auth: Sprint 02 — auth hardening (Pydantic models, challenge binding, admin gates)

- Add max_length validation to LoginRequest (username 128, password 1024)
- Replace raw request.json() with Pydantic models in RBAC override/update endpoints
- Replace raw request.json() with Pydantic models in passkey register/login/delete
- Bind passkey challenges to session-bound challenge_id (prevents cross-session replay)
- Gate audit log and security log endpoints behind admin role
- Fix fragile opc_db.json.dumps() → import json directly
- Add COOKIE_SECURE=False startup warning (suppress with ALLOW_INSECURE_COOKIES)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Gan, Jimmy
2026-05-03 13:45:42 +08:00
parent 323ae474a8
commit 1a37f34401
7 changed files with 101 additions and 62 deletions
+5 -4
View File
@@ -3,6 +3,7 @@ Agent Executor Service - Executes agent tasks and manages their lifecycle
"""
import asyncio
import json
import logging
import os
from datetime import datetime
@@ -270,8 +271,8 @@ class AgentExecutor:
WHERE id = $4
""",
"completed",
opc_db.json.dumps(result),
opc_db.json.dumps(result.get("actions", [])),
json.dumps(result),
json.dumps(result.get("actions", [])),
execution_id,
)
@@ -304,8 +305,8 @@ class AgentExecutor:
WHERE id = $4
""",
"pending_approval",
opc_db.json.dumps(result),
opc_db.json.dumps(result.get("actions", [])),
json.dumps(result),
json.dumps(result.get("actions", [])),
execution_id,
)