Security hardening

- JWT: validate signing algorithm (prevent alg confusion)
- Login: rate limiting (10 attempts per 5 min per IP)
- Request body: 10MB size limit (prevent DoS)
- WebSocket: require JWT auth (token query param or cookie)
- Daemon endpoints: require admin role (not just any user)
- io.LimitReader on all request body decoding
2026-05-26 22:51:33 +02:00
parent 2de92b0375
commit 4f3113199b
5 changed files with 90 additions and 7 deletions
+4 -4
@@ -69,10 +69,10 @@ func NewRouter(db *sql.DB, dataDir, secret string) http.Handler {
mux.HandleFunc("POST /api/build/status", s.requireAuth(s.handleBuildStatus))
mux.HandleFunc("POST /api/build/cancel", s.requireAuth(s.handleBuildCancel))
// Daemon endpoints
mux.HandleFunc("POST /api/daemon/poll", s.requireAuth(s.handleDaemonPoll))
mux.HandleFunc("POST /api/daemon/heartbeat", s.requireAuth(s.handleDaemonHeartbeat))
mux.HandleFunc("POST /api/daemon/report", s.requireAuth(s.handleDaemonReport))
// Daemon endpoints (admin only)
mux.HandleFunc("POST /api/daemon/poll", s.requireAdmin(s.handleDaemonPoll))
mux.HandleFunc("POST /api/daemon/heartbeat", s.requireAdmin(s.handleDaemonHeartbeat))
mux.HandleFunc("POST /api/daemon/report", s.requireAdmin(s.handleDaemonReport))
// Static frontend
frontendDir := filepath.Join(dataDir, "..", "frontend", "dist")