Apps/ImageApi
1
0
Fork 0
Code Issues Pull Requests 1 Releases Wiki Activity
Files
9cb923df9e2059c15de25a51499de167f11bd42e
ImageApi/Cargo.toml
Cameron 2c52cffd65 Implement critical security improvements for authentication 
This commit addresses several security vulnerabilities in the authentication
and authorization system:

1. JWT Encoding Panic Fix (Critical)
   - Replace .unwrap() with proper error handling in JWT token generation
   - Prevents server crashes from encoding failures
   - Returns HTTP 500 with error logging instead of panicking

2. Rate Limiting for Login Endpoint (Critical)
   - Add actix-governor dependency (v0.5)
   - Configure rate limiter: 2 requests/sec with burst of 5
   - Protects against brute-force authentication attacks

3. Strengthen Password Requirements
   - Minimum length increased from 6 to 12 characters
   - Require uppercase, lowercase, numeric, and special characters
   - Add comprehensive validation with clear error messages

4. Fix Token Parsing Vulnerability
   - Replace unsafe split().last().unwrap_or() pattern
   - Use strip_prefix() for proper Bearer token validation
   - Return InvalidToken error for malformed Authorization headers

5. Improve Authentication Logging
   - Sanitize error messages to avoid leaking user existence
   - Change from "User not found or incorrect password" to "Failed login attempt"

All changes tested and verified with existing test suite (65/65 tests passing).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-26 23:53:54 -05:00

51 lines
1.5 KiB
TOML
Raw Blame History

[package]
name = "image-api"
version = "0.4.0"
authors = ["Cameron Cordes <cameronc.dev@gmail.com>"]
edition = "2024"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[profile.release]
lto = "thin"
[dependencies]
actix = "0.13.1"
actix-web = "4"
actix-rt = "2.6"
tokio = { version = "1.42.0", features = ["default", "process", "sync"] }
actix-files = "0.6"
actix-cors = "0.7"
actix-multipart = "0.7.2"
actix-governor = "0.5"
futures = "0.3.5"
jsonwebtoken = "9.3.0"
serde = "1"
serde_json = "1"
diesel = { version = "2.2.10", features = ["sqlite"] }
diesel_migrations = "2.2.0"
chrono = "0.4"
clap = { version = "4.5", features = ["derive"] }
dialoguer = "0.11"
dotenv = "0.15"
bcrypt = "0.17.1"
image = { version = "0.25.5", default-features = false, features = ["jpeg", "png", "rayon"] }
infer = "0.16"
walkdir = "2.4.0"
rayon = "1.5"
path-absolutize = "3.1"
log = "0.4"
env_logger = "0.11.5"
actix-web-prom = "0.9.0"
prometheus = "0.13"
lazy_static = "1.5"
anyhow = "1.0"
rand = "0.8.5"
opentelemetry = { version = "0.31.0", features = ["default", "metrics", "tracing"] }
opentelemetry_sdk = { version = "0.31.0", features = ["default", "rt-tokio-current-thread", "metrics"] }
opentelemetry-otlp = { version = "0.31.0", features = ["default", "metrics", "tracing", "grpc-tonic"] }
opentelemetry-stdout = "0.31.0"
opentelemetry-appender-log = "0.31.0"
tempfile = "3.20.0"
regex = "1.11.1"
exif = { package = "kamadak-exif", version = "0.6.1" }
Reference in New Issue View Git Blame Copy Permalink