|
| 1 | +### Quick orientation — cbsecurity (ColdBox module) |
| 2 | + |
| 3 | +This repository is a ColdBox module that provides a request firewall, annotation-driven security, JWT handling, CSRF integration, and security headers. |
| 4 | + |
| 5 | +Keep guidance short and actionable. Prefer small, verifiable edits and reference the real files below. |
| 6 | + |
| 7 | +1) Big picture |
| 8 | +- ColdBox module: entrypoint and wiring in `ModuleConfig.cfc` and `models/CBSecurity.cfc`. |
| 9 | +- Runtime protection happens in the `cbsecurity.interceptors.Security` interceptor (`interceptors/Security.cfc`) which: |
| 10 | + - loads and normalizes rules via `helpers/RulesLoader` (see `models/util/RulesLoader.cfc`), |
| 11 | + - delegates validation to a Validator (default: `models/validators/AuthValidator.cfc`) via `ruleValidator()` and `annotationValidator()`, |
| 12 | + - processes rule actions (redirect/override/block) and emits interception events (`cbSecurity_onInvalidAuthentication`, etc.). |
| 13 | + |
| 14 | +2) Where to make changes |
| 15 | +- Business logic & APIs: `models/` (e.g. `models/jwt/JwtService.cfc`, `models/CBSecurity.cfc`). |
| 16 | +- Request enforcement: `interceptors/Security.cfc` (rule matching, IP/HTTP method validation, event overrides). |
| 17 | +- Validation strategies: `models/validators/*` — to change how auth/authorization decisions are made. |
| 18 | +- Module defaults & wiring: `ModuleConfig.cfc` and `box.json` for dependencies and scripts. |
| 19 | + |
| 20 | +3) Developer workflows (how to run, test, build) |
| 21 | +- Install deps and test harness: `box install` at repo root, then `cd test-harness && box install` (or use `box install` from root — `box.json` has `install:dependencies`). |
| 22 | +- Run local server for integration/test harness: `box server start server-lucee@5.json` (see `box.json` scripts `start:lucee` / `start:2023`). |
| 23 | +- Run tests: this repo uses TestBox. The package `box.json` test runner is configured to `http://localhost:60299/tests/runner.cfm` and `build/Build.cfc` calls `testbox run`. Start the server, then open that URL or run `box testbox run runner=http://localhost:60299/tests/runner.cfm`. |
| 24 | +- Useful npm-like tasks are defined in `box.json` under `scripts` (e.g. `box task run taskFile=build/Build.cfc` used by CI). In VSCode use the Task `Run CommandBox Task`. |
| 25 | + |
| 26 | +4) Patterns & conventions to follow |
| 27 | +- Validators expose `ruleValidator(rule, controller)` and `annotationValidator(securedValue, controller)`. Return shape: { allow:boolean, type: "authentication"|"authorization", messages:[] }. |
| 28 | +- Rules normalized by `RulesLoader` and stored in `properties.firewall.rules.inline`. Rule keys often used: `securelist`, `whitelist`, `httpMethods`, `allowedIPs`, `action`, `redirect`, `overrideEvent`. |
| 29 | +- When modifying or adding handlers, prefer ColdBox handler metadata (annotations) for security: see `test-harness/handlers/*` and `handlers/Jwt.cfc` for examples. |
| 30 | +- JWT integration relies on `models/jwt/JwtService.cfc` + `models/jwt/storages/*` and `jwt-cfml` dependency; preserve token storage API when changing. |
| 31 | + |
| 32 | +5) Events & integration points |
| 33 | +- Interceptor announces: `cbSecurity_onInvalidAuthentication`, `cbSecurity_onInvalidAuthorization`, `cbSecurity_onFirewallBlock` and many JWT lifecycle events (see `ModuleConfig.cfc` interceptorSettings). |
| 34 | +- Modules can register rules in their `ModuleConfig.cfc` and are merged into the global rules by `interceptors/Security.cfc` (see `registerModule()` / `postModuleLoad`). |
| 35 | + |
| 36 | +6) Tests & test-harness specifics |
| 37 | +- Test harness lives in `test-harness/`. It contains a minimal ColdBox app and TestBox specs (`test-harness/tests/specs/*`). Use it to run integration specs locally. |
| 38 | +- Runner: `test-harness/tests/runner.cfm` expects a running CF server on port 60299. Start via `box server start` using one of `server-*.json` files. |
| 39 | + |
| 40 | +7) Small, high-value tasks for AI agents |
| 41 | +- Add a focused unit test for a validator method in `test-harness/tests/specs/unit/`. |
| 42 | +- When changing behavior in `Security.cfc`, update `test-harness/tests/specs/integration/*` to cover rule matching and invalid action flows. |
| 43 | +- Preserve WireBox IDs and signatures when changing services (e.g. `authenticationService@cbauth`, `CacheStorage@cbstorages`). |
| 44 | + |
| 45 | +8) Safety and CI |
| 46 | +- CI uses the `build/Build.cfc` and `box.json` scripts. Do not modify CI scripts without updating `box.json` and `build/Build.cfc`. |
| 47 | + |
| 48 | +If anything above is unclear or missing (local server ports, preferred validator override patterns, or CI details), tell me which area to expand and I will iterate. |
0 commit comments