Security audit: fix IDOR, add rate limiting, HMAC auth, token hashing, XSS sanitization

Critical: Add ownership checks to all order routes (IDOR fix).
High: Redis rate limiting on auth endpoints, HMAC-signed internal
service calls replacing header-presence-only checks, nh3 HTML
sanitization on ghost_sync and product import, internal auth on
market API endpoints, SHA-256 hashed OAuth grant/code tokens.
Medium: SECRET_KEY production guard, AP signature enforcement,
is_admin param removal, cart_sid validation, SSRF protection on
remote actor fetch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 13:30:27 +00:00
parent 404449fcab
commit c015f3f02f
27 changed files with 607 additions and 33 deletions


@@ -57,10 +57,13 @@ async def protect() -> None:
if _is_exempt_endpoint():
return
# Internal service-to-service calls are already gated by header checks
# and only reachable on the Docker overlay network.
# Internal service-to-service calls — validate HMAC signature
if request.headers.get("X-Internal-Action") or request.headers.get("X-Internal-Data"):
return
from shared.infrastructure.internal_auth import validate_internal_request
if validate_internal_request():
return
# Reject unsigned internal requests
abort(403, "Invalid internal request signature")
session_token = qsession.get("csrf_token")
if not session_token:
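Review bot: the new branch at `if validate_internal_request(): return` followed by `abort(403, "Invalid internal request signature")` needs a gate that distinguishes "not an internal call at all" from "internal call with a bad signature"; as rendered, the hunk does not show whether the `X-Internal-Action` / `X-Internal-Data` header check above it survives, and if it was dropped, every ordinary browser request that lacks an internal signature will be rejected with 403 before it ever reaches the `csrf_token` check on the next line. Either keep the header-presence test as the outer condition and only call `validate_internal_request()` inside it, or have `validate_internal_request()` return a three-way result (not internal / valid / invalid) and abort only on invalid. Two smaller points: the comment "and only reachable on the Docker overlay network" is being dropped, so the HMAC check is now the sole control and should be documented as such at the call site; and the local `from shared.infrastructure.internal_auth import validate_internal_request` inside `protect()` hides an import cycle if one exists, so a module-level import would be preferable unless the cycle is real, in which case a comment should say so. Also worth confirming in `internal_auth` (not visible here) that the signature covers a timestamp or nonce so a captured signed request cannot be replayed.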