azcomputerguru/guru-connect
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

feat(server): v2 secure-session-core Task 4 - rate limit + single-use codes
Some checks failed
Build and Test / Build Server (Linux) (push) Failing after 6m12s
Details
Build and Test / Build Agent (Windows) (push) Successful in 6m43s
Details
Build and Test / Security Audit (push) Successful in 4m23s
Details
Build and Test / Build Summary (push) Has been skipped
Details

Browse Source 
SPEC-002 Phase 1 Task 4 (the final keystone task), code-reviewed APPROVED.
Closes the audit's reusable-code HIGH and rate-limiting-disabled HIGH.

- Rebuilt rate limiting as a self-contained in-memory per-IP limiter (replaces
  the non-compiling tower_governor; removed that dep). Fixed-window caps wired
  to login (8/min), change-password (5/min), code-validate (15/min) -> 429;
  per-IP lockout after 10 consecutive failed code validations (15-min cooldown).
- Single-use support codes: atomic consume on first agent bind (in-memory
  Pending->Connected under write lock + DB conditional UPDATE), rejecting a
  second presenter; validate/preview does not consume.
- Widened code format: XXX-XXX-XXX, 31-char unambiguous alphabet (no 0/O/1/I/L),
  CSPRNG + rejection sampling, ~44.6 bits (replaces 6-digit numeric); migration
  006 widens the code columns to TEXT.

Completes the keystone (Tasks 1-4): every audit CRITICAL + HIGH in the secure
auth/session core is now addressed. Known follow-up todos (not blocking): (1)
trusted-proxy client-IP extraction (NPM-on-loopback collapses clients to
127.0.0.1); (2) multi-instance fail-closed DB single-use gate. Not
cargo-check-verified locally - build-host/CI verification follows this commit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-29 21:04:54 -07:00
parent 8a0193577b
commit bfcdbb5379
9 changed files with 1026 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
specs/v2-secure-session-core/plan.md
View File

@@ -1,7 +1,8 @@
# v2 Secure Session Core — Implementation Plan
> Spec created: 2026-05-29
> Status: in progress — Tasks 1-3 DONE 2026-05-29 (Task 3 code-reviewed APPROVED). Viewer-token authz
> Status: in progress — Tasks 1-4 IMPLEMENTED 2026-05-29 (Task 4 self-reviewed, pending Code Review;
> Tasks 1-3 code-reviewed APPROVED). Task 4 completes the KEYSTONE (secure auth/session core). Viewer-token authz
> STRENGTH split IMPLEMENTED 2026-05-29 (self-reviewed; no Rust toolchain on this machine — not yet
> `cargo check`-verified; pending Code Review). This was the REQUIRED Phase-1-exit follow-up: the gate
> previously used `view` (held by EVERY default role incl. `viewer`) but a viewer token granted input
@@ -179,7 +180,59 @@ Reference: audit Pass E (`reports/2026-05-29-gc-audit.md` §"Pass 5"); `relay/mo
---
## Task 4 (KEYSTONE): Working rate limiting + single-use support codes
## Task 4 (KEYSTONE) [IMPLEMENTED 2026-05-29 — self-reviewed; no Rust toolchain on this machine, not yet `cargo check`-verified; pending Code Review]: Working rate limiting + single-use support codes
> [IMPLEMENTED] Closes the keystone (Tasks 14). Three parts:
>
> A. RATE LIMITING — replaced the non-compiling tower_governor layer with a small
> self-contained in-memory limiter (`middleware/rate_limit.rs`): a per-IP
> fixed-window `RateLimiter` (`Mutex<HashMap<IpAddr, Window>>`, no new dep) +
> a per-IP consecutive-failure `FailureLockout`, bundled as `RateLimitState`
> in `AppState`. Keyed by `ConnectInfo<SocketAddr>` IP (same source the relay
> uses); X-Forwarded-For intentionally NOT trusted (proxy-spoofable). 429 with
> the standard error envelope on limit. Re-enabled `pub mod rate_limit`. Wired
> per-route via `route_layer(from_fn_with_state(...))` onto `POST
> /api/auth/login` (8/min/IP), `POST /api/auth/change-password` (5/min/IP), and
> `GET /api/codes/:code/validate` (15/min/IP). Named consts for every limit.
> LOCKOUT: after 10 consecutive failed code-validations from an IP, that IP is
> locked out 15 min; the validate handler reports success/failure into the
> lockout, the middleware enforces it BEFORE the handler runs. Unit tests cover
> window allow/block/reset, per-IP isolation, and lockout trip/reset/expire
> (clock injected, no sleeps).
>
> B. SINGLE-USE CODES — the agent bind path now CONSUMES the code atomically on
> first bind. In-memory: new `SupportCodeManager::consume_for_bind` accepts
> ONLY a `Pending` code and flips it to `Connected` under the write lock (a 2nd
> presenter loses the race → rejected). This replaces the v1 pre-upgrade check
> that accepted `pending` OR `connected` (the reusable-code HIGH). DB: new
> `db::support_codes::consume_code_for_bind` — a single conditional UPDATE
> `... SET consumed_at = NOW(), status='connected' WHERE code=$1 AND consumed_at
> IS NULL AND status='pending' AND (expires_at IS NULL OR expires_at > NOW())
> RETURNING id`; zero rows ⇒ not consumable. The in-memory consume is
> AUTHORITATIVE (the live source of truth); the DB UPDATE is a durable/audit
> mirror applied best-effort after it (a missing DB row does not veto a bind the
> in-memory layer admitted). To make the durable record meaningful, the portal
> `create_code` handler now also inserts the code into `connect_support_codes`.
> Validate/preview path is UNCHANGED and explicitly does NOT consume (test
> `preview_validate_does_not_consume`).
>
> C. WIDER CODE — replaced the 6-digit numeric generator with a grouped
> base32-style code `XXX-XXX-XXX` (9 symbols over a 31-char UNAMBIGUOUS alphabet
> excluding 0/O/1/I/L ≈ 44.6 bits), CSPRNG-backed (`OsRng`, rejection sampling
> to avoid modulo bias). The new code (11 chars incl. hyphens) does NOT fit the
> `VARCHAR(10)` column from migration 001, so migration `006_widen_support_code.sql`
> widens `connect_support_codes.code` AND `connect_sessions.support_code` to
> TEXT (idempotent). Unit tests cover shape, charset (no ambiguous chars), and
> practical uniqueness.
>
> DEPS: none added; `tower_governor` REMOVED from Cargo.toml (it never compiled).
> No code/secret/support-code value logged on any path. Runtime `sqlx::query`.
> Files: `server/src/middleware/rate_limit.rs` (rebuilt), `server/src/middleware/mod.rs`,
> `server/src/main.rs` (AppState field + 3 route wirings + create_code DB insert +
> validate handler lockout feed), `server/src/support_codes.rs` (new generator +
> `consume_for_bind` + tests), `server/src/db/support_codes.rs`
> (`consume_code_for_bind`), `server/src/relay/mod.rs` (atomic consume on bind),
> `server/migrations/006_widen_support_code.sql` [new], `server/Cargo.toml`.
Files touched: `server/src/middleware/rate_limit.rs` (rebuild — v1 is non-compiling),
`server/src/middleware/mod.rs`, `server/src/api/auth.rs` (login), `server/src/api/` (code validate),