Trilltechnician/hack-house
1
2
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
611b797166
hack-house/cmd_chat/server
History
leetcrypt e7bacc93da fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention 
CRITICAL fixes:
- Auto-generated self-signed TLS certs (HTTPS/WSS by default)
- Removed session_key from /srp/verify response (was sent in plaintext)
- Replaced with HMAC-SHA256 ws_token for WebSocket authentication

HIGH fixes:
- WebSocket auth now validates ws_token via hmac.compare_digest()
- /clear endpoint requires Bearer admin_token (printed at server start)
- Password no longer required as CLI arg — supports env var + getpass prompt
- Removed user_ip from Message model (no longer broadcast to clients)

MEDIUM fixes:
- Rate limiter on /srp/init and /srp/verify (10 req/min/IP)
- MessageStore capped at 1000 messages (prevents RAM DoS)
- access_log disabled (was leaking request metadata)

LOW fixes:
- Username sanitization against rich markup injection
- Dead code removed from helpers.py

All 79 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-25 20:30:40 -07:00
..
factory.py fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention 2026-05-25 20:30:40 -07:00
helpers.py fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention 2026-05-25 20:30:40 -07:00
managers.py NO LOGS 2026-01-03 12:00:52 +03:00
models.py fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention 2026-05-25 20:30:40 -07:00
routes.py feat: add SRP authentication, improve security 2026-01-02 23:09:00 +03:00
server.py fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention 2026-05-25 20:30:40 -07:00
srp_auth.py feat: add SRP authentication, improve security 2026-01-02 23:09:00 +03:00
stores.py fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention 2026-05-25 20:30:40 -07:00
views.py fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention 2026-05-25 20:30:40 -07:00