Security audit: fix IDOR, add rate limiting, HMAC auth, token hashing, XSS sanitization

Critical: Add ownership checks to all order routes (IDOR fix). High: Redis rate limiting on auth endpoints, HMAC-signed internal service calls replacing header-presence-only checks, nh3 HTML sanitization on ghost_sync and product import, internal auth on market API endpoints, SHA-256 hashed OAuth grant/code tokens. Medium: SECRET_KEY production guard, AP signature enforcement, is_admin param removal, cart_sid validation, SSRF protection on remote actor fetch. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 13:30:27 +00:00
parent 404449fcab
commit c015f3f02f
27 changed files with 607 additions and 33 deletions
--- a/shared/infrastructure/data_client.py
+++ b/shared/infrastructure/data_client.py
@@ -13,6 +13,8 @@ import os

 import httpx

+from shared.infrastructure.internal_auth import sign_internal_headers
+
 log = logging.getLogger(__name__)

 # Re-usable async client (created lazily, one per process)
@@ -66,10 +68,11 @@ async def fetch_data(
    base = _internal_url(app_name)
    url = f"{base}/internal/data/{query_name}"
    try:
+        headers = {DATA_HEADER: "1", **sign_internal_headers(app_name)}
        resp = await _get_client().get(
            url,
            params=params,
-            headers={DATA_HEADER: "1"},
+            headers=headers,
            timeout=timeout,
        )
        if resp.status_code == 200: