afauth v0.6.1 — security patch
Two High-severity hardening fixes to how the agent runtime handles redirects and attestation audiences. Upgrading is recommended for anyone running afauth against untrusted or third-party services.
Fixes
- Cross-origin redirect credential leak. The signed-request, discovery, and trust-attestor HTTP clients followed cross-host redirects, and Go's default redirect policy does not strip custom headers on a host change — so a service (or on-path attacker) that returned a
30xto another origin would receive the liveAFAuth-AttestationJWT andSignatureheader. All three clients now refuse cross-origin redirects. - Attestation audience confused-deputy. Auto-attest minted an attestation audience-bound to
service_didtaken verbatim from an unauthenticated discovery document — a host advertisingservice_did=did:web:bank.comcould harvest a token replayable against the realbank.com. Auto-attest now requires adid:webservice DID to be anchored at the host that served its discovery document before minting; non-did:webaudiences (which carry no DNS anchor) emit a warning instead.
No CLI flags or commands changed — existing identities, links, and config carry over unchanged.
Install
brew install AFAuthHQ/tap/afauth # or: brew upgrade afauthPrebuilt binaries for macOS / Linux / Windows × amd64 / arm64 are attached below.