
fix: critical auth fixes (C2, C3, C4, H1)#17

Closed
my-claude-utils wants to merge 1 commit into main from security/critical-auth-fixes

Conversation

@my-claude-utils
Owner

Summary

  • C2: Bootstrap tokens are now one-time use (deleted from DB after JWT exchange). Press Enter in terminal to regenerate a new QR code with a fresh token.
  • C3: Pre-commit hook rejects staged .env files to prevent credential leaks. Auto-installed via prepare script.
  • C4: WebSocket connections verified against allowed origins (localhost, Vite dev, tunnel URL). Non-browser clients (no origin header) still allowed.
  • H1: CORS Access-Control-Allow-Origin is now dynamic (checks against allowed origins set) instead of wildcard *. Includes Vary: Origin header.

Test plan

  • npx turbo run typecheck lint build passes
  • Start agent, scan QR, authenticate successfully
  • Press Enter in terminal, new QR appears with new token
  • Old QR/token no longer works (returns 401)
  • Check CORS headers are not wildcard
  • Try WS connection from disallowed origin (should be rejected)

🤖 Generated with Claude Code

- C2: One-time bootstrap tokens (deleted after JWT exchange) + Enter key regeneration
- C3: Pre-commit hook to reject staged .env files
- C4: WebSocket origin verification (verifyClient callback)
- H1: Dynamic CORS (restricted to allowed origins, no more wildcard)
@my-claude-utils
Owner Author

Included in consolidated PR to main
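Items C4 and H1 in the PR summary share one decision: is this request's Origin in the allowed set? The following is an added example of that shared check, written for this page and not taken from the PR: the concrete origins in the set are assumptions (Vite's default dev port 5173 is the only one taken from Vite itself), and `verifyClient` is written in the shape the `ws` library passes to that callback (an `info` object with `origin` and `req`).

```javascript
// Added example (not the project's code): a single origin allowlist used by the
// CORS response headers and the WebSocket upgrade check.
// Assumptions: the listed origins; the tunnel URL is registered at runtime.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:3000', // assumption: agent UI served locally
  'http://localhost:5173', // Vite dev server default port
]);

// Register the tunnel URL once it is known (any path or query is dropped;
// only scheme://host[:port] is kept).
function addTunnelOrigin(tunnelUrl) {
  ALLOWED_ORIGINS.add(new URL(tunnelUrl).origin);
}

// Exact-match comparison on the normalised origin. Unparsable values,
// including the literal "null" origin browsers send for opaque contexts,
// are rejected.
function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// H1: echo the request's origin back only when it is allowed, never "*".
// Vary: Origin is always set so caches key the response on the Origin header.
function corsHeaders(requestOrigin) {
  const headers = { Vary: 'Origin' };
  if (isAllowedOrigin(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = new URL(requestOrigin).origin;
  }
  return headers;
}

// C4: ws verifyClient callback. A missing Origin header means a non-browser
// client (curl, a native app), which the PR keeps allowing; a present but
// disallowed Origin rejects the upgrade.
function verifyClient(info) {
  const origin = info.origin ?? (info.req && info.req.headers && info.req.headers.origin);
  if (origin === undefined) return true;
  return isAllowedOrigin(origin);
}
```

Two caveats a reviewer would raise on this design. First, because absent-Origin clients are let through, the origin check only defends browsers against cross-site WebSocket hijacking; it is not authentication, and the JWT check still has to run on every upgrade. Second, matching on the parsed `origin` rather than a prefix or substring is what stops `http://localhost:5173.attacker.example` from passing.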

cshumac added a commit to cshumac/clsh that referenced this pull request Mar 21, 2026
…y-claude-utils#14,my-claude-utils#17)

- Increase scrypt N from 16384 (2^14) to 131072 (2^17) per OWASP recommendation
- New hash format `scrypt:<N>$salt$key` encodes the cost parameter
- Backward-compatible verification of legacy `scrypt$salt$key` hashes (N=16384)
- Remove clientHash handling from POST /api/auth/password/setup
- Add tests for new format, N value, and legacy hash verification