Kyle Isom
1121b7d4fd
- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
44 lines
1.2 KiB
Plaintext
44 lines
1.2 KiB
Plaintext
# mcias-dev.conf — Local development configuration for mciassrv
|
|
#
|
|
# Suitable for running mciassrv on a developer workstation.
|
|
# DO NOT use this configuration in production:
|
|
# - Tokens expire quickly (for rapid test iteration).
|
|
# - The master key passphrase is trivial.
|
|
# - TLS paths point to local self-signed certificates.
|
|
#
|
|
# Generate a self-signed certificate for local development:
|
|
# openssl req -x509 -newkey ed25519 -days 365 \
|
|
# -keyout /tmp/mcias-dev.key -out /tmp/mcias-dev.crt \
|
|
# -subj "/CN=localhost" -nodes
|
|
#
|
|
# Set the master passphrase:
|
|
# export MCIAS_MASTER_PASSPHRASE=devpassphrase
|
|
#
|
|
# Start the server:
|
|
# mciassrv -config /path/to/mcias-dev.toml
|
|
|
|
[server]
|
|
listen_addr = "127.0.0.1:8443"
|
|
grpc_addr = "127.0.0.1:9443"
|
|
tls_cert = "/tmp/mcias-dev.crt"
|
|
tls_key = "/tmp/mcias-dev.key"
|
|
# trusted_proxy not set — direct local development, no reverse proxy.
|
|
|
|
[database]
|
|
path = "/tmp/mcias-dev.db"
|
|
|
|
[tokens]
|
|
issuer = "https://localhost:8443"
|
|
default_expiry = "1h"
|
|
admin_expiry = "30m"
|
|
service_expiry = "24h"
|
|
|
|
[argon2]
|
|
# OWASP minimums maintained even in dev; do not reduce further.
|
|
time = 2
|
|
memory = 65536
|
|
threads = 4
|
|
|
|
[master_key]
|
|
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
|