unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases 4 Wiki Activity

fix(web): harden BFF auth — adversarial-review fixes
ci / rust (push) Has been cancelled
Details

Browse Source 
Multi-agent security review of 9856c04 (4 dimensions, 2-skeptic verification):

- CRITICAL functional+security: the session cookie inherited h3's Secure=true default;
  browsers DROP Secure cookies over plain http://, so login silently failed on a LAN HTTP
  client (worked only on localhost, a secure context — which is why the live test passed).
  Now set the cookie attributes explicitly: HttpOnly + SameSite=Lax + Path=/, and Secure
  only when PUNKTFUNK_UI_SECURE=1 (behind TLS). Verified: Set-Cookie no longer has Secure.
- Gate bypass: isPublicPath allowlisted any path ending in .json/.css/.png/etc., so
  /api/v1/openapi.json (served unauthenticated on the mgmt side too) leaked the whole API
  schema through the token-injecting proxy. Now /api is ALWAYS gated and the generic
  extension allowlist is gone (client assets are all under /assets/, still allowlisted).
  Verified: /api/v1/openapi.json and /api/v1/status.json → 401.
- Session lifetime: added maxAge (7d) — bounds a stolen cookie (cookie Max-Age + iron seal
  TTL); previously never expired.
- Open redirect: the post-login `next` accepted protocol-relative `//evil.com`. Hardened
  client + added safeNextPath() (same-origin path only).

Re-validated end to end: login assets public (200), /api/openapi.json gated (401), authed
/api/v1/status (200), unauth /→302. tsc + build green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-10 18:55:41 +00:00
parent 9856c04b75
commit c9ad74a620
2 changed files with 35 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/src/routes/login.tsx
+4 -2
View File
@@ -38,8 +38,10 @@ function LoginPage() {
setBusy(false)
return
}
// Full reload to the target so SSR re-runs WITH the new session cookie.
window.location.href = next && next.startsWith('/') ? next : '/'
// Full reload to the target so SSR re-runs WITH the new session cookie. Only a
// same-origin path — reject protocol-relative/absolute URLs (open-redirect guard).
const safe = next && next.startsWith('/') && !next.startsWith('//') ? next : '/'
window.location.href = safe
} catch {
setError(true)
setBusy(false)