2c52cffd65
This commit addresses several security vulnerabilities in the authentication and authorization system: 1. JWT Encoding Panic Fix (Critical) - Replace .unwrap() with proper error handling in JWT token generation - Prevents server crashes from encoding failures - Returns HTTP 500 with error logging instead of panicking 2. Rate Limiting for Login Endpoint (Critical) - Add actix-governor dependency (v0.5) - Configure rate limiter: 2 requests/sec with burst of 5 - Protects against brute-force authentication attacks 3. Strengthen Password Requirements - Minimum length increased from 6 to 12 characters - Require uppercase, lowercase, numeric, and special characters - Add comprehensive validation with clear error messages 4. Fix Token Parsing Vulnerability - Replace unsafe split().last().unwrap_or() pattern - Use strip_prefix() for proper Bearer token validation - Return InvalidToken error for malformed Authorization headers 5. Improve Authentication Logging - Sanitize error messages to avoid leaking user existence - Change from "User not found or incorrect password" to "Failed login attempt" All changes tested and verified with existing test suite (65/65 tests passing). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1.5 KiB
1.5 KiB