warpbox/TO-DO.md

# WarpBox Security TO-DO

## 1) High Priority (Do Next)

- [ ] Persist IP bans across restarts
  - Current: bans stored in-memory (`lib/security/guard.go`)
  - Target: durable store in `DBDir` (similar style to `activity`/`alerts`)
  - Include: startup load, expiry cleanup, atomic writes, corruption-safe fallback

- [ ] Add trusted proxy CIDR config
  - Current: forwarded headers trusted only when remote hop is private/local (`lib/server/ip.go`)
  - Risk: heuristic-only trust model
  - Target:
    - `WARPBOX_TRUSTED_PROXY_CIDRS` setting
    - trust `X-Forwarded-For` only when `RemoteAddr` in trusted CIDR
    - fallback to direct remote IP otherwise

- [ ] Add CIDR/range support for whitelists
  - Current: exact IP match only (`WARPBOX_SECURITY_IP_WHITELIST`, `WARPBOX_SECURITY_ADMIN_IP_WHITELIST`)
  - Target: support exact IP + CIDR entries
  - Include strict parser + validation errors in settings save

- [ ] Add unban / ban edit API audit trail hardening
  - Ensure all manual ban/unban/ban-until actions always write:
    - activity event
    - alert (or policy-based selective alerting)
  - Add tests for these paths

## 2) Medium Priority

- [ ] GeoIP integration for security detail pane
  - Current: placeholder fields in `/admin/security`
  - Target: wire geoipfast provider for country/region/ASN fields
  - Add caching + timeout/failure-safe behavior

- [ ] Expand malicious path detection rules
  - Current: simple substring checks in `handleNoRoute`
  - Target:
    - rule list/pattern config
    - normalize URL + decode checks
    - classify severity by signature group

- [ ] Add global abuse score per IP
  - Combine signals:
    - failed admin auth
    - malicious path scans
    - upload abuse
  - Use score to escalate ban duration automatically

- [ ] Ban duration policy ladder
  - Current: fixed `WARPBOX_SECURITY_BAN_SECONDS`
  - Target:
    - progressive durations (e.g., 30m, 2h, 24h)
    - reset after quiet period

- [ ] Add security settings validation UX
  - Ensure invalid values (negative, malformed lists, invalid CIDR) rejected with clear UI errors
  - Add server tests for malformed security override payloads

## 3) Admin UX Follow-Ups

- [ ] Add dedicated “Active Bans” page-level controls
  - bulk unban
  - filter/sort by expiry and IP
  - copy IP and quick search in activity/alerts

- [ ] Add “why banned” detail
  - link ban entry to latest triggering events and alerts
  - show counts in active windows (login/scan/upload)

- [ ] Add optional confirmation modal for destructive security actions
  - unban all / bulk unban / long custom bans

## 4) Testing & QA

- [ ] Add unit tests for `lib/security/guard.go`
  - `Ban`, `BanUntil`, `Unban`, `BanList` expiry pruning
  - login/scan threshold behavior
  - upload rate limiting behavior

- [ ] Add tests for real-IP resolution edge cases (`lib/server/ip.go`)
  - direct client
  - trusted proxy chain
  - spoofed forwarding headers from untrusted remote

- [ ] Add integration tests for security endpoints
  - `/admin/security/actions` ban/ban_until/unban
  - `/admin/alerts/actions`
  - admin login brute-force auto-ban flow

- [ ] Add concurrency/race test pass in CI
  - run `go test ./... -race` in workflow (where Go toolchain available)

## 5) Operational / Deployment

- [ ] Document reverse-proxy setup requirements
  - Caddy / ingress config examples for forwarding headers
  - guidance for trusted proxy CIDRs

- [ ] Add security runbook
  - how to investigate alerts
  - how to ban/unban safely
  - how to tune thresholds for low/high traffic environments

- [ ] Add metrics hooks (future)
  - counts: blocked requests, bans issued, unbans, alert volume
  - expose to Prometheus-compatible endpoint later

## 6) Nice-to-Have (Later)

- [ ] Optional external enforcement bridge (fail2ban-compatible log format)
- [ ] Webhook notifications for high-severity security alerts
- [ ] Per-account/API-key limits once account system matures