Remove credential logging and dead OAuth code#24
Open
kvmgithub wants to merge 1 commit into
Open
Conversation
Registration requests logged the authorization code and PKCE verifier to stderr, and license decryption logged the audiobook AES key; both are readable via logcat on Android. Error messages no longer embed full API response bodies, the unused OAuthWebView component (Math.random serial generation, mixedContentMode=always) is deleted, and the registration test fixture uses synthetic account data. Refs Promises#22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
This PR addresses the security findings from #22 that are fixable without
architectural changes. The two critical/high findings were credential
material being written to stderr, which is readable via
adb logcatby anyapp with debug access on the device.
Fixes #22
What changed
Credential logging removed (findings 1, 2)
auth.rs: device registration no longer logs the request body, whichcontained the OAuth authorization code and PKCE verifier.
license.rs: license decryption no longer logs the decrypted voucherJSON (the audiobook AES key/IV) or the key/IV lengths. The voucher parse
error no longer embeds the decrypted JSON either.
Error messages no longer reflect API response bodies (finding 7)
client.rs: JSON parse errors report only line/column instead of an800-character response excerpt; the body stays in the non-displayed
response_bodydebug field.Dead OAuth component deleted (findings 5, 8)
src/components/OAuthWebView.tsxwas an unused leftover: nothing importedit. Deleting it removes both the
mixedContentMode="always"setting andthe
Math.random()-based serial/PKCE generators the issue flagged. Thelive login flow in
LoginScreen.tsxdoes not setmixedContentMode(theWebView default blocks mixed content) and gets its OAuth material from the
Rust core.
Test fixture PII replaced (finding 6)
test_fixtures/registration_response.jsonnow uses synthetic account ids,device serials, and names; the registration and integration tests assert
the synthetic values.
Findings not addressed here, and why
OpenID/oa2 flow, which does not send a state parameter, and the
callback is only consumed from navigation events inside the app's own
WebView — the app registers no deep link for the callback URL, so there
is no external entry point to inject a forged callback. Code injection
is additionally blocked by PKCE: a code minted for another session fails
the verifier check at token exchange. Sending a state value Amazon may
not echo risks breaking login across marketplaces for no measurable gain.
real hardening options but are feature-sized changes (Android Keystore
integration, pinning rotation strategy) that deserve their own focused
PRs rather than riding along here.
User-visible behavior
None. Log output is quieter and error alerts no longer contain raw API
response dumps.
Validation
npm run typecheckcargo test -p rust-core(lib + integration suites, all green)download verified manually on device