senke
|
51984e9a1f
|
feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities
Backend API CI / test-unit (push) Failing after 0s
Backend API CI / test-integration (push) Failing after 0s
- OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001)
- Remove PasswordService.GenerateJWT (VEZA-SEC-002)
- Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005)
- Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006)
- Waveform: ValidateExecPath before exec (VEZA-SEC-007)
|
2026-02-26 19:34:45 +01:00 |
|
senke
|
32348bebce
|
feat(developer): add API keys backend (Lot C)
- Migration 082: api_keys table (user_id, name, prefix, hashed_key, scopes, last_used_at, expires_at)
- APIKey model, APIKeyService (Create, List, Delete, ValidateAPIKey)
- APIKeyHandler: GET/POST/DELETE /api/v1/developer/api-keys
- AuthMiddleware: X-API-Key and Bearer vza_* accepted as alternative to JWT
- CSRF: skip for API key auth (stateless)
- Key format: vza_ prefix, SHA-256 hashed storage
|
2026-02-20 00:18:36 +01:00 |
|
senke
|
f8aa42df20
|
[BE-TEST-017] be-test: Add security tests for authorization
- Created comprehensive authorization test suite
- Tests verify unauthorized access is blocked (401/403)
- Tests cover: no token, invalid token, expired token
- Tests verify role-based access control (admin, creator, regular user)
- Tests verify ownership checks and admin override
- Tests verify token version mismatch protection
Phase: PHASE-5
Priority: P2
Progress: 138/267 (51.69%)
|
2025-12-25 02:00:56 +01:00 |
|