HarborForge.Backend

zhi/HarborForge.Backend

Fork 0

Commit Graph

Author	SHA1	Message	Date
hzhang	801a63f8bb	fix(security): close critical auth/SSRF/RBAC holes Verified locally end-to-end (before: exploitable, after: blocked). - config: refuse to start on weak/default/short SECRET_KEY (was trivially forgeable JWT -> full admin) - deps: add reusable require_admin dependency (JWT or API key) - api-keys: require admin to mint/list/revoke; mask key on list (was unauthenticated -> instant admin API key) - webhooks: whole router now admin-only (was fully unauthenticated CRUD + readable logs) - webhook delivery: validate URL scheme + reject hosts resolving to private/loopback/link-local/reserved IPs; disable redirects (was a readable SSRF primitive) - rbac: implement a real project-role hierarchy in check_project_role (was a no-op: any member, even guest, passed admin/mgr gates) - misc: auth on delete_milestone (+ensure_can_edit_milestone), worklog create/delete (force caller user_id, owner-only delete), /activity and /export/tasks (were unauthenticated data exposure) - tasks: auth + ensure_can_edit_task on assign_task and batch_assign Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 16:53:14 +01:00
zhi	c1288b5fa9	feat: wizard config volume integration - entrypoint.sh: wait for config file before starting uvicorn - config.py: resolve DB URL from wizard config volume - init_wizard.py: read config from file instead of HTTP - Dockerfile: use entrypoint.sh	2026-03-06 13:46:38 +00:00
root	fd980c0344	refactor: move all files to root (no nested backend/)	2026-02-21 08:25:37 +00:00

Author

SHA1

Message

Date

hzhang

801a63f8bb

fix(security): close critical auth/SSRF/RBAC holes

Verified locally end-to-end (before: exploitable, after: blocked).

- config: refuse to start on weak/default/short SECRET_KEY (was
  trivially forgeable JWT -> full admin)
- deps: add reusable require_admin dependency (JWT or API key)
- api-keys: require admin to mint/list/revoke; mask key on list
  (was unauthenticated -> instant admin API key)
- webhooks: whole router now admin-only (was fully unauthenticated
  CRUD + readable logs)
- webhook delivery: validate URL scheme + reject hosts resolving to
  private/loopback/link-local/reserved IPs; disable redirects
  (was a readable SSRF primitive)
- rbac: implement a real project-role hierarchy in check_project_role
  (was a no-op: any member, even guest, passed admin/mgr gates)
- misc: auth on delete_milestone (+ensure_can_edit_milestone),
  worklog create/delete (force caller user_id, owner-only delete),
  /activity and /export/tasks (were unauthenticated data exposure)
- tasks: auth + ensure_can_edit_task on assign_task and batch_assign

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 16:53:14 +01:00

zhi

c1288b5fa9

feat: wizard config volume integration

- entrypoint.sh: wait for config file before starting uvicorn
- config.py: resolve DB URL from wizard config volume
- init_wizard.py: read config from file instead of HTTP
- Dockerfile: use entrypoint.sh

2026-03-06 13:46:38 +00:00

root

fd980c0344

refactor: move all files to root (no nested backend/)

2026-02-21 08:25:37 +00:00

3 Commits