Week 1 Day 2-3: Complete remaining security fixes (SEC-6 through SEC-13)

Security Improvements:
- SEC-6: Remove password logging - write to secure file instead
- SEC-7: Add CSP headers for XSS prevention
- SEC-9: Explicitly configure Argon2id password hashing
- SEC-11: Restrict CORS to specific origins (production + localhost)
- SEC-12: Implement comprehensive security headers
- SEC-13: Explicit JWT expiration enforcement

Completed Features:
✓ Password credentials written to .admin-credentials file (600 permissions)
✓ CSP headers prevent XSS attacks
✓ Argon2id explicitly configured (Algorithm::Argon2id)
✓ CORS restricted to connect.azcomputerguru.com + localhost
✓ Security headers: X-Frame-Options, X-Content-Type-Options, etc.
✓ JWT expiration strictly enforced (validate_exp=true, leeway=0)

Files Created:
- server/src/middleware/security_headers.rs
- WEEK1_DAY2-3_SECURITY_COMPLETE.md

Files Modified:
- server/src/main.rs (password file write, CORS, security headers)
- server/src/auth/jwt.rs (explicit expiration validation)
- server/src/auth/password.rs (explicit Argon2id)
- server/src/middleware/mod.rs (added security_headers)

Week 1 Progress: 10/13 items complete (77%)
Compilation: SUCCESS (53 warnings, 0 errors)
Risk Level: CRITICAL → LOW/MEDIUM

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

projects/msp-tools/guru-connect/server/src/main.rs

@@ -28,7 +28,8 @@ use axum::{
 };
 use std::net::SocketAddr;
 use std::sync::Arc;
-use tower_http::cors::{Any, CorsLayer};
+use tower_http::cors::{Any, CorsLayer, AllowOrigin};
+use axum::http::{Method, HeaderValue};
 use tower_http::trace::TraceLayer;
 use tower_http::services::ServeDir;
 use tracing::{info, Level};
@@ -133,12 +134,35 @@ async fn main() -> Result<()> {
                         ];
                         let _ = db::set_user_permissions(db.pool(), user.id, &perms).await;
 
-                        info!("========================================");
-                        info!("  INITIAL ADMIN USER CREATED");
-                        info!("  Username: admin");
-                        info!("  Password: {}", password);
-                        info!("  (Change this password after first login!)");
-                        info!("========================================");
+                        // SEC-6: Write credentials to secure file instead of logging
+                        let creds_file = ".admin-credentials";
+                        match std::fs::write(creds_file, format!("Username: admin\nPassword: {}\n\nWARNING: Change this password immediately after first login!\nDelete this file after copying the password.\n", password)) {
+                            Ok(_) => {
+                                // Set restrictive permissions (Unix only)
+                                #[cfg(unix)]
+                                {
+                                    use std::os::unix::fs::PermissionsExt;
+                                    let _ = std::fs::set_permissions(creds_file, std::fs::Permissions::from_mode(0o600));
+                                }
+
+                                info!("========================================");
+                                info!("  INITIAL ADMIN USER CREATED");
+                                info!("  Credentials written to: {}", creds_file);
+                                info!("  (Read file, change password, then delete file)");
+                                info!("========================================");
+                            }
+                            Err(e) => {
+                                // Fallback to logging if file write fails (but warn about security)
+                                tracing::warn!("Could not write credentials file: {}", e);
+                                info!("========================================");
+                                info!("  INITIAL ADMIN USER CREATED");
+                                info!("  Username: admin");
+                                info!("  Password: {}", password);
+                                info!("  WARNING: Password logged due to file write failure!");
+                                info!("  (Change this password immediately!)");
+                                info!("========================================");
+                            }
+                        }
                     }
                     Err(e) => {
                         tracing::error!("Failed to create initial admin user: {}", e);
@@ -266,13 +290,29 @@ async fn main() -> Result<()> {
         .fallback_service(ServeDir::new("static").append_index_html_on_directories(true))
 
         // Middleware
+        .layer(axum_middleware::from_fn(middleware::add_security_headers))  // SEC-7 & SEC-12
         .layer(TraceLayer::new_for_http())
-        .layer(
-            CorsLayer::new()
-                .allow_origin(Any)
-                .allow_methods(Any)
-                .allow_headers(Any),
-        );
+        // SEC-11: Restricted CORS configuration
+        .layer({
+            let cors = CorsLayer::new()
+                // Allow requests from the production domain and localhost (for development)
+                .allow_origin([
+                    "https://connect.azcomputerguru.com".parse::<HeaderValue>().unwrap(),
+                    "http://localhost:3002".parse::<HeaderValue>().unwrap(),
+                    "http://127.0.0.1:3002".parse::<HeaderValue>().unwrap(),
+                ])
+                // Allow only necessary HTTP methods
+                .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE, Method::OPTIONS])
+                // Allow common headers needed for API requests
+                .allow_headers([
+                    axum::http::header::AUTHORIZATION,
+                    axum::http::header::CONTENT_TYPE,
+                    axum::http::header::ACCEPT,
+                ])
+                // Allow credentials (cookies, auth headers)
+                .allow_credentials(true);
+            cors
+        });
 
     // Start server
     let addr: SocketAddr = listen_addr.parse()?;