
fix(security): tighten CORS defaults, enforce secure secrets, migrate token hashing#124

Closed
mojomast wants to merge 3 commits into dev from followup/pr124-auth-security

Conversation

@mojomast
Collaborator

@mojomast mojomast commented Feb 14, 2026

Summary

  • tighten CORS defaults by introducing explicit origin/credential settings and rejecting wildcard origins with credentialed requests
  • add startup security validation for APP_ENV/ALLOW_INSECURE_DEFAULTS so prod refuses default or missing SESSION_SECRET and API_TOKEN_PEPPER
  • migrate API token hashing to HMAC-SHA256 with opportunistic legacy hash upgrade on successful auth to preserve existing tokens
  • document new security and migration environment variables in .env.example and README.md

Verification

  • PYTHONPATH=src .venv/bin/python -m py_compile src/proxy_app/security_config.py src/proxy_app/auth.py src/proxy_app/api_token_auth.py src/proxy_app/main.py tests/test_auth.py tests/test_security_config.py
  • PYTHONPATH=src .venv/bin/pytest -q tests/test_auth.py tests/test_api_keys.py tests/test_security_config.py

Important

Enhance security by tightening CORS settings, enforcing secure secrets, and updating token hashing, with comprehensive documentation and tests.

  • Security Enhancements:
    • Tighten CORS defaults by rejecting wildcard origins with credentials in main.py.
    • Enforce secure secrets by refusing startup with default SESSION_SECRET and API_TOKEN_PEPPER in production in security_config.py.
  • Token Management:
    • Migrate API token hashing to HMAC-SHA256 in api_token_auth.py.
    • Opportunistic legacy hash upgrade on successful auth to preserve existing tokens in api_token_auth.py.
  • Environment and Configuration:
    • Add new environment variables for security and migration in .env.example.
    • Document changes in README.md and DOCUMENTATION.md.
  • Testing:
    • Add tests for security settings in test_security_config.py.
    • Add tests for API key management in test_api_keys.py.
    • Add tests for usage recording in test_usage_attribution.py.

This description was created by Ellipsis for 2ef512d.
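The three changes the description lists (a startup gate on APP_ENV / ALLOW_INSECURE_DEFAULTS for SESSION_SECRET and API_TOKEN_PEPPER, rejection of a wildcard CORS origin combined with credentials, and HMAC-SHA256 token hashing with an opportunistic upgrade of legacy hashes on successful auth) are shown below as one stand-alone example. This is added illustration, not code from the PR or from proxy_app; everything beyond the four environment variable names the PR itself mentions is an assumption: the function and class names, the CORS_ALLOW_ORIGINS / CORS_ALLOW_CREDENTIALS variable names, the placeholder list and 32-character minimum, the `sha256$` / `hmac-sha256$` hash prefixes, and the in-memory table keyed by a public token id.

```python
import hashlib
import hmac
import secrets

# Placeholder values commonly found in .env.example templates (assumed list, not the project's).
PLACEHOLDER_SECRETS = {"", "changeme", "change-me", "secret", "default", "your-secret-here"}
MIN_SECRET_LEN = 32  # assumed threshold; 32 hex chars is only 16 bytes, so treat it as a floor

LEGACY_PREFIX = "sha256$"       # assumed format of the pre-migration unkeyed hash
HMAC_PREFIX = "hmac-sha256$"    # assumed format of the new peppered hash


class InsecureConfigError(RuntimeError):
    """Raised at startup when the deployment is configured with unsafe defaults."""


def find_security_problems(env: dict) -> list:
    """Return human-readable problems found in an environment mapping (never raises)."""
    problems = []
    for name in ("SESSION_SECRET", "API_TOKEN_PEPPER"):
        value = env.get(name, "")
        if value.strip().lower() in PLACEHOLDER_SECRETS:
            problems.append(f"{name} is missing or still set to a placeholder")
        elif len(value) < MIN_SECRET_LEN:
            problems.append(f"{name} is shorter than {MIN_SECRET_LEN} characters")
    origins = [o.strip() for o in env.get("CORS_ALLOW_ORIGINS", "").split(",") if o.strip()]
    if "*" in origins and env.get("CORS_ALLOW_CREDENTIALS", "0") == "1":
        problems.append("CORS: wildcard origin cannot be combined with credentials")
    return problems


def enforce_security_settings(env: dict) -> list:
    """Startup gate. Weak secrets are fatal in production unless ALLOW_INSECURE_DEFAULTS=1.
    Wildcard origin + credentials is fatal in every environment: some CORS middlewares
    reflect the request Origin in that case, which grants every site credentialed access."""
    problems = find_security_problems(env)
    cors_problems = [p for p in problems if p.startswith("CORS")]
    if cors_problems:
        raise InsecureConfigError("; ".join(cors_problems))
    production = env.get("APP_ENV", "development").lower() == "production"
    allow_insecure = env.get("ALLOW_INSECURE_DEFAULTS", "0") == "1"
    if problems and production and not allow_insecure:
        raise InsecureConfigError("; ".join(problems))
    return problems  # non-fatal outside production: caller should log these as warnings


def legacy_token_hash(token: str) -> str:
    """Unkeyed SHA-256, the scheme being migrated away from (assumed format)."""
    return LEGACY_PREFIX + hashlib.sha256(token.encode()).hexdigest()


def hmac_token_hash(token: str, pepper: bytes) -> str:
    """HMAC-SHA256 keyed with a server-side pepper: a leaked token table alone no longer
    lets an attacker verify candidate tokens offline. A fast MAC is fine here because API
    tokens are high-entropy random strings, unlike passwords."""
    return HMAC_PREFIX + hmac.new(pepper, token.encode(), hashlib.sha256).hexdigest()


class TokenStore:
    """Toy in-memory token table keyed by a public token id (assumption: the client presents
    both an id and the secret token, so lookup does not depend on the hash scheme)."""

    def __init__(self, pepper: bytes):
        self.pepper = pepper
        self.hashes = {}  # token_id -> stored hash string with scheme prefix

    def issue(self, token_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.hashes[token_id] = hmac_token_hash(token, self.pepper)
        return token  # shown to the client once; only the HMAC is stored

    def import_legacy(self, token_id: str, legacy_hash: str) -> None:
        """Simulates rows carried over from the old table; the plaintext token is unknown."""
        self.hashes[token_id] = legacy_hash

    def scheme(self, token_id: str) -> str:
        return self.hashes[token_id].split("$", 1)[0]

    def authenticate(self, token_id: str, token: str) -> bool:
        stored = self.hashes.get(token_id)
        candidate = hmac_token_hash(token, self.pepper)
        if stored is None:
            # compare against a dummy so unknown ids cost the same as known ones
            hmac.compare_digest(candidate, HMAC_PREFIX + "0" * 64)
            return False
        if stored.startswith(HMAC_PREFIX):
            return hmac.compare_digest(stored, candidate)
        if stored.startswith(LEGACY_PREFIX) and hmac.compare_digest(stored, legacy_token_hash(token)):
            # Opportunistic upgrade: this is the only moment the server holds the plaintext
            # token, so the legacy row is rewritten in HMAC form and never checked the old way again.
            self.hashes[token_id] = candidate
            return True
        return False
```

The upgrade has to happen at authentication time because the old table holds only unkeyed hashes and the server never sees the plaintext again; an offline rehash is impossible. Tokens that are never presented stay in the weak form indefinitely, so a deployment doing this migration usually pairs it with a cutoff after which remaining `sha256$` rows are revoked.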

@mojomast mojomast requested a review from Mirrowel as a code owner February 14, 2026 03:23
@mojomast
Collaborator Author

Superseded by updates pushed to #123 to keep all MVP changes in one review thread.

