801a63f8bb

fix(security): close critical auth/SSRF/RBAC holes

Verified locally end-to-end (before: exploitable, after: blocked).
- config: refuse to start on weak/default/short SECRET_KEY (was
  trivially forgeable JWT -> full admin)
- deps: add reusable require_admin dependency (JWT or API key)
- api-keys: require admin to mint/list/revoke; mask key on list
  (was unauthenticated -> instant admin API key)
- webhooks: whole router now admin-only (was fully unauthenticated
  CRUD + readable logs)
- webhook delivery: validate URL scheme + reject hosts resolving to
  private/loopback/link-local/reserved IPs; disable redirects
  (was a readable SSRF primitive)
- rbac: implement a real project-role hierarchy in check_project_role
  (was a no-op: any member, even guest, passed admin/mgr gates)
- misc: auth on delete_milestone (+ensure_can_edit_milestone),
  worklog create/delete (force caller user_id, owner-only delete),
  /activity and /export/tasks (were unauthenticated data exposure)
- tasks: auth + ensure_can_edit_task on assign_task and batch_assign

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 16:53:14 +01:00
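The "webhook delivery" bullet above describes a destination guard for outbound webhook calls: allow only http/https, resolve the host, refuse anything that lands on a private, loopback, link-local or reserved address, and never follow redirects. The block below is an added example of that check, not code from this repository; the function names, the exception class and the constructed DNS table are assumptions made for the example. It goes slightly beyond the bullet in two ways a practitioner would want: every resolved record must be public (a host with one internal A record is rejected, which is the split-horizon/rebinding case), and IPv4-mapped IPv6 literals such as ::ffff:10.0.0.1 are judged by the embedded IPv4 address.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Shared address space (CGNAT, RFC 6598). ipaddress.is_private does not flag
# it on older Pythons, so it is blocked explicitly.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]

Resolver = Callable[[str], Iterable[str]]


class UnsafeWebhookURL(ValueError):
    """Raised when a webhook target must not be contacted."""


def system_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record; delivery must be safe for all of them."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed DNS answers so the example runs offline (hypothetical names).
CONSTRUCTED_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "six.example.com": ["2606:4700::1111"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # one private record
    "metadata.internal": ["169.254.169.254"],             # cloud metadata IP
}


def constructed_resolver(host: str) -> list[str]:
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed DNS: no such host {host!r}") from None


def is_public_address(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in EXTRA_BLOCKED):
        return False
    return not (
        addr.is_private         # 10/8, 172.16/12, 192.168/16, fc00::/7, test nets
        or addr.is_loopback     # 127/8, ::1
        or addr.is_link_local   # 169.254/16, fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified  # 0.0.0.0, ::
    )


def resolve_safe_targets(url: str, resolver: Resolver = system_resolver) -> list[str]:
    """Return the public addresses `url` resolves to, or raise UnsafeWebhookURL.

    Every resolved address must be public: a host with even one private
    record (split-horizon DNS, rebinding setups) is rejected outright.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeWebhookURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise UnsafeWebhookURL("host missing or credentials embedded in URL")
    try:
        addresses = [ipaddress.ip_address(host)]  # IP literal: no lookup needed
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
            raise UnsafeWebhookURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeWebhookURL(f"{host!r} resolved to no addresses")
    bad = [str(a) for a in addresses if not is_public_address(a)]
    if bad:
        raise UnsafeWebhookURL(f"{host!r} resolves to non-public address {bad}")
    return [str(a) for a in addresses]


def is_safe_target(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        resolve_safe_targets(url, resolver)
        return True
    except UnsafeWebhookURL:
        return False


def delivery_kwargs(url: str, resolver: Resolver = system_resolver) -> dict:
    """Vet `url`, then return requests-style keyword arguments for the call:
    redirects off (a vetted public host must not bounce us to an internal
    address) and a bounded timeout."""
    resolve_safe_targets(url, resolver)
    return {"allow_redirects": False, "timeout": 5}


if __name__ == "__main__":
    for candidate in ["https://hooks.example.com/events", "http://[::ffff:10.0.0.1]/",
                      "http://metadata.internal/latest/meta-data/", "file:///etc/passwd"]:
        verdict = "ok" if is_safe_target(candidate, constructed_resolver) else "BLOCKED"
        print(f"{candidate:45} {verdict}")
```

Two caveats for anyone adapting this. First, resolve-then-connect is a time-of-check/time-of-use window: a short-TTL record can answer public here and private when the HTTP client resolves again. Closing that fully means connecting to the vetted IP yourself (a custom transport that pins the address and sends the original Host/SNI) rather than handing the hostname back to the client. Second, `allow_redirects=False` is the requests spelling; httpx calls it `follow_redirects=False`. Without it, a 302 from the vetted host would re-open the hole.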
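The "rbac" bullet says check_project_role used to be a no-op, so any membership, guest included, passed the admin and manager gates. Below is an added example of what a real hierarchy check looks like in a FastAPI-style service; it is not this repository's code, and the role names, the ProjectAccessDenied exception, the constructed membership table and the dependency shape are all assumptions. The point it makes beyond the bullet is fail-closed handling: a non-member and a stored role the code does not recognise are both denied rather than treated as the lowest role.

```python
from __future__ import annotations

from enum import IntEnum
from typing import Callable, Optional


class ProjectRole(IntEnum):
    """Ordered project roles: a higher value satisfies any lower requirement."""
    GUEST = 0
    MEMBER = 1
    MANAGER = 2
    ADMIN = 3


def parse_role(value: str | ProjectRole) -> ProjectRole:
    """Accept a ProjectRole or its stored name; unknown names are an error."""
    if isinstance(value, ProjectRole):
        return value
    try:
        return ProjectRole[value.strip().upper()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown project role {value!r}") from None


# Constructed membership table standing in for a project_members query:
# (project_id, user_id) -> role as stored. Values are made up for the example.
CONSTRUCTED_MEMBERS = {
    (1, 10): "admin",
    (1, 11): "guest",
    (1, 12): "manager",
    (2, 11): "member",
    (3, 13): "superuser",  # corrupt/legacy value: must fail closed, not open
}

MembershipLookup = Callable[[int, int], Optional[str]]


def constructed_lookup(project_id: int, user_id: int) -> Optional[str]:
    return CONSTRUCTED_MEMBERS.get((project_id, user_id))


class ProjectAccessDenied(PermissionError):
    """Map this to HTTP 403 at the API layer."""


def check_project_role(project_id: int, user_id: int, required: str | ProjectRole,
                       lookup: MembershipLookup = constructed_lookup) -> ProjectRole:
    """Return the caller's role in the project if it is at least `required`.

    Membership alone is not enough: the stored role is parsed and compared
    on the hierarchy. Non-members and unparseable roles are denied.
    """
    required = parse_role(required)
    stored = lookup(project_id, user_id)
    if stored is None:
        raise ProjectAccessDenied(f"user {user_id} is not a member of project {project_id}")
    try:
        actual = parse_role(stored)
    except ValueError as exc:
        raise ProjectAccessDenied(str(exc)) from exc
    if actual < required:
        raise ProjectAccessDenied(
            f"role {actual.name.lower()} does not satisfy {required.name.lower()}")
    return actual


def has_project_role(project_id: int, user_id: int, required: str | ProjectRole,
                     lookup: MembershipLookup = constructed_lookup) -> bool:
    try:
        check_project_role(project_id, user_id, required, lookup)
        return True
    except ProjectAccessDenied:
        return False


def require_project_role(required: str | ProjectRole):
    """Dependency factory: build the gate once per required role.

    In FastAPI this would be declared as a parameter default, e.g.
    `role = Depends(require_project_role("manager"))`, with project_id taken
    from the path, user_id from the authenticated principal, and
    ProjectAccessDenied converted to HTTPException(status_code=403).
    """
    required = parse_role(required)

    def dependency(project_id: int, user_id: int,
                   lookup: MembershipLookup = constructed_lookup) -> ProjectRole:
        return check_project_role(project_id, user_id, required, lookup)

    return dependency


if __name__ == "__main__":
    manager_gate = require_project_role("manager")
    for project_id, user_id in [(1, 10), (1, 11), (1, 12), (2, 11), (3, 13)]:
        ok = has_project_role(project_id, user_id, "manager")
        print(f"project {project_id} user {user_id}: {'allowed' if ok else 'denied'}")
```

Using an IntEnum keeps the comparison a single `actual < required`, so adding a role later means inserting one enum member rather than editing every gate; the API-layer wrapper should catch ProjectAccessDenied and return 403 without echoing the stored role value to the client.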
f60dc68b22

refactor: split monolithic main.py into FastAPI routers (v0.2.0)

- app/api/deps.py: shared auth dependencies
- app/api/routers/auth.py: login, me
- app/api/routers/issues.py: CRUD, transition, assign, relations, tags, batch, search
- app/api/routers/projects.py: CRUD, members, worklog summary
- app/api/routers/users.py: CRUD, worklogs
- app/api/routers/comments.py: CRUD
- app/api/routers/webhooks.py: CRUD, logs, retry
- app/api/routers/misc.py: API keys, activity, milestones, notifications, worklogs, export, dashboard
- main.py: 1165 lines → 51 lines
- Version bump to 0.2.0

2026-02-23 15:14:46 +00:00