Loose ends to finish the auth security round: - register + password-reset-request had an enumeration TIMING oracle: an already- registered email skipped the create path (hash + row writes + email scheduling) and responded measurably faster than a new one. Move the whole lookup+create (register) and lookup+token+email (reset) into a background task with its own DB session, so the endpoint returns in the same time for any valid email regardless of whether it exists. Verified: existing vs new now ~equal (was 34ms vs 82ms on register); accounts/tokens still created off-path. - messages_ws re-implemented resolved_user_id's per-tab wallet-gated account resolution. Generalize resolved_user_id to take any HTTPConnection (Request OR WebSocket) and call it from the WS — one shared, wallet-gated resolution. Behavior-identical (unit-checked). |
||
|---|---|---|
| .. | ||
| alembic | ||
| app | ||
| alembic.ini | ||
| Dockerfile | ||
| entrypoint.sh | ||
| log_config.json | ||
| requirements.txt | ||
| ruff.toml | ||