hack-house

Trilltechnician/hack-house

Fork 0

Commit Graph

Author	SHA1	Message	Date
leetcrypt	2c4a4f9a22	harden(ft,auth,net): cap transfers/frames, evict stale SRP, distrust XFF Some checks are pending CI / rust client (hh) (macos-latest) (push) Waiting to run Details CI / rust client (hh) (ubuntu-latest) (push) Waiting to run Details CI / rust coverage (push) Waiting to run Details CI / python server (3.10) (push) Waiting to run Details CI / python server (3.11) (push) Waiting to run Details CI / python server (3.12) (push) Waiting to run Details CI / headless e2e smoke (push) Waiting to run Details CI / dependency audit (push) Waiting to run Details CI / secret scanning (push) Waiting to run Details M1: enforce the declared transfer size (clamped to MAX_SIZE) on chunk receipt in both the Rust and Python clients — a malicious sender can no longer grow the receive buffer unboundedly. M2: only honor X-Forwarded-For when TRUST_PROXY is set, so a direct client can't spoof a source IP to dodge the per-IP rate limiter. M3: evict unverified SRP sessions after a 60s TTL on each new handshake, preventing half-finished auths from exhausting memory. M4: drop WS frames larger than 256 KB before they hit the store or broadcast, bounding per-message memory and flood blast radius. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-06-05 06:59:16 -07:00
mirai	5cbe355660	feat: add SRP authentication, improve security - Replace RSA key exchange with SRP (Secure Remote Password) - Password never transmitted over network - Add unit tests for endpoints - Fix datetime.UTC compatibility for Python < 3.11 - Fix logger.exception usage - Update README with new auth flow diagram	2026-01-02 23:09:00 +03:00

Author

SHA1

Message

Date

leetcrypt

2c4a4f9a22

harden(ft,auth,net): cap transfers/frames, evict stale SRP, distrust XFF

CI / rust client (hh) (macos-latest) (push) Waiting to run

Details

CI / rust client (hh) (ubuntu-latest) (push) Waiting to run

Details

CI / rust coverage (push) Waiting to run

Details

CI / python server (3.10) (push) Waiting to run

Details

CI / python server (3.11) (push) Waiting to run

Details

CI / python server (3.12) (push) Waiting to run

Details

CI / headless e2e smoke (push) Waiting to run

Details

CI / dependency audit (push) Waiting to run

Details

CI / secret scanning (push) Waiting to run

Details

M1: enforce the declared transfer size (clamped to MAX_SIZE) on chunk
receipt in both the Rust and Python clients — a malicious sender can no
longer grow the receive buffer unboundedly.
M2: only honor X-Forwarded-For when TRUST_PROXY is set, so a direct
client can't spoof a source IP to dodge the per-IP rate limiter.
M3: evict unverified SRP sessions after a 60s TTL on each new handshake,
preventing half-finished auths from exhausting memory.
M4: drop WS frames larger than 256 KB before they hit the store or
broadcast, bounding per-message memory and flood blast radius.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-06-05 06:59:16 -07:00

mirai

5cbe355660

feat: add SRP authentication, improve security

- Replace RSA key exchange with SRP (Secure Remote Password)
- Password never transmitted over network
- Add unit tests for endpoints
- Fix datetime.UTC compatibility for Python < 3.11
- Fix logger.exception usage
- Update README with new auth flow diagram

2026-01-02 23:09:00 +03:00

2 Commits