M0 Security Hardening - Working Tasks
SECTION 0.1 - Secrets & Credential Hygiene ✓ COMPLETE
  ✓ 0.1.1 Remove secret logging from auth/src/middleware.rs (lines 46, 49)
  ✓ 0.1.2 Remove secret logging from gateway/src/middleware.rs (line 139)
  ✓ 0.1.3 Remove token logging from auth/src/handlers.rs (lines 81-84, 297-300)
  ✓ 0.1.4 Make JWT_SECRET required with 32-char minimum (common/src/config.rs)
  ✓ 0.1.5 Make ADMIN_PASSWORD required (control_plane/src/lib.rs)
  ✓ 0.1.6 Remove hardcoded S3 credentials (storage/src/backend.rs)
  ✓ 0.1.7 Remove Serialize derive from Config (common/src/config.rs)

SECTION 0.2 - Authentication & Authorization ✓ COMPLETE
  ✓ 0.2.1 Fix admin auth middleware - proper session validation (gateway/src/admin_auth.rs)
  ✓ 0.2.2 Admin password required with sessions (control_plane/src/lib.rs)
  □ 0.2.3 Add API key auth to control-plane-api (control-plane-api/src/lib.rs)
  □ 0.2.4 Verify function deploy/invoke auth enforcement

SECTION 0.3 - Injection & Input Sanitization (IN PROGRESS)
  ⏳ 0.3.1 Fix SQL injection in SET LOCAL role (data_api/src/handlers.rs)
  ⏳ 0.3.2 Fix SQL injection in SET LOCAL role (storage/src/handlers.rs)
  ⏳ 0.3.3 Fix SQL injection in table browser (control_plane/src/lib.rs)
  ⏳ 0.3.4 Fix JavaScript injection in Deno runtime (functions/src/deno_runtime.rs)
  ⏳ 0.3.5 Fix path traversal in TUS uploads (storage/src/tus.rs)

SECTION 0.4 - Token & Session Security
  □ 0.4.1 Gate token issuance on email confirmation (auth/src/handlers.rs signup)
  □ 0.4.2 Check confirmation on login (auth/src/handlers.rs login)
  □ 0.4.3 Validate OAuth CSRF state (auth/src/oauth.rs)
  □ 0.4.4 Fix OAuth account takeover (auth/src/oauth.rs)

SECTION 0.5 - CORS & Transport Security
  □ 0.5.1 Restrict CORS origins in gateway/src/control.rs
  □ 0.5.2 Restrict CORS origins in gateway/src/worker.rs
  □ 0.5.3 Stop exposing secrets in API responses (control_plane/src/lib.rs)

FINAL TESTING
  □ Verify no secret logging with rg
  □ Test JWT_SECRET requirement
  □ Test ADMIN_PASSWORD requirement
  □ Test S3_ACCESS_KEY requirement
  □ Test admin auth rejection
  □ Test SQL injection blocking
  □ Test OAuth CSRF validation
  □ Test signup confirmation gating
  □ Test unconfirmed login rejection
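Added illustration for items 0.3.1 and 0.3.2 (example code, not the project's handlers): PostgreSQL's SET LOCAL ROLE takes an identifier, not a bind parameter, so the role claim cannot simply be passed as $1. The allowlist and role names below are constructed assumptions; the safe builder rejects anything outside the allowlist and quotes the identifier, shown next to the interpolation pattern it replaces.

```rust
use std::fmt;

/// Roles the request path is permitted to switch to (constructed allowlist,
/// not the project's). Keeping superuser-like roles out of this list also
/// stops a forged claim from escalating even when quoting is correct.
const ALLOWED_ROLES: &[&str] = &["anon", "authenticated", "service_role"];

#[derive(Debug, PartialEq)]
enum RoleError {
    NotAllowed(String),
}

impl fmt::Display for RoleError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            RoleError::NotAllowed(r) => write!(f, "role {:?} is not in the allowlist", r),
        }
    }
}

/// Quote a PostgreSQL identifier: wrap in double quotes and double any
/// embedded double quote, so the value can only ever be read as one name.
fn quote_ident(name: &str) -> String {
    format!("\"{}\"", name.replace('"', "\"\""))
}

/// Hardened form: validate the untrusted role claim against the allowlist,
/// then emit it as a quoted identifier.
fn set_local_role_stmt(claimed_role: &str) -> Result<String, RoleError> {
    if !ALLOWED_ROLES.contains(&claimed_role) {
        return Err(RoleError::NotAllowed(claimed_role.to_string()));
    }
    Ok(format!("SET LOCAL ROLE {}", quote_ident(claimed_role)))
}

/// Injection-prone form for contrast (constructed, not copied from the
/// project): the claim is interpolated verbatim into the statement text.
fn set_local_role_stmt_unsafe(claimed_role: &str) -> String {
    format!("SET LOCAL ROLE {}", claimed_role)
}

fn main() {
    // Constructed sample claims: one legitimate, one unknown, one with a stray quote.
    for claim in ["authenticated", "postgres", "anon\""] {
        println!("unsafe: {}", set_local_role_stmt_unsafe(claim));
        match set_local_role_stmt(claim) {
            Ok(stmt) => println!("safe:   {}", stmt),
            Err(e) => println!("safe:   rejected ({})", e),
        }
    }
}
```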