oatpp-authkit

History

Uwe Schuster 9976efe1de #16 (audit L-1..L-8): fix the low-severity findings L-1 RequireRole: guard std::stoi on the bundle id — a non-numeric/out-of-range value now yields a clean 401 instead of an uncaught exception → 500. AuthPrincipal::id documented as numeric-only (carry UUIDs in username). L-2 SmtpTransport: require TLS (CURLUSESSL_ALL) for non-loopback relays so a stripped STARTTLS can't downgrade credentials/body to cleartext; localhost relay stays opportunistic. L-3 AuditLog: escapeJson now escapes all control chars (RFC 8259) so a newline in a field can't forge/corrupt the audit JSON; SKIP_FIELDS gains credential names (password/passwordHash/tlsCertDn/apiKey/token/secret) so secrets never land in changed_fields. L-4 ws/Hub: consume the thread_local auth handoff once, up front, and clear it unconditionally — a stale value can't attach to a later connection on a reused worker thread. L-5 TemporalRepository: default id generator draws 128 bits from the platform CSPRNG (std::random_device) per call instead of a once-seeded mt19937_64, so entity_ids aren't predictable from observed output. L-6 AuthInterceptor: expired-session sweep is now a lock-free atomic timer and exception-isolated; documented that resolveBySessionHash() must enforce expiry at query time (the sweep is GC only). L-7 new util/ConstantTime.hpp (constantTimeEquals) + TokenHasher doc requiring a >=256-bit cryptographic hash. L-8 IQueryable: likeEscape + Field::likeContains/likePrefix emit `LIKE ? ESCAPE '\'` with %/_/\ escaped for untrusted terms; documented the compile-time identifier-source invariant. Tests: new test_constant_time; likeEscape/likeContains/likePrefix cases added to test_queryable. All 20 ctest targets pass. README + header docs updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-29 14:03:01 +02:00
..
oatpp-authkit	#16 (audit L-1..L-8): fix the low-severity findings	2026-05-29 14:03:01 +02:00

Uwe Schuster 9976efe1de #16 (audit L-1..L-8): fix the low-severity findings

L-1 RequireRole: guard std::stoi on the bundle id — a non-numeric/out-of-range
    value now yields a clean 401 instead of an uncaught exception → 500.
    AuthPrincipal::id documented as numeric-only (carry UUIDs in username).
L-2 SmtpTransport: require TLS (CURLUSESSL_ALL) for non-loopback relays so a
    stripped STARTTLS can't downgrade credentials/body to cleartext; localhost
    relay stays opportunistic.
L-3 AuditLog: escapeJson now escapes all control chars (RFC 8259) so a newline
    in a field can't forge/corrupt the audit JSON; SKIP_FIELDS gains credential
    names (password/passwordHash/tlsCertDn/apiKey/token/secret) so secrets never
    land in changed_fields.
L-4 ws/Hub: consume the thread_local auth handoff once, up front, and clear it
    unconditionally — a stale value can't attach to a later connection on a
    reused worker thread.
L-5 TemporalRepository: default id generator draws 128 bits from the platform
    CSPRNG (std::random_device) per call instead of a once-seeded mt19937_64,
    so entity_ids aren't predictable from observed output.
L-6 AuthInterceptor: expired-session sweep is now a lock-free atomic timer and
    exception-isolated; documented that resolveBySessionHash() must enforce
    expiry at query time (the sweep is GC only).
L-7 new util/ConstantTime.hpp (constantTimeEquals) + TokenHasher doc requiring a
    >=256-bit cryptographic hash.
L-8 IQueryable: likeEscape + Field::likeContains/likePrefix emit
    `LIKE ? ESCAPE '\'` with %/_/\ escaped for untrusted terms; documented the
    compile-time identifier-source invariant.

Tests: new test_constant_time; likeEscape/likeContains/likePrefix cases added to
test_queryable. All 20 ctest targets pass. README + header docs updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-29 14:03:01 +02:00

oatpp-authkit

#16 (audit L-1..L-8): fix the low-severity findings

2026-05-29 14:03:01 +02:00