Implement critical security improvements for authentication #45

Merged
cameron merged 6 commits from feature/security-improvements into master 2026-01-02 22:01:40 +00:00
Owner

This commit addresses several security vulnerabilities in the authentication
and authorization system:

  1. JWT Encoding Panic Fix (Critical)

    • Replace .unwrap() with proper error handling in JWT token generation
    • Prevents server crashes from encoding failures
    • Returns HTTP 500 with error logging instead of panicking
  2. Rate Limiting for Login Endpoint (Critical)

    • Add actix-governor dependency (v0.5)
    • Configure rate limiter: 2 requests/sec with burst of 5
    • Protects against brute-force authentication attacks
  3. Strengthen Password Requirements

    • Minimum length increased from 6 to 12 characters
    • Require uppercase, lowercase, numeric, and special characters
    • Add comprehensive validation with clear error messages
  4. Fix Token Parsing Vulnerability

    • Replace unsafe split().last().unwrap_or() pattern
    • Use strip_prefix() for proper Bearer token validation
    • Return InvalidToken error for malformed Authorization headers
  5. Improve Authentication Logging

    • Sanitize error messages to avoid leaking user existence
    • Change from "User not found or incorrect password" to "Failed login attempt"

All changes tested and verified with existing test suite (65/65 tests passing).
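As an added illustration of item 4 (not the project's own code): the replaced `split().last().unwrap_or()` pattern beside the `strip_prefix()` form, with `AuthError` an assumed stand-in for the crate's error type.

```rust
// Added example, not code from this PR. AuthError is an assumed stand-in
// for the project's error type; the header strings below are constructed.
#[derive(Debug, PartialEq)]
pub enum AuthError {
    InvalidToken,
}

/// "Before": takes whatever follows the last space. The scheme is never
/// checked, so "Basic abc", a bare "abc" and the word "Bearer" itself all
/// come back as a "token" (split always yields at least one item, so the
/// unwrap_or("") fallback never fires).
pub fn extract_token_before(header: &str) -> &str {
    header.split(' ').last().unwrap_or("")
}

/// "After": only a header that literally starts with "Bearer " is accepted;
/// anything else is reported as InvalidToken rather than silently parsed.
pub fn extract_token_after(header: &str) -> Result<&str, AuthError> {
    let token = header.strip_prefix("Bearer ").ok_or(AuthError::InvalidToken)?;
    // Reject "Bearer " with nothing after it, and tokens containing whitespace,
    // which a well-formed compact JWT never does.
    if token.is_empty() || token.contains(char::is_whitespace) {
        return Err(AuthError::InvalidToken);
    }
    Ok(token)
}

fn main() {
    // Constructed sample headers: the first is well-formed, the rest are not.
    let headers = [
        "Bearer eyJhbGciOi.payload.sig",
        "Basic dXNlcjpwdw==",
        "eyJhbGciOi.payload.sig",
        "Bearer",
        "Bearer ",
    ];
    for h in headers {
        println!(
            "{:?}: before={:?} after={:?}",
            h,
            extract_token_before(h),
            extract_token_after(h)
        );
    }
}
```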

cameron added 1 commit 2025-12-27 04:55:38 +00:00
This commit addresses several security vulnerabilities in the authentication
and authorization system:

1. JWT Encoding Panic Fix (Critical)
   - Replace .unwrap() with proper error handling in JWT token generation
   - Prevents server crashes from encoding failures
   - Returns HTTP 500 with error logging instead of panicking

2. Rate Limiting for Login Endpoint (Critical)
   - Add actix-governor dependency (v0.5)
   - Configure rate limiter: 2 requests/sec with burst of 5
   - Protects against brute-force authentication attacks

3. Strengthen Password Requirements
   - Minimum length increased from 6 to 12 characters
   - Require uppercase, lowercase, numeric, and special characters
   - Add comprehensive validation with clear error messages

4. Fix Token Parsing Vulnerability
   - Replace unsafe split().last().unwrap_or() pattern
   - Use strip_prefix() for proper Bearer token validation
   - Return InvalidToken error for malformed Authorization headers

5. Improve Authentication Logging
   - Sanitize error messages to avoid leaking user existence
   - Change from "User not found or incorrect password" to "Failed login attempt"

All changes tested and verified with existing test suite (65/65 tests passing).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
cameron added 1 commit 2025-12-29 17:28:27 +00:00
cameron added 1 commit 2025-12-29 19:29:37 +00:00
cameron added 1 commit 2025-12-29 23:50:03 +00:00
cameron added 1 commit 2025-12-30 00:51:30 +00:00
cameron added 1 commit 2025-12-30 02:54:34 +00:00
cameron merged commit 878465fea9 into master 2026-01-02 22:01:40 +00:00
cameron deleted branch feature/security-improvements 2026-01-02 22:01:40 +00:00
Reference: Apps/ImageApi#45