trusted proxy, TOTP replay protection, new tests
- Trusted proxy config option for proxy-aware IP extraction used by rate limiting and audit logs; validates proxy IP before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers, fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and DEF-03 (proxy-unaware rate limiting); gRPC TOTP enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
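The proxy-aware client-IP extraction the commit message describes, as an added illustration in Go that is not the project's own code: the TrustedProxies type, the CIDR list and the right-to-left walk of X-Forwarded-For are assumptions made for this example, but the rule it enforces is the one the message states, forwarding headers are believed only when the socket peer is a configured proxy.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// TrustedProxies lists proxy networks whose forwarding headers are believed.
// Hypothetical type written for this example, not the project's own.
type TrustedProxies []*net.IPNet

func (tp TrustedProxies) trusted(ip net.IP) bool {
	for _, n := range tp {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to rate-limit and audit-log. The socket peer
// is authoritative unless it is a trusted proxy; only then is X-Forwarded-For
// (else X-Real-IP) read, walking right-to-left past further trusted proxies.
// Headers sent by an untrusted peer are ignored, so they cannot be spoofed.
func (tp TrustedProxies) ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if peer := net.ParseIP(host); peer == nil || !tp.trusted(peer) {
		return host // untrusted peer: headers are not believed
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		xff = r.Header.Get("X-Real-IP")
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return host // missing or malformed hop: fall back to the peer
		}
		if !tp.trusted(ip) {
			return ip.String()
		}
	}
	return host // every hop is a trusted proxy: fall back to the peer
}
```

The rightmost hop that is not itself a trusted proxy is the one the last trusted proxy observed, so values a client prepends to the chain never win.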
@@ -2,7 +2,10 @@
// These are pure data definitions with no external dependencies.
package model
import "time"
import (
"fmt"
"time"
)
// AccountType distinguishes human interactive accounts from non-interactive
// service accounts.
@@ -43,6 +46,33 @@ type Account struct {
TOTPRequired bool `json:"totp_required"`
}
// Allowlisted role names (DEF-10).
// Only these strings may be stored in account_roles. Extending the set of
// valid roles requires a code change, ensuring that typos such as "admim"
// are caught at grant time rather than silently creating a useless role.
const (
RoleAdmin = "admin"
RoleUser = "user"
)
// allowedRoles is the compile-time set of recognised role names.
var allowedRoles = map[string]struct{}{
RoleAdmin: {},
RoleUser: {},
}
// ValidateRole returns nil if role is an allowlisted role name, or an error
// describing the problem. Call this before writing to account_roles.
//
// Security (DEF-10): prevents admins from accidentally creating unmatchable
// roles (e.g. "admim") by enforcing a compile-time allowlist.
func ValidateRole(role string) error {
if _, ok := allowedRoles[role]; !ok {
return fmt.Errorf("model: unknown role %q; allowed roles: admin, user", role)
}
return nil
}
|
|
|
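Review bot: the error message in ValidateRole hardcodes `allowed roles: admin, user`, which goes stale the moment a third constant is added to allowedRoles; build the list from the map keys (sorted, for stable output) or from the constants so the message and the allowlist cannot drift apart. The doc comments also call allowedRoles a "compile-time allowlist", but a package-level `var` map is populated at init time and can be mutated by anything in the package; a `switch role { case RoleAdmin, RoleUser: return nil }` is genuinely fixed at compile time and removes the map. Finally, nothing in this hunk calls ValidateRole while its comment says "Call this before writing to account_roles", so confirm the grant path in the store layer actually invokes it, otherwise the allowlist is advisory only.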