Security improvements

.github/workflows/backend-audit.yaml

@@ -0,0 +1,42 @@
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Mix Audit
+on:
+  workflow_call:
+  workflow_dispatch:
+permissions:
+  contents: read
+defaults:
+  run:
+    shell: bash
+    working-directory: backend
+env:
+  MIX_ENV: test
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: team-alembic/staple-actions/actions/mix-task@main
+        with:
+          task: deps.audit
+          working-directory: backend
+          mix-env: test

.github/workflows/backend-ci.yaml

@@ -47,6 +47,12 @@ jobs:
   credo:
     needs: [warmup-cache]
     uses: ./.github/workflows/backend-credo.yaml
+  audit:
+    needs: [warmup-cache]
+    uses: ./.github/workflows/backend-audit.yaml
+  sobelow:
+    needs: [warmup-cache]
+    uses: ./.github/workflows/backend-sobelow.yaml
   test:
     needs: [warmup-cache]
     uses: ./.github/workflows/backend-test.yaml

.github/workflows/backend-sobelow.yaml

@@ -0,0 +1,42 @@
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Mix Sobelow
+on:
+  workflow_call:
+  workflow_dispatch:
+permissions:
+  contents: read
+defaults:
+  run:
+    shell: bash
+    working-directory: backend
+env:
+  MIX_ENV: test
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: team-alembic/staple-actions/actions/mix-task@main
+        with:
+          task: sobelow --config
+          working-directory: backend
+          mix-env: test

.github/workflows/frontend-audit.yaml

@@ -0,0 +1,45 @@
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: NPM Audit
+on:
+  workflow_call:
+  workflow_dispatch:
+permissions:
+  contents: read
+defaults:
+  run:
+    shell: bash
+    working-directory: frontend
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          show-progress: false
+      - uses: actions/setup-node@v6
+        id: cache-npm
+        with:
+          node-version-file: .tool-versions
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+      - name: npm install
+        run: npm ci --ignore-scripts
+      - name: npm audit
+        run: npm audit --audit-level=high

.github/workflows/frontend-ci.yaml

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2021 - 2025 SECO Mind Srl
+# Copyright 2021 - 2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -62,3 +62,6 @@ jobs:
   coverage:
     needs: [warmup-cache]
     uses: ./.github/workflows/frontend-coverage.yaml
+  audit:
+    needs: [warmup-cache]
+    uses: ./.github/workflows/frontend-audit.yaml

backend/.sobelow-conf

@@ -0,0 +1 @@
+[exit: :medium, format: "txt", ignore_files: [], ignore: ["Config.CSWH", "Config.HTTPS"], out: nil, private: false, router: nil, skip: false, threshold: :low, verbose: false, version: false]

backend/.sobelow-conf.license

@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2021-2026 SECO Mind Srl
+SPDX-License-Identifier: CC0-1.0

backend/lib/edgehog/config.ex

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2022-2023 SECO Mind Srl
+# Copyright 2022-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,14 +30,6 @@ defmodule Edgehog.Config do
   alias Edgehog.Geolocation
   alias Edgehog.Geolocation.Providers.GoogleGeocoding
 
-  @envdoc """
-  Disables admin authentication. CHANGING IT TO TRUE IS GENERALLY A REALLY BAD IDEA IN A PRODUCTION ENVIRONMENT, IF YOU DON'T KNOW WHAT YOU ARE DOING.
-  """
-  app_env :disable_admin_authentication, :edgehog, :disable_admin_authentication,
-    os_env: "DISABLE_ADMIN_AUTHENTICATION",
-    type: :boolean,
-    default: false
-
   @envdoc "The Admin API JWT public key."
   app_env :admin_jwk, :edgehog, :admin_jwk,
     os_env: "ADMIN_JWT_PUBLIC_KEY_PATH",
@@ -67,14 +59,6 @@ defmodule Edgehog.Config do
     type: :boolean,
     default: false
 
-  @envdoc """
-  Disables tenant authentication. CHANGING IT TO TRUE IS GENERALLY A REALLY BAD IDEA IN A PRODUCTION ENVIRONMENT, IF YOU DON'T KNOW WHAT YOU ARE DOING.
-  """
-  app_env :disable_tenant_authentication, :edgehog, :disable_tenant_authentication,
-    os_env: "DISABLE_TENANT_AUTHENTICATION",
-    type: :boolean,
-    default: false
-
   @envdoc "The API key for the ipbase.com geolocation provider."
   app_env :ipbase_api_key, :edgehog, :ipbase_api_key,
     os_env: "IPBASE_API_KEY",
@@ -112,12 +96,6 @@ defmodule Edgehog.Config do
     type: GeocodingProviders,
     default: [GoogleGeocoding]
 
-  @doc """
-  Returns true if admin authentication is disabled.
-  """
-  @spec admin_authentication_disabled?() :: boolean()
-  def admin_authentication_disabled?, do: disable_admin_authentication!()
-
   @doc """
   Returns true if edgehog should use an ssl connection with the database.
   """
@@ -179,12 +157,6 @@ defmodule Edgehog.Config do
       else: false
   end
 
-  @doc """
-  Returns true if tenant authentication is disabled.
-  """
-  @spec tenant_authentication_disabled?() :: boolean()
-  def tenant_authentication_disabled?, do: disable_tenant_authentication!()
-
   @doc """
   Returns the list of geolocation modules to use.
   """
@@ -215,11 +187,7 @@ defmodule Edgehog.Config do
   """
   @spec validate_admin_authentication!() :: :ok | no_return()
   def validate_admin_authentication! do
-    if admin_authentication_disabled?() do
-      :ok
-    else
-      admin_jwk!()
-      :ok
-    end
+    admin_jwk!()
+    :ok
   end
 end

backend/lib/edgehog_web/admin_api/auth/auth.ex

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2023 SECO Mind Srl
+# Copyright 2023-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,16 +20,14 @@
 
 defmodule EdgehogWeb.AdminAPI.Auth do
   @moduledoc false
-  alias Edgehog.Config
   alias EdgehogWeb.AdminAPI.Auth.Pipeline
 
   def init(opts) do
     Pipeline.init(opts)
   end
 
   def call(conn, opts) do
-    if Config.admin_authentication_disabled?() ||
-         conn.path_info == ["admin-api", "v1", "open_api"] do
+    if conn.path_info == ["admin-api", "v1", "open_api"] do
       conn
     else
       Pipeline.call(conn, opts)

backend/lib/edgehog_web/auth.ex

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2022-2023 SECO Mind Srl
+# Copyright 2022-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,20 +20,13 @@
 
 defmodule EdgehogWeb.Auth do
   @moduledoc false
-  alias Edgehog.Config
   alias EdgehogWeb.Auth.Pipeline
 
   def init(opts) do
     Pipeline.init(opts)
   end
 
   def call(conn, opts) do
-    if Config.tenant_authentication_disabled?() do
-      # TODO: when we add Authz this path will probably have to
-      # put some type of all-access Authz in the GraphQL context
-      conn
-    else
-      Pipeline.call(conn, opts)
-    end
+    Pipeline.call(conn, opts)
   end
 end

backend/mix.exs

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2021-2025 SECO Mind Srl
+# Copyright 2021-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -127,7 +127,9 @@ defmodule Edgehog.MixProject do
       {:ymlr, "~> 5.1"},
       {:sourceror, "~> 1.10", only: [:dev, :test]},
       {:phoenix_pubsub, "~> 2.0"},
-      {:absinthe_phoenix, "~> 2.0"}
+      {:absinthe_phoenix, "~> 2.0"},
+      {:mix_audit, "~> 2.1", only: [:dev, :test], runtime: false},
+      {:sobelow, "~> 0.13", only: [:dev, :test], runtime: false}
     ]
   end
 

backend/mix.lock

@@ -57,6 +57,7 @@
   "mime": {:hex, :mime, "2.0.7", "b8d739037be7cd402aee1ba0306edfdef982687ee7e9859bee6198c1e7e2f128", [:mix], [], "hexpm", "6171188e399ee16023ffc5b76ce445eb6d9672e2e241d2df6050f3c771e80ccd"},
   "mimerl": {:hex, :mimerl, "1.4.0", "3882a5ca67fbbe7117ba8947f27643557adec38fa2307490c4c4207624cb213b", [:rebar3], [], "hexpm", "13af15f9f68c65884ecca3a3891d50a7b57d82152792f3e19d88650aa126b144"},
   "mint": {:hex, :mint, "1.7.1", "113fdb2b2f3b59e47c7955971854641c61f378549d73e829e1768de90fc1abf1", [:mix], [{:castore, "~> 0.1.0 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}, {:hpax, "~> 0.1.1 or ~> 0.2.0 or ~> 1.0", [hex: :hpax, repo: "hexpm", optional: false]}], "hexpm", "fceba0a4d0f24301ddee3024ae116df1c3f4bb7a563a731f45fdfeb9d39a231b"},
+  "mix_audit": {:hex, :mix_audit, "2.1.5", "c0f77cee6b4ef9d97e37772359a187a166c7a1e0e08b50edf5bf6959dfe5a016", [:make, :mix], [{:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: false]}, {:yaml_elixir, "~> 2.11", [hex: :yaml_elixir, repo: "hexpm", optional: false]}], "hexpm", "87f9298e21da32f697af535475860dc1d3617a010e0b418d2ec6142bc8b42d69"},
   "mox": {:hex, :mox, "1.2.0", "a2cd96b4b80a3883e3100a221e8adc1b98e4c3a332a8fc434c39526babafd5b3", [:mix], [{:nimble_ownership, "~> 1.0", [hex: :nimble_ownership, repo: "hexpm", optional: false]}], "hexpm", "c7b92b3cc69ee24a7eeeaf944cd7be22013c52fcb580c1f33f50845ec821089a"},
   "nimble_options": {:hex, :nimble_options, "1.1.1", "e3a492d54d85fc3fd7c5baf411d9d2852922f66e69476317787a7b2bb000a61b", [:mix], [], "hexpm", "821b2470ca9442c4b6984882fe9bb0389371b8ddec4d45a9504f00a66f650b44"},
   "nimble_ownership": {:hex, :nimble_ownership, "1.0.2", "fa8a6f2d8c592ad4d79b2ca617473c6aefd5869abfa02563a77682038bf916cf", [:mix], [], "hexpm", "098af64e1f6f8609c6672127cfe9e9590a5d3fcdd82bc17a377b8692fd81a879"},
@@ -84,6 +85,7 @@
   "reactor": {:hex, :reactor, "1.0.0", "024bd13df910bcb8c01cebed4f10bd778269a141a1c8a234e4f67796ac4883cf", [:mix], [{:igniter, "~> 0.4", [hex: :igniter, repo: "hexpm", optional: true]}, {:iterex, "~> 0.1", [hex: :iterex, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:libgraph, "~> 0.16", [hex: :libgraph, repo: "hexpm", optional: false]}, {:spark, ">= 2.3.3 and < 3.0.0-0", [hex: :spark, repo: "hexpm", optional: false]}, {:splode, "~> 0.2", [hex: :splode, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.2", [hex: :telemetry, repo: "hexpm", optional: false]}, {:yaml_elixir, "~> 2.11", [hex: :yaml_elixir, repo: "hexpm", optional: false]}, {:ymlr, "~> 5.0", [hex: :ymlr, repo: "hexpm", optional: false]}], "hexpm", "ae8eb507fffc517f5aa5947db9d2ede2db8bae63b66c94ccb5a2027d30f830a0"},
   "recon": {:hex, :recon, "2.5.6", "9052588e83bfedfd9b72e1034532aee2a5369d9d9343b61aeb7fbce761010741", [:mix, :rebar3], [], "hexpm", "96c6799792d735cc0f0fd0f86267e9d351e63339cbe03df9d162010cefc26bb0"},
   "skogsra": {:hex, :skogsra, "2.5.0", "57d57c15bb8356662177779cb10adf1272069eeb4f3c032bf7d71d522e726f06", [:mix], [{:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: true]}, {:yamerl, "~> 0.10", [hex: :yamerl, repo: "hexpm", optional: true]}], "hexpm", "b7dfe23ef3f9999a96fa330b73363b3f48d68a7ca3eb98ab1f32cd888ef207ee"},
+  "sobelow": {:hex, :sobelow, "0.14.1", "2f81e8632f15574cba2402bcddff5497b413c01e6f094bc0ab94e83c2f74db81", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "8fac9a2bd90fdc4b15d6fca6e1608efb7f7c600fa75800813b794ee9364c87f2"},
   "sourceror": {:hex, :sourceror, "1.10.1", "325753ed460fe9fa34ebb4deda76d57b2e1507dcd78a5eb9e1c41bfb78b7cdfe", [:mix], [], "hexpm", "288f3079d93865cd1e3e20df5b884ef2cb440e0e03e8ae393624ee8a770ba588"},
   "spark": {:hex, :spark, "2.4.0", "f93d3ae6b5f3004e956d52f359fa40670366685447631bc7c058f4fbf250ebf3", [:mix], [{:igniter, ">= 0.3.64 and < 1.0.0-0", [hex: :igniter, repo: "hexpm", optional: true]}, {:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: true]}, {:sourceror, "~> 1.2", [hex: :sourceror, repo: "hexpm", optional: true]}], "hexpm", "4e5185f5737cd987bb9ef377ae3462a55b8312f5007c2bc4ad6e850d14ac0111"},
   "splode": {:hex, :splode, "0.3.0", "ff8effecc509a51245df2f864ec78d849248647c37a75886033e3b1a53ca9470", [:mix], [], "hexpm", "73cfd0892d7316d6f2c93e6e8784bd6e137b2aa38443de52fd0a25171d106d81"},

backend/mix.lock.license

@@ -1,2 +1,2 @@
-SPDX-FileCopyrightText: 2021-2025 SECO Mind Srl
+SPDX-FileCopyrightText: 2021-2026 SECO Mind Srl
 SPDX-License-Identifier: CC0-1.0