You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(security): harden auth posture, credential flow, and error/output leakage
Follow-up hardening after an adversarial review of the initial security
fixes surfaced gaps where a fix was applied at one chokepoint while the
live path flowed through another.
Auth
- Fail-closed config: reject enabled=True combined with a no-op strategy
(none/empty) at construction; ServerConfig() now yields auth disabled
(an honest 'unconfigured' posture) rather than enabled-with-no-strategy.
- Bare ServerConfig() fallbacks in server startup and the CLI now raise a
ConfigurationError instead of silently booting an unauthenticated server.
- Destructive-admin guard no longer passes when the active strategy is a
no-op pass-through.
- CORS validator also rejects whitespace-padded and subdomain wildcards,
and wildcard headers, when credentials are enabled.
Cognito
- Token denylist is now resolved from the container (falling back to an
in-process denylist) so access-token revocation actually takes effect on
the live path; register the denylist port as a default.
- Revocation always denylists the token before any API call, so a forged
unsigned token_use claim can no longer skip denylisting; return False
when revocation cannot be performed.
- Structural token check before denylist lookup; boto3 calls off the loop.
IAM
- Run the STS/IAM calls off the event loop; paginate SimulatePrincipalPolicy
fully; deny-by-default preserved on every error path; tighten error logging.
Error output
- Not-found handlers return categorical messages instead of echoing entity
ids; a details whitelist strips internal fields; unexpected errors are
logged; the sibling response builder no longer echoes raw exception text.
- REST routers return safe messages and log detail server-side instead of
returning raw exception strings to callers.
Credentials & tooling
- AWS session factory now actually forwards explicit credentials to boto3;
config-dict masking is recursive and no longer over-masks non-secret keys.
- Dev-tools installers clean up temp files, avoid a broken pipe in the Docker
install, and download-then-execute on Windows instead of piping to a shell.
0 commit comments