Conversation
SSO Handler validation: - CreateProviderRequest: provider enum (entra_id/okta/google_workspace), display_name max=255, client_id max=255, client_secret max=1000, issuer_url validated url, scopes max=20, allowed_domains max=50, default_role enum (member/viewer only - owner not allowed via SSO) - UpdateProviderRequest: same bounds on all optional fields E2E test (28 tests): - A. Provider CRUD (create, list, get, update, delete) - B. Input validation (invalid provider, missing fields, role, bounds) - C. Security (no auth, cross-tenant, SSRF redirect, invalid state) - D. SSO authorize flow (URL generation, state token, scopes) - E. Provider lifecycle (activate, deactivate, delete)
When a user exists with auth_provider=local (has password), block SSO login with the same email from a different provider. This prevents: 1. Attacker controls SSO IdP with victim's email → logs into victim's account 2. Local user accidentally merged with SSO identity Rules: - Same provider → allow (normal SSO re-login) - OIDC provider → allow (generic OIDC is flexible) - Local user WITHOUT password → allow (invited user, not yet set password) - Local user WITH password → BLOCK (existing local account, must use password) Log blocked attempts as warnings for security monitoring.
Same auth provider mismatch bug as SSO fixed earlier: - Block OAuth login when email exists with local auth (has password) - Allow if local user has no password (invited, not yet configured) - Log blocked attempts as warnings Also: require email from OAuth provider before creating/linking user. Previously, a provider returning no email could create a user with empty email, breaking uniqueness constraints.
Google OAuth userinfo can return unverified emails. An attacker could: 1. Create Google account with unverified corporate email 2. Login via OAuth → system accepts unverified email 3. Join corporate tenant if domain matches Fix: check 'verified_email' field from Google userinfo v2 endpoint. Reject login if email is not verified. Note: GitHub already checks verified flag. Microsoft Graph API inherently returns verified emails (no explicit check needed).
PKCE (RFC 7636) for OAuth: - Generate code_verifier (32 bytes random, base64url) - Compute code_challenge = SHA256(verifier), base64url - Send code_challenge + code_challenge_method=S256 in authorize URL - Send code_verifier in token exchange request - Verifier stored in signed state token (HMAC-SHA256) - Prevents authorization code interception attacks Nonce for SSO: - Generate 16-byte random nonce per SSO authorization - Include nonce in authorize URL params - Store nonce in signed state token for verification - Prevents ID token replay attacks Session revocation: - Document race window between session and refresh token revocation - Window is <1ms and mitigated by session check in ExchangeToken
GetAssetStats: 3 queries → 1 CTE (total + by_type + by_status in single scan) GetFindingStats: 4 queries → 1 CTE (total + by_severity + by_status + avg_cvss) Dashboard endpoint now uses 2 queries instead of 8 for the summary page. Both CTEs use a common base CTE to scan the table once.
Added 13 fields that were stored in DB but never returned: - parent_id, discovery_source, discovery_tool, discovered_at - compliance_scope, data_classification - pii_data_exposed, phi_data_exposed, is_internet_accessible - sync_status, last_synced_at Verified on live API: all fields present in response.
…role, service_account) 5 asset types existed in Go code and UI but were missing from the asset_types DB table, causing FK constraint violation (500 error) when creating assets of these types. Migration 000100 seeds: - ip_address (was 'ip' in DB, Go uses 'ip_address') - serverless (was 'serverless_function', Go uses 'serverless') - iam_user (new identity type) - iam_role (new identity type) - service_account (new identity type) Verified: all 5 types now create successfully (201). Status lifecycle (activate/deactivate/archive) also verified working.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.