azcomputerguru/guru-connect
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(server): revoke viewer tokens on logout + stop logging chat content
Some checks failed
Build and Test / Build Server (Linux) (push) Has started running
Details
Build and Test / Build Agent (Windows) (push) Has started running
Details
Build and Test / Security Audit (push) Has been cancelled
Details
Build and Test / Build Summary (push) Has been cancelled
Details

Browse Source 
Security follow-ups (audit 2026-05-30, both reviewed APPROVE):
- MEDIUM: viewer tokens were never blacklisted on logout, so a minted
  session-scoped viewer token stayed valid up to its 5-min TTL after the user
  logged out. Add a per-user ViewerTokenRegistry (Arc<Mutex<HashMap<sub,
  Vec<(token, expires_at)>>>>, prune-on-insert) on AppState; mint_viewer_token
  registers each token under the user sub; logout drains take_for_user(sub) and
  blacklists each via the existing token_blacklist. The viewer WS already calls
  is_revoked, so no WS change. Key chain user.user_id == ViewerClaims.sub ==
  registry key verified consistent. 8 new tests.
- LOW: relay chat logs now emit content length, not the chat body (support-chat
  can carry secrets/PII).
cargo fmt/clippy(-D warnings)/test green on GURU-5070 (37 agent + 61 server).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-30 19:20:15 -07:00
parent 8119292bcd
commit c98692e424
6 changed files with 312 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
server/src/relay/mod.rs
View File

@@ -772,8 +772,11 @@ async fn handle_agent_connection(
let _ = frame_tx.send(data.to_vec());
}
Some(proto::message::Payload::ChatMessage(chat)) => {
// Broadcast chat message to all viewers
info!("Chat from client: {}", chat.content);
// Broadcast chat message to all viewers. Do NOT log
// the chat body: support-session chat can carry
// secrets/PII. Log only the (non-sensitive) length
// so relay activity stays observable.
info!("Chat from client ({} chars)", chat.content.len());
let _ = frame_tx.send(data.to_vec());
}
Some(proto::message::Payload::AgentStatus(status)) => {
@@ -1369,8 +1372,10 @@ async fn handle_viewer_connection(
}
Some(proto::message::Payload::ChatMessage(chat)) => {
// Forward chat message to agent (not throttled —
// not an injected-input vector). Bounded send.
info!("Chat from technician: {}", chat.content);
// not an injected-input vector). Bounded send. Do
// NOT log the chat body (secrets/PII); log only the
// (non-sensitive) length so the relay is observable.
info!("Chat from technician ({} chars)", chat.content.len());
let _ = input_tx.try_send(data.to_vec());
}
_ => {}