siftlode/backend
npeter83 f7fa516332 fix(auth): close SA5 timing oracles on register/reset + dedup messages_ws
Loose ends to finish the auth security round:
- register + password-reset-request had an enumeration TIMING oracle: an already-
  registered email skipped the create path (hash + row writes + email scheduling) and
  responded measurably faster than a new one. Move the whole lookup+create (register)
  and lookup+token+email (reset) into a background task with its own DB session, so the
  endpoint returns in the same time for any valid email regardless of whether it exists.
  Verified: existing vs new now ~equal (was 34ms vs 82ms on register); accounts/tokens
  still created off-path.
- messages_ws re-implemented resolved_user_id's per-tab wallet-gated account resolution.
  Generalize resolved_user_id to take any HTTPConnection (Request OR WebSocket) and call
  it from the WS — one shared, wallet-gated resolution. Behavior-identical (unit-checked).
2026-07-12 04:13:11 +02:00
..
alembic feat(auth): SA4 — server-side session revocation via per-user session epoch 2026-07-12 03:00:16 +02:00
app fix(auth): close SA5 timing oracles on register/reset + dedup messages_ws 2026-07-12 04:13:11 +02:00
alembic.ini feat: M1 foundation — compose stack, FastAPI, Google OAuth, encrypted tokens 2026-06-11 01:01:37 +02:00
Dockerfile feat: M1 foundation — compose stack, FastAPI, Google OAuth, encrypted tokens 2026-06-11 01:01:37 +02:00
entrypoint.sh harden(auth): SA3 review follow-ups — IPv6-mapped match + no-proxy-headers guardrail 2026-07-12 03:49:08 +02:00
log_config.json chore: rename remaining subfeed references to siftlode 2026-06-21 06:53:12 +02:00
requirements.txt feat(downloads): Deno JS runtime + web/android clients to complete the POT setup 2026-07-03 22:46:32 +02:00
ruff.toml chore(hygiene): Phase 4 guardrails — noUnusedLocals/Parameters + dead-code sweep 2026-07-12 02:15:52 +02:00