@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (8 fixed, 19 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (9 fixed, 18 open), 42 sev-1.
---
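Review bot: the sev-2 tally moves one finding from open to fixed (8/19 to 9/18), which matches the single status change elsewhere in this patch, so the arithmetic is consistent; the 42 sev-1 figure still carries no fixed/open split, unlike the other two severities, so consider giving it the same breakdown so the rollup can be audited against the per-finding statuses.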
@@ -415,6 +415,22 @@
is not attached. `getUser/{id}` allows enumeration (F17), and
combined with F3 a leaked service token gets unlimited writes.
- **Severity: 2**
+- **Status:** Fixed in `9849779`. The `/api/v1/auth/*` route group now
+ attaches `RateLimitMiddleware` alongside `TokenAuthenticationMiddleware` and
+ `AuditContextMiddleware`. Per-token-id token-bucket — same limiter
+ the public group uses — caps a burst at `API_RATE_LIMIT_PER_SECOND
+ × 2` (default 60/s, capacity 120) per service token. The bucket
+ bails out gracefully when no principal is present (auth failure)
+ so it doesn't stack with `TokenAuthenticationMiddleware`'s 401
+ path. Caps the enumeration speed of `GET /users/{id}` (a residual
+ exposure tracked by F17), and bounds amplification of any
+ service-token-leak abuse against `upsert-local` / `upsert-oidc`.
+ Regression tests in
+ `api/tests/Integration/Public/RateLimitTest.php`
+ (`testAuthGetUserRouteIsRateLimited`,
+ `testAuthUpsertLocalRouteIsRateLimited`) burst the auth endpoints
+ past capacity under a tight FixedClock+limiter and assert the
+ expected 429 ceiling.
### F15 — `MaintenanceController::seedDemo` requires no confirmation token
- **File:** `api/src/Application/Admin/MaintenanceController.php:279-288`
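Review bot: the status text says the bucket bails out when no principal is present, which means every request that fails `TokenAuthenticationMiddleware` (an invalid or guessed token against `/api/v1/auth/*`) is left entirely unthrottled; that 401 path is exactly where token guessing would land, so the limiter should fall back to a second key (for example the source address) in the no-principal case, or the status should state where that path is bounded elsewhere, and one of the new `RateLimitTest.php` cases should drive the auth group past capacity with an invalid token and assert a 429 ceiling rather than an unbounded stream of 401s. Minor: the context line calls the route `getUser/{id}` while the status calls it `GET /users/{id}`; pick one spelling so the F17 cross-reference resolves unambiguously.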