Conversation
Update dependency versions (uuid -> 1.22.0, libc -> 0.2.183) and remove chrono/getrandom from the wasm feature set. Enhance SQL parser to recognize CURRENT_USER / CURRENT_ROLE keywords and rewrite them to KDB_CURRENT_*() for DataFusion (adds regexes and a unit test). Improve example apps: add vite env types, compute stable sort keys and sort/cap rows for chat and activity examples to ensure deterministic ordering. Revise link/ README and Dart SDK README to reflect current SDK shape, usage, and init/connect patterns; adjust crate feature lists. Misc: update related generated SDK artifacts and native libs.
Add first-class refresh-token cookie support and switch several UI lists to realtime subscriptions. Backend/auth: create and expose refresh cookie helpers (create_refresh_cookie, create_refresh_logout_cookie, extract_refresh_token) and refactor cookie building into build_token_cookie/build_expired_cookie. Login, refresh and logout handlers now set/clear both auth and refresh cookies, and cookie secure flag respects request scheme (https). Add extract_refresh_or_bearer_token to prefer refresh-cookie extraction and fall back to Bearer header. Re-export new helpers from the auth crate. SQL/parser/core: improve SQL parsing for context-functions by attempting to parse the original SQL first and only applying normalization as a fallback (preserving original errors). Simplify executor parsing path by parsing the raw SQL directly. Core tests: introduce a test AppContext and update tests to use SqlExecutor and the app-level session context for end-to-end verification. UI: switch AuditLogList and LiveQueryList to use subscribeRows (realtime row subscriptions) with new subscription query builders (buildAuditLogsSubscriptionQuery, buildLiveQueriesSubscriptionQuery). Add loading/error state, refresh controls and row mapping logic. Update API client to treat /auth/refresh as a no-auth endpoint. Update authSlice.checkAuth to call refresh(), set client token and populate auth state from the refresh response. Overall this change adds refresh-token lifecycle handling across the stack and introduces realtime subscriptions for audit/log and live-queries lists.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| // Create HttpOnly cookie | ||
| let cookie_config = CookieConfig { | ||
| secure: config.cookie_secure, | ||
| secure: config.cookie_secure && req.connection_info().scheme() == "https", |
Check failure
Code scanning / CodeQL
Uncontrolled allocation size High
Copilot Autofix
AI about 2 months ago
Copilot could not generate an autofix suggestion
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
| pub async fn logout_handler(req: HttpRequest, config: web::Data<AuthSettings>) -> HttpResponse { | ||
| let cookie_config = CookieConfig { | ||
| secure: config.cookie_secure, | ||
| secure: config.cookie_secure && req.connection_info().scheme() == "https", |
Check failure
Code scanning / CodeQL
Uncontrolled allocation size High
Copilot Autofix
AI about 2 months ago
Copilot could not generate an autofix suggestion
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
| // Create new cookie | ||
| let cookie_config = CookieConfig { | ||
| secure: config.cookie_secure, | ||
| secure: config.cookie_secure && req.connection_info().scheme() == "https", |
Check failure
Code scanning / CodeQL
Uncontrolled allocation size High
Copilot Autofix
AI about 2 months ago
Copilot could not generate an autofix suggestion
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
| }, | ||
| ), | ||
| ) | ||
| .finish(); |
Check failure
Code scanning / CodeQL
'Secure' attribute is not set to true High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, to fix this issue we must ensure that the Secure attribute is always set to true for these authentication cookies, regardless of external configuration. That means we should not rely on a caller-provided bool to decide whether auth cookies are secure. Instead, hardcode .secure(true) in the builders and, if necessary, explicitly set the flag on the resulting Cookie instances as well.
The best minimal change without altering external behavior other than enforcing security is to change the two places where we currently pass config.secure into .secure(...) and replace them with .secure(true). This guarantees that both the token cookie (build_token_cookie) and the expired/deletion cookie (build_expired_cookie) are always Secure, even if CookieConfig.secure is false. The rest of the configuration (path, same_site, domain, expiry) remains untouched, so functionality other than enforcing HTTPS-only cookies is preserved. No new imports or helper methods are needed; we only modify the .secure(...) calls on lines 39 and 66 in backend/crates/kalamdb-auth/src/helpers/cookie.rs.
| @@ -36,7 +36,7 @@ | ||
| let mut cookie = Cookie::build(name, value) | ||
| .path(config.path.clone()) | ||
| .http_only(true) | ||
| .secure(config.secure) | ||
| .secure(true) | ||
| .same_site(config.same_site) | ||
| .expires( | ||
| cookie::time::OffsetDateTime::from_unix_timestamp(expiry.timestamp()).unwrap_or_else( | ||
| @@ -63,7 +63,7 @@ | ||
| let mut cookie = Cookie::build(name, "") | ||
| .path(config.path.clone()) | ||
| .http_only(true) | ||
| .secure(config.secure) | ||
| .secure(true) | ||
| .same_site(config.same_site) | ||
| .expires(cookie::time::OffsetDateTime::UNIX_EPOCH) | ||
| .finish(); |
| .secure(config.secure) | ||
| .same_site(config.same_site) | ||
| .expires(cookie::time::OffsetDateTime::UNIX_EPOCH) | ||
| .finish(); |
Check failure
Code scanning / CodeQL
'Secure' attribute is not set to true High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, to fix this class of issue you must ensure that any cookies used for authentication or other sensitive data are always created with the Secure attribute set to true, so that browsers only send them over HTTPS. This means avoiding any configuration or runtime path where secure might be false for such cookies.
For this specific code, the simplest and safest fix without changing observable functionality (beyond tighter security) is to hard‑code .secure(true) in both build_token_cookie and build_expired_cookie instead of depending on config.secure. That guarantees that both the “normal” auth cookies and the “expired” (logout) cookies are always marked Secure. The CookieConfig struct can still retain the secure field if it’s used elsewhere, but it will no longer influence these critical auth cookies. No new imports or helper methods are required; this is a one‑line change in each builder chain inside backend/crates/kalamdb-auth/src/helpers/cookie.rs.
Concretely:
- In
build_token_cookie, change.secure(config.secure)to.secure(true). - In
build_expired_cookie, change.secure(config.secure)to.secure(true).
This ensures CodeQL can verify that, along the taint path it identified, the Secure attribute is always set to true at the sink (finish()).
| @@ -36,7 +36,7 @@ | ||
| let mut cookie = Cookie::build(name, value) | ||
| .path(config.path.clone()) | ||
| .http_only(true) | ||
| .secure(config.secure) | ||
| .secure(true) | ||
| .same_site(config.same_site) | ||
| .expires( | ||
| cookie::time::OffsetDateTime::from_unix_timestamp(expiry.timestamp()).unwrap_or_else( | ||
| @@ -63,7 +63,7 @@ | ||
| let mut cookie = Cookie::build(name, "") | ||
| .path(config.path.clone()) | ||
| .http_only(true) | ||
| .secure(config.secure) | ||
| .secure(true) | ||
| .same_site(config.same_site) | ||
| .expires(cookie::time::OffsetDateTime::UNIX_EPOCH) | ||
| .finish(); |
2 participants
No description provided.