HarborForge.Backend

zhi/HarborForge.Backend

Fork 0

Commit Graph

Author	SHA1	Message	Date
hzhang	d2b83ad58d	fix(projects): perm-gate create + apikey-via-Bearer + introspect with apikey Three coupled fixes so non-admin agents (e.g. nav, role=mgr) can actually create projects through hf-cli with their API key: 1. POST /projects no longer hardcodes is_admin. It checks the global `project.create` perm via role_permissions (admin still wins via is_admin short-circuit). Permission-denied 403 message names the exact perm. 2. /auth/me/permissions now uses get_current_user_or_apikey (was get_current_user JWT-only). This is what hf-cli hits to populate its local permission cache that drives the "not permitted" gate; previously every API-key-authed agent saw all commands as gated. 3. get_current_user_or_apikey now also accepts an API key delivered via Authorization: Bearer (in addition to X-API-Key). hf-cli only knows Bearer; trying to JWT-decode an API key string would fail — so on decode failure, fall through to the API key lookup. Keeps X-API-Key behavior unchanged. 4. init_bootstrap: add `project.create` to DEFAULT_PERMISSIONS and to _MGR_PERMISSIONS so admin (auto-all) + mgr both get it on seed. Bug came to light when manager-agent reported `hf project list`/`create` returned `not permitted`. Root cause: hf-cli calls /auth/me/permissions with the API key via Bearer header → 401 → state.Known=false → every command in the surface is gated false locally. Even after the local gate, POST /projects would still 403 due to the hardcoded admin check. All four steps above are required end-to-end. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 22:09:34 +01:00
hzhang	801a63f8bb	fix(security): close critical auth/SSRF/RBAC holes Verified locally end-to-end (before: exploitable, after: blocked). - config: refuse to start on weak/default/short SECRET_KEY (was trivially forgeable JWT -> full admin) - deps: add reusable require_admin dependency (JWT or API key) - api-keys: require admin to mint/list/revoke; mask key on list (was unauthenticated -> instant admin API key) - webhooks: whole router now admin-only (was fully unauthenticated CRUD + readable logs) - webhook delivery: validate URL scheme + reject hosts resolving to private/loopback/link-local/reserved IPs; disable redirects (was a readable SSRF primitive) - rbac: implement a real project-role hierarchy in check_project_role (was a no-op: any member, even guest, passed admin/mgr gates) - misc: auth on delete_milestone (+ensure_can_edit_milestone), worklog create/delete (force caller user_id, owner-only delete), /activity and /export/tasks (were unauthenticated data exposure) - tasks: auth + ensure_can_edit_task on assign_task and batch_assign Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 16:53:14 +01:00
Zhi	f60dc68b22	refactor: split monolithic main.py into FastAPI routers (v0.2.0) - app/api/deps.py: shared auth dependencies - app/api/routers/auth.py: login, me - app/api/routers/issues.py: CRUD, transition, assign, relations, tags, batch, search - app/api/routers/projects.py: CRUD, members, worklog summary - app/api/routers/users.py: CRUD, worklogs - app/api/routers/comments.py: CRUD - app/api/routers/webhooks.py: CRUD, logs, retry - app/api/routers/misc.py: API keys, activity, milestones, notifications, worklogs, export, dashboard - main.py: 1165 lines → 51 lines - Version bump to 0.2.0	2026-02-23 15:14:46 +00:00

Author

SHA1

Message

Date

hzhang

d2b83ad58d

fix(projects): perm-gate create + apikey-via-Bearer + introspect with apikey

Three coupled fixes so non-admin agents (e.g. nav, role=mgr) can
actually create projects through hf-cli with their API key:

1. POST /projects no longer hardcodes is_admin. It checks the global
   `project.create` perm via role_permissions (admin still wins via
   is_admin short-circuit). Permission-denied 403 message names the
   exact perm.

2. /auth/me/permissions now uses get_current_user_or_apikey (was
   get_current_user JWT-only). This is what hf-cli hits to populate
   its local permission cache that drives the "not permitted" gate;
   previously every API-key-authed agent saw all commands as gated.

3. get_current_user_or_apikey now also accepts an API key delivered
   via Authorization: Bearer (in addition to X-API-Key). hf-cli only
   knows Bearer; trying to JWT-decode an API key string would fail —
   so on decode failure, fall through to the API key lookup. Keeps
   X-API-Key behavior unchanged.

4. init_bootstrap: add `project.create` to DEFAULT_PERMISSIONS and to
   _MGR_PERMISSIONS so admin (auto-all) + mgr both get it on seed.

Bug came to light when manager-agent reported `hf project list`/`create`
returned `not permitted`. Root cause: hf-cli calls /auth/me/permissions
with the API key via Bearer header → 401 → state.Known=false → every
command in the surface is gated false locally. Even after the local
gate, POST /projects would still 403 due to the hardcoded admin check.
All four steps above are required end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 22:09:34 +01:00

hzhang

801a63f8bb

fix(security): close critical auth/SSRF/RBAC holes

Verified locally end-to-end (before: exploitable, after: blocked).

- config: refuse to start on weak/default/short SECRET_KEY (was
  trivially forgeable JWT -> full admin)
- deps: add reusable require_admin dependency (JWT or API key)
- api-keys: require admin to mint/list/revoke; mask key on list
  (was unauthenticated -> instant admin API key)
- webhooks: whole router now admin-only (was fully unauthenticated
  CRUD + readable logs)
- webhook delivery: validate URL scheme + reject hosts resolving to
  private/loopback/link-local/reserved IPs; disable redirects
  (was a readable SSRF primitive)
- rbac: implement a real project-role hierarchy in check_project_role
  (was a no-op: any member, even guest, passed admin/mgr gates)
- misc: auth on delete_milestone (+ensure_can_edit_milestone),
  worklog create/delete (force caller user_id, owner-only delete),
  /activity and /export/tasks (were unauthenticated data exposure)
- tasks: auth + ensure_can_edit_task on assign_task and batch_assign

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 16:53:14 +01:00

Zhi

f60dc68b22

refactor: split monolithic main.py into FastAPI routers (v0.2.0)

- app/api/deps.py: shared auth dependencies
- app/api/routers/auth.py: login, me
- app/api/routers/issues.py: CRUD, transition, assign, relations, tags, batch, search
- app/api/routers/projects.py: CRUD, members, worklog summary
- app/api/routers/users.py: CRUD, worklogs
- app/api/routers/comments.py: CRUD
- app/api/routers/webhooks.py: CRUD, logs, retry
- app/api/routers/misc.py: API keys, activity, milestones, notifications, worklogs, export, dashboard
- main.py: 1165 lines → 51 lines
- Version bump to 0.2.0

2026-02-23 15:14:46 +00:00

3 Commits