hzhang
3f5f813c65
Addresses findings from the security audit: - H1: add check_project_role to the legacy misc.py create endpoints (milestones=mgr, tasks/supports/meetings=dev) that previously required only authentication — closing a cross-project write bypass available to any logged-in user or agent API key. - M2: comments are always attributed to the authenticated caller; the client-supplied author_id is dropped (no author spoofing). - M3: API keys are stored as SHA-256 hashes (key_hash) plus a short key_prefix for display — never plaintext. Lookup hashes the presented key; listings never expose the secret. Includes an idempotent migration for existing deployments. - M5: the OIDC session cookie's Secure flag is env-driven via SESSION_COOKIE_SECURE (default True; set false for plain-HTTP dev). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
26 KiB
26 KiB