fix(security): patch cryptography CVEs, upgrade pip at build, harden /auth/upgrade
- requirements: cryptography >=46.0.7 (was pinned <46, which excluded the fix for the CVEs pip-audit flagged in our Fernet/crypto library). pip-audit now clean. - Dockerfile: upgrade pip before installing deps (patches installer-level CVEs). - auth: /auth/upgrade now defaults to the least-privileged read scope; only an explicit access=write requests the write scope.
This commit is contained in:
parent
94a51b1b43
commit
c12e776706
3 changed files with 6 additions and 5 deletions
|
|
@ -213,13 +213,14 @@ def current_user(request: Request, db: Session = Depends(get_db)) -> User:
|
|||
|
||||
@router.get("/upgrade")
|
||||
async def upgrade(
|
||||
request: Request, access: str = "write", user: User = Depends(current_user)
|
||||
request: Request, access: str = "read", user: User = Depends(current_user)
|
||||
):
|
||||
"""Incremental consent for the onboarding wizard. `access=read` grants YouTube
|
||||
read-only (enough to build the feed); `access=write` additionally grants management
|
||||
(unsubscribe). The shared callback stores whatever Google returns, so `can_read` /
|
||||
`can_write` flip on once granted."""
|
||||
scope = READ_SCOPES if access == "read" else WRITE_SCOPES
|
||||
`can_write` flip on once granted. Anything other than an explicit `write` defaults to
|
||||
the least-privileged read scope."""
|
||||
scope = WRITE_SCOPES if access == "write" else READ_SCOPES
|
||||
return await oauth.google.authorize_redirect(
|
||||
request,
|
||||
settings.oauth_redirect_url,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue