Security audit: fix IDOR, add rate limiting, HMAC auth, token hashing, XSS sanitization

Critical: Add ownership checks to all order routes (IDOR fix).
High: Redis rate limiting on auth endpoints, HMAC-signed internal
service calls replacing header-presence-only checks, nh3 HTML
sanitization on ghost_sync and product import, internal auth on
market API endpoints, SHA-256 hashed OAuth grant/code tokens.
Medium: SECRET_KEY production guard, AP signature enforcement,
is_admin param removal, cart_sid validation, SSRF protection on
remote actor fetch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 13:30:27 +00:00
parent 404449fcab
commit c015f3f02f
27 changed files with 607 additions and 33 deletions


@@ -1,4 +1,5 @@
from __future__ import annotations
import hashlib
from datetime import datetime
from sqlalchemy import String, Integer, DateTime, ForeignKey, func, Index
from sqlalchemy.orm import Mapped, mapped_column, relationship
@@ -6,21 +7,28 @@ from shared.db.base import Base
class OAuthCode(Base):
"""Short-lived authorization code issued during OAuth flow.
The ``code`` column is retained during migration but new codes store
only ``code_hash``. Lookups should use ``code_hash``.
"""
__tablename__ = "oauth_codes"
id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
code: Mapped[str] = mapped_column(String(128), unique=True, index=True, nullable=False)
code: Mapped[str | None] = mapped_column(String(128), nullable=True)
code_hash: Mapped[str | None] = mapped_column(String(64), unique=True, nullable=True, index=True)
user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
client_id: Mapped[str] = mapped_column(String(64), nullable=False)
redirect_uri: Mapped[str] = mapped_column(String(512), nullable=False)
expires_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
used_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
grant_token: Mapped[str | None] = mapped_column(String(128), nullable=True)
grant_token_hash: Mapped[str | None] = mapped_column(String(64), nullable=True)
created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())
user = relationship("User", backref="oauth_codes")
__table_args__ = (
Index("ix_oauth_code_code", "code", unique=True),
Index("ix_oauth_code_code_hash", "code_hash", unique=True),
Index("ix_oauth_code_user", "user_id"),
)
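Review bot: `import hashlib` is added at the top of the OAuthCode module, but nothing in the visible hunks uses it, while the sibling OAuthGrant module defines `hash_token` for the same SHA-256 scheme; if this module hashes codes with its own inline `hashlib.sha256(...)` call outside the hunk, the two hashing paths can drift (encoding, digest form) and lookups by `code_hash` would then miss. Prefer one canonical helper, e.g. `from <grant model module> import hash_token` (path to be confirmed), used for both `code_hash` and `grant_token_hash`. Note also that `grant_token_hash` is declared without an index while `token_hash` in OAuthGrant carries `index=True`; if grant tokens are looked up by their hash, it needs the same `index=True`. The class body may continue past the `__table_args__` tuple, outside this hunk.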


@@ -1,21 +1,31 @@
from __future__ import annotations
import hashlib
from datetime import datetime
from sqlalchemy import String, Integer, DateTime, ForeignKey, func, Index
from sqlalchemy.orm import Mapped, mapped_column, relationship
from shared.db.base import Base
def hash_token(token: str) -> str:
"""SHA-256 hash a token for secure DB storage."""
return hashlib.sha256(token.encode()).hexdigest()
class OAuthGrant(Base):
"""Long-lived grant tracking each client-app session authorization.
Created when the OAuth authorize endpoint issues a code. Tied to the
account session that issued it (``issuer_session``) so that logging out
on one device revokes only that device's grants.
The ``token`` column is retained during migration but new grants store
only ``token_hash``. Lookups should use ``token_hash``.
"""
__tablename__ = "oauth_grants"
id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
token: Mapped[str] = mapped_column(String(128), unique=True, nullable=False)
token: Mapped[str | None] = mapped_column(String(128), nullable=True)
token_hash: Mapped[str | None] = mapped_column(String(64), unique=True, nullable=True, index=True)
user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
client_id: Mapped[str] = mapped_column(String(64), nullable=False)
issuer_session: Mapped[str] = mapped_column(String(128), nullable=False, index=True)
@@ -26,7 +36,7 @@ class OAuthGrant(Base):
user = relationship("User", backref="oauth_grants")
__table_args__ = (
Index("ix_oauth_grant_token", "token", unique=True),
Index("ix_oauth_grant_token_hash", "token_hash", unique=True),
Index("ix_oauth_grant_issuer", "issuer_session"),
Index("ix_oauth_grant_device", "device_id", "client_id"),
)
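Review bot: `hash_token`'s docstring ("SHA-256 hash a token for secure DB storage") omits the precondition that makes an unsalted, single-round SHA-256 adequate: the input must be a high-entropy random token (presumably what the authorize endpoint generates), never a user-chosen or otherwise low-entropy secret, which would require a salted slow KDF instead. Suggested docstring: `"""Return the hex SHA-256 of *token* for at-rest storage. Suitable only for high-entropy random tokens, not for passwords or other low-entropy secrets."""`. Separately, rows created before this change keep a plaintext `token` with a NULL `token_hash`, so `token_hash`-only lookups will not match them until they are backfilled or expire; the class docstring's migration sentence should say so explicitly (`Pre-migration rows are unreachable via token_hash until backfilled.`). The OAuthGrant class body continues between the two hunks, outside this view.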