11 KiB
11 KiB
PRD: Platform Audit Remediation Plan (2026-05-24)
Scope
- Source audit:
09 - Audits/Platform Logical Audit - 2026-05-24.md - Target: backend hardening and consistency fixes first, then doc/runtime alignment.
- Assessed date: 2026-05-24
Audit validity check (code-backed vs docs-only)
-
Code-confirmed valid findings:
- Unauthenticated financial/auth-sensitive routes are exposed (
/api/payment/*,/api/ai/*, legacy notification routes). - Passkey flow uses stubbed credential handling and in-memory challenge storage.
PaymentCoordinatordoes not currently enforce dispute holds.- Web3 verifier relies primarily on
receipt.status. - Socket.IO user-room joins are client-controlled.
- Rate limiting is explicitly disabled in
backend/src/app.ts.
- Unauthenticated financial/auth-sensitive routes are exposed (
-
Partially validated / inconsistent findings:
- Dispute module appears absent in the checked backend tree (
backend/srcdoes not containservices/dispute/routes/disputeRoutes/controllers/disputeController), so many dispute-specific audit checks cannot be confirmed against code but indicate a documentation-runtime mismatch. - The REST/API/flow docs mention endpoints that differ from available implementation in some places; these should be normalized as part of a separate alignment pass.
- Dispute module appears absent in the checked backend tree (
PRD 1: Secure unauthenticated endpoints and data-owner enforcement (P0)
Problem
backend/src/services/payment/decentralizedPaymentRoutes.tsexposes mutation endpoints (/save,/update,/verify,/verify-all-pending) without auth.backend/src/services/ai/aiRoutes.tshas public generation endpoints (/generate,/analyze,/translate,/assist) with no auth.backend/src/services/notification/routes.tslets clients specifyuserIdand mutate/read without ownership checks, and routes are mounted publicly viaapp.use("/api", notificationRoutes)inbackend/src/app.ts.
Acceptance criteria
- Every endpoint in
decentralizedPaymentRoutes.ts,aiRoutes.ts, and legacynotificationRoutes.tsrequires:authenticateToken- owner/admin role check where applicable
- Notification endpoints do not accept arbitrary
userId; deriveuserIdfrom authenticated principal. - Payment history and mutation endpoints enforce requestor ownership or admin/authorized role.
Risk assessment
- Threat: Financial/private data tampering or privacy breach by unauthenticated callers.
- Likelihood: High.
- Impact: Critical (funding fraud, PII leakage, cost abuse).
- Mitigation: Introduce router-level middleware and standardized auth helper.
- Residual risk: Medium if any integration jobs call these endpoints (document required with service tokens or service role).
Delivery plan
- Add route-level
authenticateTokento all routes in files above. - Introduce ownership guard utilities for:
history/:userIdand payment listing/history filters- notification queries/updates
- Restrict AI calls to authenticated users with per-user rate budget.
- Add audit logs for denied access and suspicious payloads.
- Update API docs for auth requirements.
Owner / dependencies
- Owner: Backend security + payments teams.
- Depends on: token standards in
backend/src/shared/middleware/auth.
PRD 2: Production-grade Passkey/WebAuthn flow (P0)
Problem
backend/src/services/auth/passkeyService.tsstores passkey challenge data in an in-memoryMapand inserts'simulated-public-key'during registration.- Refresh token is generated on authentication but never persisted to
user.refreshTokens[], making token rotation behavior inconsistent with the rest of auth flows.
Acceptance criteria
- Replace stubbed registration/verification with real WebAuthn verification.
- Back challenges by shared storage (Redis or equivalent), not in-process memory.
- Persist verified refresh tokens and rotate according to normal auth policy.
- Reject reused/expired challenges and malformed assertions with deterministic errors.
Risk assessment
- Threat: Credential spoofing, replay attacks, and broken session continuity.
- Likelihood: High.
- Impact: Critical (account takeover / authentication bypass).
- Mitigation: Add
@simplewebauthn/server(or equivalent) + Redis-backed nonce store + strict verification. - Residual risk: Medium (device/browser compatibility edge-cases).
Delivery plan
- Replace
verifyRegistrationandverifyAuthenticationwith attestation/assertion verification. - Swap
storedChallengesmap for distributed storage with TTL. - Add persistent refresh token append in passkey login flow.
- Add regression tests for sign-in/sign-up and challenge expiry.
Owner / dependencies
- Owner: Auth team.
- Depends on: Redis infra, passkey frontend challenge handling.
PRD 3: Enforce dispute hold before payout/release operations (P1)
Problem
- No dispute implementation files are present in the checked backend for enforcement paths, yet escrow release can still proceed in payment logic without a blocking hold.
backend/src/services/marketplace/routes.tsrelease endpoint (/purchase-requests/:id/release-payment) executes without a dispute gate.backend/src/services/payment/paymentCoordinator.tsapplies sequencing and dedupe logic but has no dispute state guard.
Acceptance criteria
- Introduce explicit hold mechanism on
Payment(or newdisputeStatus/holdReasonfield). - All release/refund flows check hold state before state mutation.
- Release endpoint returns clear 409/423 response when disputed.
- Backfill/reporting distinguishes dispute-blocked payments.
Risk assessment
- Threat: Funds released before dispute resolution.
- Likelihood: Medium (documented behavior gap).
- Impact: Critical (financial loss / trust erosion).
- Mitigation: Centralize payout/refund state checks in coordinator and services, not UI-only logic.
- Residual risk: Medium (existing open disputes may need manual reconciliation).
Delivery plan
- Add
disputed/disputeHoldReasonfields (and migration plan) toPayment. - Add hold checks in:
backend/src/services/marketplace/routes.tsadmin release flowbackend/src/services/payment/shkeeper/shkeeperService.tsand payout flowsbackend/src/services/payment/paymentCoordinator.tsbefore completion transitions.
- Create an internal service contract for setting/releasing hold after dispute open/resolve.
- Add guard tests for blocked release and allowed release post-override.
Owner / dependencies
- Owner: Escrow/payment platform team.
- Depends on: dispute subsystem availability / status source-of-truth.
PRD 4: Strengthen DePay/Web3 verification semantics (P1)
Problem
backend/src/services/payment/decentralizedPaymentService.tsverifies onlyreceipt.status === '0x1', without validating destination token, recipient, and amount mapping.
Acceptance criteria
- Verification loads the transaction receipt + logs + token-decoding and validates:
- correct recipient address (
toAddress) - expected token contract (
token) - minimum amount with decimals.
- correct recipient address (
- Reject/flag ambiguous payloads and store verifier evidence in
Payment.metadata. - Add idempotency/duplicate handling for repeated verification requests.
Risk assessment
- Threat: Fraudulent transaction proofing and false-positive confirmations.
- Likelihood: Medium.
- Impact: High (unauthorized balance movement/false completion).
- Mitigation: Strict recipient/token/amount checks + explicit failure reason mapping.
- Residual risk: Medium (chain/protocol variance).
Delivery plan
- Extend verifier schema for expected transfer contract/address/decimals.
- Decode ERC-20
Transferevent and compare against expected values. - Mark and persist
verificationFingerprintto prevent replay/double-processing. - Return canonical failure reasons for observability.
Owner / dependencies
- Owner: Payments + blockchain service team.
- Depends on: RPC/provider reliability and token ABI metadata.
PRD 5: Lock Socket.IO user room joins to authenticated context (P2)
Problem
backend/src/app.tsallowsjoin-user-room,join-buyer-room, andjoin-seller-roomevents from arbitrary input IDs with no identity binding.
Acceptance criteria
- Server derives room membership from validated
socketidentity after token handshake. - Reject mismatched room join attempts with server-side authorization checks.
- Preserve real-time event behavior for legitimate users.
Risk assessment
- Threat: Event channel interception and privacy leakage.
- Likelihood: Medium.
- Impact: High (notifications/messages for wrong user).
- Mitigation: Server-authorized socket-to-user mapping and middleware verification.
- Residual risk: Low (requires active socket auth and client migration).
Delivery plan
- Add token validation middleware on socket connection.
- Replace client-sent ID room joins with authenticated identity joins.
- Add per-room join/emit checks in critical publishers.
- Add monitoring for room-join failures and suspicious activity.
Owner / dependencies
- Owner: Real-time platform team.
- Depends on: frontend socket auth handshake updates.
PRD 6: Re-enable and scope rate limiting for public-sensitive paths (P2)
Problem
backend/src/app.tshas comments and code indicating rate limiting is disabled globally.
Acceptance criteria
- Re-enable limiter at edge level with sensible defaults.
- Use stricter quotas for auth/financial/AI endpoints.
- Keep lightweight paths (public listings, static read APIs) at higher budgets.
Risk assessment
- Threat: Brute-force/log abuse, AI cost exhaustion, webhook abuse.
- Likelihood: High.
- Impact: Medium-High (operational availability and cost).
- Mitigation: Endpoint-tiered limiter with trusted network exceptions and observability.
- Residual risk: Medium (false positives on legitimate spikes).
Delivery plan
- Restore global limiter with default relaxed values.
- Add stricter route-level windows for
/api/auth/*,/api/payment/*,/api/ai/*. - Add alerts on repeated 429s and limit misconfigurations.
Owner / dependencies
- Owner: Platform infrastructure/security team.
Documentation and API alignment follow-up (P2)
- Where docs refer to
backend/src/services/dispute/*andbackend/src/services/dispute/disputeRoutes.ts, either implement that module or update architecture/API/docs to current repository reality. - Normalize enum/action naming across:
02 - Data Models/*03 - API Reference/*04 - Flows/*
Delivery sequencing suggestion
- PRD 1 (security/auth)
- PRD 6 (rate limiting)
- PRD 2 (passkeys)
- PRD 4 (verification trust)
- PRD 5 (socket hardening)
- PRD 3 (dispute hold controls)
- Documentation/API alignment