kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7e5fc9f111b4cbdabee6d8c484a155a914bace1a
mcias/clients
History
Kyle Isom 8545473703 Fix SEC-01: require password for TOTP enroll 
- REST handleTOTPEnroll now requires password field in request body
- gRPC EnrollTOTP updated with password field in proto message
- Both handlers check lockout status and record failures on bad password
- Updated Go, Python, and Rust client libraries to pass password
- Updated OpenAPI specs with new requestBody schema
- Added TestTOTPEnrollRequiresPassword with no-password, wrong-password,
  and correct-password sub-tests

Security: TOTP enrollment now requires the current password to prevent
session-theft escalation to persistent account takeover. Lockout and
failure recording use the same Argon2id constant-time path as login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 00:48:31 -07:00
..
go
Fix SEC-01: require password for TOTP enroll
2026-03-13 00:48:31 -07:00
lisp
Implement Phase 9: client libraries (Go, Rust, Lisp, Python)
2026-03-11 16:38:32 -07:00
python
Fix SEC-01: require password for TOTP enroll
2026-03-13 00:48:31 -07:00
rust
Fix SEC-01: require password for TOTP enroll
2026-03-13 00:48:31 -07:00
testdata
Implement Phase 9: client libraries (Go, Rust, Lisp, Python)
2026-03-11 16:38:32 -07:00
README.md
Implement Phase 9: client libraries (Go, Rust, Lisp, Python)
2026-03-11 16:38:32 -07:00

README.md

This directory contains client libraries for the MCIAS REST API. All language implementations expose this API:

Client(server_url, [ca_cert_path], [token])
login(username, password, [totp_code]) → (token, expires_at)
logout() → void
renew_token() → (token, expires_at)
validate_token(token) → {valid, sub, roles, expires_at}
get_public_key() → {kty, crv, x}
health() → void  # raises/errors on 5xx
create_account(username, account_type, [password]) → account
list_accounts() → [account]
get_account(id) → account
update_account(id, [status]) → account
delete_account(id) → void
get_roles(account_id) → [role]
set_roles(account_id, roles) → void
issue_service_token(account_id) → (token, expires_at)
revoke_token(jti) → void
get_pg_creds(account_id) → pg_creds
set_pg_creds(account_id, host, port, database, username, password) → void
Name HTTP Status Meaning
MciasAuthError 401 Token missing, invalid, or expired
MciasForbiddenError 403 Insufficient role
MciasNotFoundError 404 Resource does not exist
MciasInputError 400 Malformed request
MciasConflictError 409 Conflict (e.g. duplicate username)
MciasServerError 5xx Unexpected server error
testdata/ contains canonical JSON response fixtures shared across language tests.
  • go/ — Go module git.wntrmute.dev/kyle/mcias/clients/go
  • rust/ — Rust crate mcias-client
  • lisp/ — ASDF system mcias-client
  • python/ — Python package mcias_client
Reference in New Issue View Git Blame Copy Permalink