fix(security): harden auth — rate limiting, admin audit logging, JWT aud/iss

- Add @Throttle (5 req/hour per IP) on register, login, refresh endpoints
- Add audit logging in RolesGuard for failed admin access attempts (userId, role, IP, action)
- Add audience ('goodgo-api') and issuer ('goodgo-platform') claims to JWT tokens
- Validate aud/iss in JwtStrategy to prevent cross-service token reuse

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Ho Ngoc Hai
2026-04-08 06:17:02 +07:00
parent e60b95cdec
commit be0deddeed
4 changed files with 113 additions and 15 deletions


@@ -1,8 +1,15 @@
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';
import type { Request } from 'express';
import { type JwtPayload } from '../services/token.service';
function extractJwtFromCookieOrHeader(req: Request): string | null {
const cookieToken = req.cookies?.['access_token'] as string | undefined;
if (cookieToken) return cookieToken;
return ExtractJwt.fromAuthHeaderAsBearerToken()(req);
}
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
constructor() {
@@ -12,9 +19,11 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
}
super({
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
jwtFromRequest: extractJwtFromCookieOrHeader,
ignoreExpiration: false,
secretOrKey: jwtSecret,
audience: 'goodgo-api',
issuer: 'goodgo-platform',
});
}