jarvis/dd0c
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
131 Commits 1 Branch 0 Tags
be3f37cfdd4b45a2a3dfe672567e1cad8bb87b45
Commit Graph

3 Commits

Author SHA1 Message Date
Max Mayfield
be3f37cfdd Fix CRITICAL auth bypass: exact match for login/signup paths
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 45s
Details
CI — P2 Drift (Go + Node) / saas (push) Successful in 28s
Details
CI — P3 Alert / test (push) Successful in 24s
Details
CI — P4 Portal / test (push) Successful in 27s
Details
CI — P5 Cost / test (push) Successful in 26s
Details
CI — P6 Run / saas (push) Successful in 25s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 46s
Details
CI — P3 Alert / build-push (push) Failing after 38s
Details
CI — P4 Portal / build-push (push) Failing after 50s
Details
CI — P5 Cost / build-push (push) Failing after 22s
Details
CI — P6 Run / build-push (push) Failing after 1m3s
Details 
startsWith('/api/v1/auth/login') allowed any path with that prefix
to bypass authentication (e.g. /api/v1/auth/login-anything).
Changed to exact path match with query string stripping.
Fixed across all 5 products + shared/auth.ts.
 2026-03-02 20:35:28 +00:00
Max Mayfield
5ee869b9d8 Implement auth: login/signup (scrypt), API key generation, shared migration 
- Login: email + password lookup, scrypt verify, JWT token
- Signup: create tenant + owner user in transaction, slug generation
- API key: dd0c_ prefix, SHA-256 hash (not bcrypt — faster for API key lookups), prefix index
- Scrypt over bcrypt: zero native deps, Node.js built-in crypto
- Auth routes skip JWT middleware (login/signup are public)
- 002_auth.sql: users + api_keys tables with RLS, copied to all products
- Synced auth middleware to P3/P4/P5/P6
 2026-03-01 03:19:18 +00:00
Max Mayfield
762e2db9df Add shared auth middleware (JWT + API key + RBAC) and canonical withTenant() helper 2026-03-01 03:09:01 +00:00