senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2174 commits 37 branches 94 tags 1.5 GiB
Commit graph

12 commits

Author SHA1 Message Date
senke
71c15c2590 fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings 
Security fixes implemented:

CRITICAL:
- CRIT-001: IDOR on chat rooms — added IsRoomMember check before
  returning room data or message history (returns 404, not 403)
- CRIT-002: play_count/like_count exposed publicly — changed JSON
  tags to "-" so they are never serialized in API responses

HIGH:
- HIGH-001: TOCTOU race on marketplace downloads — transaction +
  SELECT FOR UPDATE on GetDownloadURL
- HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET
  with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256)
- HIGH-003: context.Background() bypass in user repository — full
  context propagation from handlers → services → repository (29 files)
- HIGH-004: Race condition on promo codes — SELECT FOR UPDATE
- HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE
- HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default
- HIGH-007: RGPD hard delete incomplete — added cleanup for sessions,
  settings, follows, notifications, audit_logs anonymization
- HIGH-008: RTMP callback auth weak — fail-closed when unconfigured,
  header-only (no query param), constant-time compare
- HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn
  and verifies IsHost before processing
- HIGH-010: Moderator self-strike — added issuedBy != userID check

MEDIUM:
- MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand
- MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256)

Updated REMEDIATION_MATRIX: 14 findings marked  CORRIGÉ.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 05:40:53 +01:00
senke
c96be67cbc feat(auth): v0.911 Keystone - OAuth and auth integration tests 
- Add access token blacklist on logout (VEZA-SEC-006)
- Extend OAuthService for mock provider injection in tests
- Add oauth_google_test.go: full OAuth Google flow with mocked provider
- Add oauth_github_test.go: OAuth GitHub flow with PKCE verification
- Add token_refresh_test.go: E2E refresh via httpOnly cookies
- Add logout_blacklist_test.go: E2E logout + token blacklist
- Fix testutils import path in resume_upload_test, track_quota_test
- Fix CreatorID -> UserID in track_quota_test
- Add test:integration script to package.json

Release: v0.911 Keystone
 2026-02-27 09:58:53 +01:00
senke
4c0be12465 release(v0.902): Sentinel - PKCE OAuth, token encryption, redirect validation, CHAT_JWT_SECRET 
- PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL
- CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest
- OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS
- CHAT_JWT_SECRET must differ from JWT_SECRET in production
- Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens
- Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010
 2026-02-26 19:49:15 +01:00
senke
6e204cc98a feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities 
- OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001)
- Remove PasswordService.GenerateJWT (VEZA-SEC-002)
- Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005)
- Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006)
- Waveform: ValidateExecPath before exec (VEZA-SEC-007)
 2026-02-26 19:34:45 +01:00
senke
6a1686aad8 feat(auth): add OAuth Spotify provider (A1) 2026-02-20 14:48:08 +01:00
senke
d86b27efdc fix(audit-1.8,1.9): implement OAuth user lookup, add cargo audit to CI 
- 1.8: Implement GetUserByOAuthID in database.go via federated_identities join
- 1.8: Use OAuth ID lookup first in oauth_service getOrCreateUser
- 1.9: Add cargo audit step to chat-ci.yml and stream-ci.yml

Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.8, 1.9
 2026-02-15 14:22:27 +01:00
senke
a5b347ec9c stabilisation commit 2026-01-04 01:44:23 +01:00
senke
d0fe8c8ad7 stabilizing veza-backend-api: phase 1 2025-12-16 11:23:49 -05:00
senke
d33c351ac6 refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
okinrev
8caa2fd7ca STABILISATION: phase 3–5 – API contract, tests & chat-server hardening 2025-12-06 17:21:59 +01:00
okinrev
94dac54d40 P0 UUID Phase A: migrations + backend Go UUID refactor 2025-12-04 02:15:48 +01:00
okinrev
2425c15b09 adding initial backend API (Go) 2025-12-03 20:29:37 +01:00