Fix 7 critical security bugs and 1 high-severity data loss bug

- CSRF: HMAC-signed double-submit cookie (server-bound, not raw compare)
- Keychain: execFileSync with arg arrays to prevent command injection
- Caddy config: always use structured generation, never accept raw config
- Templates: replace {{GENERATED_SECRET}} with crypto.randomBytes
- Caddyfile removal: move regex inside ctx.caddy.modify() to fix TOCTOU race
- Credentials: proper-lockfile for all file operations, fix key rotation
  to decrypt with old key before generating new key
- Service removal: filter by ID only, not AND with appTemplate

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

dashcaddy-api/csrf-protection.js

@@ -1,22 +1,36 @@
 /**
  * CSRF Protection Module
- * Implements double-submit cookie pattern for stateless CSRF protection
+ * Implements HMAC-signed double-submit cookie pattern for stateless CSRF protection.
+ * The cookie contains a random nonce; the header must carry the HMAC signature
+ * of that nonce computed with a server-side secret. An attacker who can inject
+ * a cookie still cannot forge the matching header without the secret.
  */
 
 const crypto = require('crypto');
+const cryptoUtils = require('./crypto-utils');
 
 const CSRF_TOKEN_LENGTH = 32;
 const CSRF_COOKIE_NAME = 'dashcaddy_csrf';
 const CSRF_HEADER_NAME = 'x-csrf-token';
 
 /**
- * Generate a cryptographically secure CSRF token
- * @returns {string} Base64URL-encoded random token
+ * Generate a cryptographically secure CSRF nonce
+ * @returns {string} Base64URL-encoded random nonce
  */
 function generateToken() {
   return crypto.randomBytes(CSRF_TOKEN_LENGTH).toString('base64url');
 }
 
+/**
+ * Compute HMAC signature for a CSRF nonce using the server-side encryption key
+ * @param {string} nonce - The random nonce to sign
+ * @returns {string} Base64URL-encoded HMAC signature
+ */
+function signToken(nonce) {
+  const key = cryptoUtils.loadOrCreateKey();
+  return crypto.createHmac('sha256', key).update(nonce).digest('base64url');
+}
+
 /**
  * Parse cookie header string into object
  * @param {string} cookieHeader - Cookie header value
@@ -35,25 +49,23 @@ function parseCookie(cookieHeader) {
 }
 
 /**
- * Middleware to set CSRF cookie on all requests
- * Generates and sets a new token if none exists
+ * Middleware to set CSRF cookie on all requests.
+ * Always generates a fresh nonce server-side (never trusts client-supplied values).
+ * The cookie holds the nonce; JavaScript must read it and send the HMAC signature
+ * in the x-csrf-token header. The /api/csrf-token endpoint provides the signature.
  */
 function csrfCookieMiddleware(req, res, next) {
-  const cookies = parseCookie(req.headers.cookie);
-  let csrfToken = cookies[CSRF_COOKIE_NAME];
+  // Always generate a fresh server-side nonce
+  const csrfNonce = generateToken();
 
-  // Generate new token if none exists
-  if (!csrfToken) {
-    csrfToken = generateToken();
-  }
+  // Store nonce + signature on request so endpoints can access them
+  req.csrfToken = signToken(csrfNonce);
+  req.csrfNonce = csrfNonce;
 
-  // Store token on request so endpoints can access it
-  req.csrfToken = csrfToken;
-
-  // Set cookie (SameSite=Strict for additional protection)
-  res.cookie(CSRF_COOKIE_NAME, csrfToken, {
-    httpOnly: false, // Must be readable by JavaScript for sending in headers
-    secure: false,   // Set to true in production with HTTPS
+  // Set cookie with the nonce (SameSite=Strict for additional protection)
+  res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
+    httpOnly: false, // Must be readable by JavaScript for signing
+    secure: true,
     sameSite: 'strict',
     path: '/',
     maxAge: 24 * 60 * 60 * 1000 // 24 hours
@@ -95,16 +107,21 @@ function csrfValidationMiddleware(req, res, next) {
     return next();
   }
 
-  // Get token from cookie
+  // Get nonce from cookie
   const cookies = parseCookie(req.headers.cookie);
-  const cookieToken = cookies[CSRF_COOKIE_NAME];
+  const cookieNonce = cookies[CSRF_COOKIE_NAME];
 
-  // Get token from header (case-insensitive)
+  // Get signed token from header (case-insensitive)
   const headerToken = req.headers[CSRF_HEADER_NAME] ||
                       req.headers[CSRF_HEADER_NAME.toLowerCase()];
 
-  // Validate both tokens exist
-  if (!cookieToken) {
+  // Skip CSRF for API key-authenticated requests (API keys are not sent automatically by browsers)
+  if (req.headers['x-api-key'] || (req.headers.authorization && req.headers.authorization.startsWith('Bearer '))) {
+    return next();
+  }
+
+  // Validate both values exist
+  if (!cookieNonce) {
     console.warn(`[CSRF] Missing CSRF cookie: ${method} ${req.path} from ${req.ip}`);
     return res.status(403).json({
       success: false,
@@ -122,22 +139,21 @@ function csrfValidationMiddleware(req, res, next) {
     });
   }
 
-  // Validate tokens match using constant-time comparison
+  // Validate that the header token is the correct HMAC signature of the cookie nonce
   try {
-    const cookieBuffer = Buffer.from(cookieToken, 'base64url');
+    const expectedSig = signToken(cookieNonce);
+    const expectedBuffer = Buffer.from(expectedSig, 'base64url');
     const headerBuffer = Buffer.from(headerToken, 'base64url');
 
-    // Ensure buffers are same length
-    if (cookieBuffer.length !== headerBuffer.length) {
+    if (expectedBuffer.length !== headerBuffer.length) {
       throw new Error('Token length mismatch');
     }
 
-    // Constant-time comparison
-    if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
+    if (!crypto.timingSafeEqual(expectedBuffer, headerBuffer)) {
       throw new Error('Token mismatch');
     }
 
-    // Tokens match - request is valid
+    // Signature valid — request is authentic
     next();
 
   } catch (err) {
@@ -155,6 +171,7 @@ module.exports = {
   CSRF_COOKIE_NAME,
   CSRF_HEADER_NAME,
   generateToken,
+  signToken,
   parseCookie,
   csrfCookieMiddleware,
   csrfValidationMiddleware