fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1): - Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation (jti denylist + tokens_valid_from) still enforced. - Change-password now requires min_length=12. - SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream. Removed dead fail-open get_stream_user helper. Egress (V5.1.1, V9.1.1/V14.1.3): - Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/ metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE. - UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now defaults True. Hardening (V13.1.3, V4.1.4, V13.1.2): - Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create (20/min), host-delete (20/min) via the existing slowapi limiter. - Correct false 'global auth middleware' comment; document enroll-bundle proxy trust. Correctness (BUG-7..11): - BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling); BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities; BUG-11 normalize naive timestamps to UTC. Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for every fix; unanimous adversarial review.
2026-06-10 12:32:15 -04:00
parent 6a8af315fb
commit d80e6aa6d1
37 changed files with 1414 additions and 121 deletions
--- a/decnet/web/router/auth/api_sse_ticket.py
+++ b/decnet/web/router/auth/api_sse_ticket.py
@@ -0,0 +1,39 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""Mint a single-use, short-lived SSE stream ticket (V3.1.1).
+
+EventSource cannot send an Authorization header, so SSE auth used to ride in
+``?token=<JWT>`` — leaking the full-lifetime bearer into access/proxy logs,
+browser history, and Referer. This endpoint lets an already-authenticated
+client (gated by the NORMAL header JWT via ``require_viewer``) exchange that
+header credential for an opaque ``secrets.token_urlsafe(32)`` ticket, valid for
+60s and single-use, which it then passes to the SSE endpoint as ``?ticket=``.
+The JWT never appears in any URL.
+
+The ticket store lives in-process (decnet.web.dependencies); multi-process
+deployments need a shared store — out of scope, see that module's note.
+"""
+from fastapi import APIRouter, Depends
+
+from decnet.telemetry import traced as _traced
+from decnet.web.dependencies import mint_sse_ticket, require_viewer, _SSE_TICKET_TTL
+from decnet.web.db.models.auth import SSETicketResponse
+
+router = APIRouter()
+
+
+@router.post(
+    "/auth/sse-ticket",
+    tags=["Authentication"],
+    response_model=SSETicketResponse,
+    responses={
+        400: {"description": "Malformed request body"},
+        401: {"description": "Missing or invalid credentials"},
+        403: {"description": "Authenticated but not authorized"},
+    },
+)
+@_traced("api.sse_ticket")
+async def mint_stream_ticket(user: dict = Depends(require_viewer)) -> SSETicketResponse:
+    """Exchange the presented header JWT for a single-use 60s SSE ticket bound to
+    this user's uuid + role. Any authenticated (viewer or admin) user may mint."""
+    ticket = mint_sse_ticket(user["uuid"], user["role"])
+    return SSETicketResponse(ticket=ticket, expires_in=int(_SSE_TICKET_TTL))