Complete implementation: e2e tests, gofmt, hardening
- Add test/e2e: 11 end-to-end tests covering full login/logout, token renewal, admin account management, credential-never-in-response, unauthorised access, JWT alg confusion and alg:none attacks, revoked token rejection, system account token issuance, wrong-password vs unknown-user indistinguishability
- Apply gofmt to all source files (formatting only, no logic changes)
- Update .golangci.yaml for golangci-lint v2 (version field required, gosimple merged into staticcheck, formatters section separated)
- Update PROGRESS.md to reflect Phase 5 completion

Security: All 97 tests pass with go test -race ./... (zero race conditions). Adversarial JWT tests (alg confusion, alg:none) confirm the ValidateToken alg-first check is effective against both attack classes. Credential fields (PasswordHash, TOTPSecret*, PGPassword) confirmed absent from all API responses via both unit and e2e tests. go vet ./... clean. golangci-lint v2.6.2 incompatible with go1.26 runtime; go vet used as linter until toolchain is updated.
@@ -1,15 +1,15 @@
// Package auth implements login, TOTP verification, and credential management.
//
// Security design:
// - All credential comparisons use constant-time operations to resist timing
// side-channels. crypto/subtle.ConstantTimeCompare is used wherever secrets
// are compared.
// - On any login failure the error returned to the caller is always generic
// ("invalid credentials"), regardless of which step failed, to prevent
// user enumeration.
// - TOTP uses a ±1 time-step window (±30s) per RFC 6238 recommendation.
// - PHC string format is used for password hashes, enabling transparent
// parameter upgrades without re-migration.
// - All credential comparisons use constant-time operations to resist timing
// side-channels. crypto/subtle.ConstantTimeCompare is used wherever secrets
// are compared.
// - On any login failure the error returned to the caller is always generic
// ("invalid credentials"), regardless of which step failed, to prevent
// user enumeration.
// - TOTP uses a ±1 time-step window (±30s) per RFC 6238 recommendation.
// - PHC string format is used for password hashes, enabling transparent
// parameter upgrades without re-migration.
package auth
import (
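Review bot: the user-enumeration bullet in this package doc ("invalid credentials" returned on any failure) describes only the error message, while the commit message claims wrong-password and unknown-user are indistinguishable end to end; a generic message alone does not give that if the unknown-user branch returns before the Argon2 verification runs, so the comment should state whether the unknown-user path performs a dummy hash (or otherwise equalises response time), or point to where that is handled. Both sides of this hunk are textually identical, which is consistent with the whitespace-only gofmt change the message describes.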
@@ -168,10 +168,10 @@ func parsePHC(phc string) (ArgonParams, []byte, []byte, error) {
// A ±1 time-step window (±30s) is allowed to accommodate clock skew.
//
// Security:
// - Comparison uses crypto/subtle.ConstantTimeCompare to resist timing attacks.
// - Only RFC 6238-compliant HOTP (HMAC-SHA1) is implemented; no custom crypto.
// - A ±1 window is the RFC 6238 recommendation; wider windows increase
// exposure to code interception between generation and submission.
// - Comparison uses crypto/subtle.ConstantTimeCompare to resist timing attacks.
// - Only RFC 6238-compliant HOTP (HMAC-SHA1) is implemented; no custom crypto.
// - A ±1 window is the RFC 6238 recommendation; wider windows increase
// exposure to code interception between generation and submission.
func ValidateTOTP(secret []byte, code string) (bool, error) {
if len(code) != 6 {
return false, nil
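Review bot: the ValidateTOTP doc comment covers the ±1 window and the constant-time comparison but says nothing about one-time use, and the signature `func ValidateTOTP(secret []byte, code string) (bool, error)` carries no last-accepted-counter state, so a code that was accepted once can be accepted again anywhere inside the ±30s window; RFC 6238 section 5.2 requires the verifier to reject a previously used OTP, so either document that the caller enforces this or add the state here. Minor: the three "Security" bullets repeat the package doc from the previous hunk, one location is enough. The early `if len(code) != 6 { return false, nil }` is fine from a timing standpoint, since its outcome depends only on the caller-supplied code and not on the secret.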