You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(security): harden auth posture, credential flow, and error/output leakage
Closes a cluster of authentication, credential-handling, and error-output
exposure gaps, then hardens the places where a fix reached one chokepoint
while the live code path flowed through another.
Authentication
- Fail-closed config: reject enabled=True combined with a no-op strategy
(none/empty) at construction; a bare ServerConfig() yields auth disabled
(an honest 'unconfigured' posture) rather than enabled-with-no-strategy,
which previously let every anonymous caller through with full permissions.
- Bare-config fallbacks in server startup and the CLI now raise a
ConfigurationError instead of silently booting unauthenticated.
- The destructive-admin guard no longer passes under a no-op strategy.
- Cognito: revoke_token performs real revocation (RevokeToken API for refresh
tokens, denylist for access tokens); the denylist is resolved from the
container so revocation takes effect on the live path; the token is always
denylisted before any API call so a forged unsigned token_use cannot skip it.
- IAM: implement SimulatePrincipalPolicy with deny-by-default on error, run
the STS/IAM calls off the event loop, and paginate results fully.
CORS
- Reject credentials combined with wildcard origins, whitespace-padded or
subdomain wildcards, and wildcard headers.
Error / output
- Not-found handlers return categorical messages instead of echoing entity
ids; a details whitelist strips internal fields; unexpected errors are
logged; the sibling response builder no longer echoes raw exception text.
- REST routers return safe messages and log detail server-side.
Credentials & tooling
- AWS provider config wraps access_key_id/secret_access_key in SecretStr,
the session factory forwards explicit credentials to boto3, and the config
debug mask is recursive without over-masking non-secret keys.
- Dev-tools installers drop shell=True, download-then-execute (incl. Windows),
clean up temp files, and fix a broken pipe in the Docker install.
0 commit comments