anti
d80e6aa6d1
Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1): - Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation (jti denylist + tokens_valid_from) still enforced. - Change-password now requires min_length=12. - SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream. Removed dead fail-open get_stream_user helper. Egress (V5.1.1, V9.1.1/V14.1.3): - Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/ metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE. - UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now defaults True. Hardening (V13.1.3, V4.1.4, V13.1.2): - Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create (20/min), host-delete (20/min) via the existing slowapi limiter. - Correct false 'global auth middleware' comment; document enroll-bundle proxy trust. Correctness (BUG-7..11): - BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling); BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities; BUG-11 normalize naive timestamps to UTC. Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for every fix; unanimous adversarial review.
63 lines
2.3 KiB
Python
63 lines
2.3 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
import asyncio
|
|
from datetime import datetime, timedelta, timezone
|
|
from typing import Optional, Any
|
|
import jwt
|
|
import bcrypt
|
|
|
|
from decnet.env import DECNET_JWT_SECRET, DECNET_JWT_EXP_MINUTES
|
|
|
|
SECRET_KEY: str = DECNET_JWT_SECRET
|
|
ALGORITHM: str = "HS256"
|
|
ACCESS_TOKEN_EXPIRE_MINUTES: int = DECNET_JWT_EXP_MINUTES
|
|
|
|
# Pinned issuer/audience/type so a token signed with DECNET_JWT_SECRET for any
|
|
# OTHER purpose (or by a future co-tenant of the secret) is not accepted by the
|
|
# dashboard verifier. Issuance stamps these; _decode_payload requires + verifies
|
|
# them. Keep these two modules in lockstep — they are a single trust contract.
|
|
JWT_ISSUER: str = "decnet"
|
|
JWT_AUDIENCE: str = "decnet-dashboard"
|
|
JWT_TYPE: str = "access"
|
|
|
|
|
|
def verify_password(plain_password: str, hashed_password: str) -> bool:
|
|
return bcrypt.checkpw(
|
|
plain_password.encode("utf-8")[:72],
|
|
hashed_password.encode("utf-8")
|
|
)
|
|
|
|
|
|
def get_password_hash(password: str) -> str:
|
|
# Use a cost factor of 12 (default for passlib/bcrypt)
|
|
_salt: bytes = bcrypt.gensalt(rounds=12)
|
|
_hashed: bytes = bcrypt.hashpw(password.encode("utf-8")[:72], _salt)
|
|
return _hashed.decode("utf-8")
|
|
|
|
|
|
async def averify_password(plain_password: str, hashed_password: str) -> bool:
|
|
# bcrypt is CPU-bound and ~250ms/call; keep it off the event loop.
|
|
return await asyncio.to_thread(verify_password, plain_password, hashed_password)
|
|
|
|
|
|
async def ahash_password(password: str) -> str:
|
|
return await asyncio.to_thread(get_password_hash, password)
|
|
|
|
|
|
def create_access_token(data: dict[str, Any], expires_delta: Optional[timedelta] = None) -> str:
|
|
_to_encode: dict[str, Any] = data.copy()
|
|
_expire: datetime
|
|
if expires_delta:
|
|
_expire = datetime.now(timezone.utc) + expires_delta
|
|
else:
|
|
_expire = datetime.now(timezone.utc) + timedelta(minutes=15)
|
|
|
|
_to_encode.update({"exp": _expire})
|
|
_to_encode.update({"iat": datetime.now(timezone.utc)})
|
|
# Pin issuer / audience / token-type so the verifier can reject tokens
|
|
# minted for any other purpose with the same shared secret.
|
|
_to_encode.setdefault("iss", JWT_ISSUER)
|
|
_to_encode.setdefault("aud", JWT_AUDIENCE)
|
|
_to_encode.setdefault("typ", JWT_TYPE)
|
|
_encoded_jwt: str = jwt.encode(_to_encode, SECRET_KEY, algorithm=ALGORITHM)
|
|
return _encoded_jwt
|