fix(auth): security hardening — token encryption, timing, adoption + isolation
From the auth /security-review (contained fixes; architectural SA3 proxy-trust + SA4 session-revocation deferred to the user): - SB1: encrypt the OAuth access_token at rest (was plaintext while refresh_token was encrypted) — a ~1h Google bearer credential. New security.decrypt_optional() falls back to a refresh for legacy plaintext tokens; column is unbounded String. E2E-verified: token refreshed → stored as Fernet ciphertext → 319-subscription YouTube sync succeeded. - SA5: password_login is no longer a timing/enumeration oracle — it always runs argon2 (against a decoy hash for unknown/passwordless emails), so response time can't reveal whether an account exists. - SB2: Google login only ADOPTS+activates a pre-existing password account when Google actually attests email_verified (defense-in-depth against takeover); and the email sync won't overwrite with a value another account owns (avoids a 500). - demo_login clears the wallet first (demo can't switch to / act as a real account via the multi-account header); switch_account rejects a suspended target (which would otherwise clear the whole session on the next request). Re-review clean; ruff clean; localdev boots; YouTube auth path E2E-verified.
This commit is contained in:
parent
f5fac09833
commit
e92751dbce
4 changed files with 51 additions and 8 deletions
|
|
@ -63,6 +63,10 @@ def switch_account(
|
|||
raise HTTPException(status_code=404, detail="That account no longer exists.")
|
||||
if not is_allowed(db, u.email):
|
||||
raise HTTPException(status_code=403, detail="That account no longer has access.")
|
||||
if u.is_suspended:
|
||||
# Don't make a suspended account the active one — the next request's current_user would
|
||||
# see the suspension and clear the WHOLE wallet session, logging out every account here.
|
||||
raise HTTPException(status_code=403, detail="That account is suspended.")
|
||||
request.session["user_id"] = target
|
||||
return {"ok": True, "user_id": target}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue