hzhang
3f5f813c65
Addresses findings from the security audit: - H1: add check_project_role to the legacy misc.py create endpoints (milestones=mgr, tasks/supports/meetings=dev) that previously required only authentication — closing a cross-project write bypass available to any logged-in user or agent API key. - M2: comments are always attributed to the authenticated caller; the client-supplied author_id is dropped (no author spoofing). - M3: API keys are stored as SHA-256 hashes (key_hash) plus a short key_prefix for display — never plaintext. Lookup hashes the presented key; listings never expose the secret. Includes an idempotent migration for existing deployments. - M5: the OIDC session cookie's Secure flag is env-driven via SESSION_COOKIE_SECURE (default True; set false for plain-HTTP dev). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
19 lines
870 B
Python
19 lines
870 B
Python
from sqlalchemy import Column, Integer, String, DateTime, Boolean, ForeignKey
|
|
from sqlalchemy.sql import func
|
|
from app.core.config import Base
|
|
|
|
|
|
class APIKey(Base):
|
|
__tablename__ = "api_keys"
|
|
|
|
id = Column(Integer, primary_key=True, index=True)
|
|
# The raw key is never stored — only its SHA-256 hash. `key_prefix` holds
|
|
# the first few chars for human-readable display/masking in listings.
|
|
key_hash = Column(String(64), unique=True, nullable=False, index=True)
|
|
key_prefix = Column(String(16), nullable=True)
|
|
name = Column(String(100), nullable=False) # e.g. "agent-zhi", "agent-lyn"
|
|
user_id = Column(Integer, ForeignKey("users.id"), nullable=False)
|
|
is_active = Column(Boolean, default=True)
|
|
created_at = Column(DateTime(timezone=True), server_default=func.now())
|
|
last_used_at = Column(DateTime(timezone=True), nullable=True)
|