Skip to content

fix(auth): enforce password bounds, key expiry, and exact node-host binding#3081

Open
xilosada wants to merge 1 commit into
masterfrom
auth-hardening
Open

fix(auth): enforce password bounds, key expiry, and exact node-host binding#3081
xilosada wants to merge 1 commit into
masterfrom
auth-hardening

Conversation

@xilosada

Copy link
Copy Markdown
Member

What

  • Enforces the configured min/max password length; derives the key id with a salted KDF instead of an unsalted hash.
  • Adds key expiry (expires_at); a key past its expiry is treated as invalid (absent expiry means non-expiring, preserving existing keys).
  • Node binding uses an exact host comparison and fails closed when the request carries no host/origin.

Independent of the other auth PRs.

Tests

cargo test -p mero-auth green (86 passed).

- enforce the configured min/max password length; derive the key id with a
  salted KDF instead of an unsalted hash
- add key expiry (expires_at); a key past its expiry is treated as invalid
  (absent expiry means non-expiring, preserving existing keys)
- node binding uses an exact host comparison and fails closed when the request
  carries no host/origin
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

This pull request has been automatically marked as stale. If this pull request is still relevant, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize reviewing it yet. Your contribution is very much appreciated.

@github-actions github-actions Bot added the Stale label Jul 8, 2026
@frdomovic frdomovic changed the title auth: enforce password bounds, key expiry, and exact node-host binding fix(auth): enforce password bounds, key expiry, and exact node-host binding Jul 13, 2026
@frdomovic

Copy link
Copy Markdown
Member

bump — still relevant. Closes security-review items 4 (salted-KDF key id), 17 (password bounds), 18 (key expiry), and 7/20 (exact node-host binding, fail-closed). Independent off master. Note: overlaps user_password.rs with #3221 (bootstrap-secret) — trivial rebase whichever lands first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants