auth: Sprint 02 — auth hardening (Pydantic models, challenge binding, admin gates)
- Add max_length validation to LoginRequest (username 128, password 1024) - Replace raw request.json() with Pydantic models in RBAC override/update endpoints - Replace raw request.json() with Pydantic models in passkey register/login/delete - Bind passkey challenges to session-bound challenge_id (prevents cross-session replay) - Gate audit log and security log endpoints behind admin role - Fix fragile opc_db.json.dumps() → import json directly - Add COOKIE_SECURE=False startup warning (suppress with ALLOW_INSECURE_COOKIES) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -51,6 +51,14 @@ async def lifespan(app: FastAPI):
|
||||
# Startup
|
||||
print("=== Application Startup ===")
|
||||
|
||||
# Warn if cookies are not marked Secure (must be behind TLS-terminating proxy)
|
||||
import auth_service as auth_svc
|
||||
|
||||
if not auth_svc.COOKIE_SECURE and not os.environ.get("ALLOW_INSECURE_COOKIES"):
|
||||
print("WARNING: COOKIE_SECURE=False — auth cookies not marked Secure. "
|
||||
"This requires a TLS-terminating reverse proxy (e.g. Caddy) in front. "
|
||||
"Set ALLOW_INSECURE_COOKIES=true to suppress this warning.")
|
||||
|
||||
# Initialize OPC database
|
||||
from db import opc_db
|
||||
|
||||
|
||||
Reference in New Issue
Block a user