Aligns the default CSP, X-Frame-Options, HSTS and Permissions-Policy with
docs/security-baseline.md:
- script-src/style-src drop 'unsafe-inline' and the unpkg.com allowance
- img-src narrows from 'self' data: https: → 'self' data:
- connect-src narrows from 'self' wss: ws: → 'self'
- frame-ancestors flips from 'self' → 'none'
- X-Frame-Options flips from SAMEORIGIN → DENY
- HSTS keeps max-age=63072000 but drops includeSubDomains by default
(apex-clobbering hazard noted in audit #1)
- Permissions-Policy header added with the baseline sensor allowlist
Adds a CspOverride struct + ctor so consumers that genuinely need a
relaxation (Swagger UI subtree, cross-origin connect, …) can flip
individual directives without forking the interceptor. Empty fields
inherit the strict baseline.
Bumps to 0.3.6 (alongside owner's pending #4 + #5 + #6 work).
Closes#3
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New virtual hook on IRuntimeConfig, defaulting to isLoopback() so existing
consumers keep their current behaviour. AuthInterceptor now consults
certAuthTrusted() (instead of isLoopback() directly) to decide whether to
honour an inbound X-SSL-Client-DN header.
Operators with an SSH tunnel to a loopback bind, or a non-TLS proxy that
forwards X-SSL-Client-DN from untrusted clients, can now override the
hook to require additional gating (e.g. an env var, a TLS-only port).
Bump to 0.3.5 (additive — no consumer break).
Closes#5
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
AuthInterceptor previously returned application/json for every rejection,
which is wrong for browser navigation: the user followed a /set-password
link and saw a raw {"status":"Unauthorized"} blob.
Add wantsJson() negotiation (path /api/* OR X-Requested-With OR Accept
prefers application/json over text/html) and an IAuthPolicy hook
unauthenticatedRedirect(path) that lets consumers bounce browser
navigations to a landing/login page. JSON callers (fetch/axios) still
get JSON 401/403. Default policy returns nullopt → minimal HTML error
page, never raw JSON to a browser.
Same hook covers both 401 and 403 (decision Option A on the issue) so
consumers wire one redirect target for both unauth and forbidden cases.
Bootstrap a minimal test harness (decision Option T2): CMake option
OATPP_AUTHKIT_BUILD_TESTS gates enable_testing() + a tests subdir.
Adds test_negotiation covering wantsJson + urlEncode. No third-party
test framework — assertions use <cassert> + a tiny REQUIRE macro so the
suite stays dependency-free for future tests.
Closes#2
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Request-target from getStartingLine().path includes the query string
(e.g. "/set-password?token=abc"), causing exact-match public-path
checks like `path == "/set-password"` in IAuthPolicy::isPublicPath
to fail and the request to be rejected with 401.
Strip the query string once at the top of intercept() so policies
and access logs see clean paths.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pure libcurl SMTP + MIME transport, DTO-free so it drops into any
consumer that can cough up host/port/from/user/pass. Callers adapt
their own settings row/DTO to `oatpp_authkit::mail::SmtpConfig`.
Closes the email-service half of #447 (tracked under fewo-webapp #454).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Brings the generic audit-log helper (timestamp + actor + action + entity
+ changed_fields JSON) into the shared library so every consumer picks
up the same shape without reimplementing it. The table is now named
`audit_log` (was `command_log` in fewo-webapp); consumers copy
`AuditLog::CREATE_TABLE_SQL` into their schema.sql so class name and
table name stay in one source of truth.
Legacy data on fewo-webapp migrates via a one-shot
`INSERT INTO audit_log SELECT … FROM command_log; DROP TABLE command_log;`
statement in that project's schema.sql.
Closes#449 (fewo-webapp half follows in separate commits).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Lifted from fewo-webapp src/ws/ — zero fewo-webapp domain coupling in
the public surface. Classes renamed WSHub→Hub, WSListener→Listener and
namespaced under oatpp_authkit::ws.
Features:
- 64 KB per-message cap (rejects fragmented frames exceeding the buffer)
- 500-socket cap
- Detached housekeeper thread pinging idle sockets >90 s, closing >180 s
- Per-socket SocketInfo (userId, role, property scopes) populated via
thread_local handoff from the HTTP controller that served the upgrade
Consumers construct a Hub and pass it to oatpp's
HttpConnectionHandler::setSocketInstanceListener. No other integration
required.
Unblocks fewo-webapp #452.
Lifted from fewo-webapp (src/App.cpp). 15-line helper that speaks the
systemd notification protocol directly — no libsystemd link — for
Type=notify services.
Silent no-op when NOTIFY_SOCKET is unset so the same binary runs
unchanged under systemd or as a plain background process.
Supports Linux abstract-namespace sockets.
Unblocks fewo-webapp #451 and its twin extractions for derived projects.
The four clean-lift headers (SecurityHeadersInterceptor,
BodySizeLimitInterceptor, JsonErrorHandler, RateLimiter) were copied
verbatim in v0.1.0 and left in the global namespace — consumers that
adopt the library alongside existing same-named classes (e.g. fewo-webapp
during the #417 swap) would hit ODR clashes.
Wrap them in the same namespace the v0.2 auth seams use. Patch bump; no
API surface change beyond the qualifier.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Ports the fewo-webapp AuthInterceptor + requireAdmin onto three abstract
interfaces so consumer apps plug in their own user store, public paths,
and runtime config without forking:
auth/AuthPrincipal.hpp library-owned {id, username, role} value
auth/IAuthBackend.hpp resolveBy{Session,ApiKey,Cert}, hasActiveUsers,
deleteExpiredSessions
auth/IAuthPolicy.hpp isPublicPath, adminRoles, readonlyRoles,
setupModeActive (defaults: admin/readonly,
no public paths, setup off)
auth/IRuntimeConfig.hpp bindAddress, isLoopback
auth/AuthInterceptor.hpp intercept() running the same 6-step ladder as
fewo's original (public → setup → cert DN →
session/API key → CSRF → readonly)
auth/RequireRole.hpp requireUser + requireAdmin helpers reading
bundle data (config-driven role sets, not
hard-coded 'admin')
TokenHasher is passed in so the library doesn't prescribe SHA-256 vs.
whatever. Bundle keys match fewo's existing controllers so the consumer
migration in #418 is a straightforward adapter swap.
Smoke-compiled against oatpp 1.3.0 headers.
Closes fewo-webapp#413
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
