senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2059 commits 37 branches 94 tags 1.5 GiB
Commit graph

7 commits

Author SHA1 Message Date
senke
2df921abd5 v0.9.1 2026-03-05 19:22:31 +01:00
senke
51984e9a1f feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities
Some checks failed
Backend API CI / test-unit (push) Failing after 0s
Details
Backend API CI / test-integration (push) Failing after 0s
Details 
- OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001)
- Remove PasswordService.GenerateJWT (VEZA-SEC-002)
- Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005)
- Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006)
- Waveform: ValidateExecPath before exec (VEZA-SEC-007)
 2026-02-26 19:34:45 +01:00
senke
32348bebce feat(developer): add API keys backend (Lot C) 
- Migration 082: api_keys table (user_id, name, prefix, hashed_key, scopes, last_used_at, expires_at)
- APIKey model, APIKeyService (Create, List, Delete, ValidateAPIKey)
- APIKeyHandler: GET/POST/DELETE /api/v1/developer/api-keys
- AuthMiddleware: X-API-Key and Bearer vza_* accepted as alternative to JWT
- CSRF: skip for API key auth (stateless)
- Key format: vza_ prefix, SHA-256 hashed storage
 2026-02-20 00:18:36 +01:00
senke
759154e660 fix(auth): add Redis lock for concurrent refresh token requests 2026-02-14 18:29:37 +01:00
senke
1ebbb06315 [FE-PAGE-015] fe-page: Add Analytics page 2025-12-25 11:25:06 +01:00
senke
f8aa42df20 [BE-TEST-017] be-test: Add security tests for authorization 
- Created comprehensive authorization test suite
- Tests verify unauthorized access is blocked (401/403)
- Tests cover: no token, invalid token, expired token
- Tests verify role-based access control (admin, creator, regular user)
- Tests verify ownership checks and admin override
- Tests verify token version mismatch protection

Phase: PHASE-5
Priority: P2
Progress: 138/267 (51.69%)
 2025-12-25 02:00:56 +01:00
senke
6e4a3578c9 [BE-TEST-016] be-test: Add security tests for injection attacks 
- Created comprehensive security test suite for SQL injection, XSS, and command injection
- Added 30+ SQL injection test payloads
- Added 50+ XSS test payloads
- Added 30+ command injection test payloads
- Tests verify GORM parameterized queries protection
- Tests verify input sanitization utilities
- Added README documentation for security tests

Phase: PHASE-5
Priority: P2
Progress: 137/267 (51.31%)
 2025-12-25 01:57:59 +01:00