possible value for bcrypt
|
|
time_cost: 3 # Lowest possible value for argon
|
|
memory_cost: 10 # Lowest possible value for argon
|
|
firewalls:
|
|
main:
|
|
login_throttling:
|
|
max_attempts: 2
|