Skip to content

fix: close Task 5 auth security findings#34

Merged
Alex-ghost599 merged 7 commits into
developfrom
fix--auth-security-review
Jul 15, 2026
Merged

fix: close Task 5 auth security findings#34
Alex-ghost599 merged 7 commits into
developfrom
fix--auth-security-review

Conversation

@Alex-ghost599

@Alex-ghost599 Alex-ghost599 commented Jul 15, 2026

Copy link
Copy Markdown
Owner

Problem

PR #24 的 GitHub Advanced Security 与独立 validation-only 审核发现 OAuth 协议、origin、secret redaction、identity owner、refresh rotation、callback、retry 和 config error 边界仍有阻塞缺口。

Changes

  • 对齐飞书 current OAuth v2 exact contract 与 Task-only scope allowlist
  • 在 token 持久化前验证 canonical union/open identity owner
  • 固定官方 credential origins,关闭任意 header/request-id 泄密
  • 增加 refresh transaction marker、callback deadline/path/state、bounded backoff
  • 将完整 config FD 生命周期收敛为 typed safe errors
  • 拒绝 NaN/Inf/超大 retry delay 配置

Verification

  • uv run pytest -v — 187 passed
  • uv run ruff format --check .
  • uv run ruff check .
  • uv run mypy src scripts
  • uv build && uv run twine check dist/*
  • uv run pip-audit
  • uv run python scripts/privacy_scan.py --history
  • gitleaks — no leaks
  • independent final validation-only re-review — Approved, 0 findings

Remaining risk

未使用真实 tenant/credential;真实租户 OAuth E2E 仍需要独立显式授权。本 PR 只证明官方 contract 对齐、synthetic transport 与安全状态机。

Closes #28

@Alex-ghost599
Alex-ghost599 changed the base branch from feat--secure-auth-context to develop July 15, 2026 11:09
@Alex-ghost599
Alex-ghost599 merged commit b8ad2da into develop Jul 15, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant