anders-pub/markdown-hub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security hardening

Browse Source 
- JWT: validate signing algorithm (prevent alg confusion)
- Login: rate limiting (10 attempts per 5 min per IP)
- Request body: 10MB size limit (prevent DoS)
- WebSocket: require JWT auth (token query param or cookie)
- Daemon endpoints: require admin role (not just any user)
- io.LimitReader on all request body decoding
This commit is contained in:
Anders Holck
2026-05-26 22:51:33 +02:00
parent 2de92b0375
commit 4f3113199b
5 changed files with 90 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/auth.go
+4
View File
@@ -1,6 +1,7 @@
package auth
import (
"fmt"
"time"
"github.com/golang-jwt/jwt/v5"
@@ -28,6 +29,9 @@ func CreateToken(userID string, isAdmin bool, secret string) (string, error) {
func ValidateToken(tokenStr, secret string) (userID string, isAdmin bool, err error) {
token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (interface{}, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method")
}
return []byte(secret), nil
})
if err != nil || !token.Valid {