fix: resolve 20 security vulnerabilities from comprehensive audit
Critical (1-3): - Replace hardcoded admin credentials with secure auto-generation (seed.py) - Enforce SECRET_KEY configuration, fail in production if missing (config.py) - Add Zip Slip and Zip Bomb protection to all ZIP import services High/Medium (4-9): - Add 50MB file size limit and extension whitelist to evidence uploads - Configure CORS origins via environment variable instead of hardcoded - Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend) - Add rate limiting (5/min) on login endpoint via slowapi - Replace generic dict payloads with Pydantic schemas (mass assignment) Medium (10-17): - Check is_active on login to prevent disabled users from authenticating - Sanitize exception messages in API responses (system, data_sources) - Escape LIKE wildcards in all ilike search filters across 8 routers - Run Docker container as non-root user (appuser) - Make MINIO_SECURE configurable via environment variable - Add password complexity policy (12+ chars, upper/lower/digit/special) - Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min - Replace xml.etree with defusedxml to prevent Billion Laughs attacks Low (18-20): - Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.) - Disable Swagger UI/ReDoc/OpenAPI in production - Restrict /health endpoint to internal networks via Nginx ACL Also: rewrite install.sh as interactive wizard for guided deployment, fix test-from-template validation error (technique_id UUID vs MITRE ID)
This commit is contained in:
@@ -1,25 +1,32 @@
|
||||
import client from "./client";
|
||||
import type { User } from "../types/models";
|
||||
|
||||
interface TokenResponse {
|
||||
access_token: string;
|
||||
token_type: string;
|
||||
}
|
||||
|
||||
/** Authenticate and return the access token. */
|
||||
/**
|
||||
* Authenticate the user.
|
||||
*
|
||||
* The backend sets an HttpOnly cookie with the JWT — no token is stored
|
||||
* in JavaScript memory or localStorage.
|
||||
*/
|
||||
export async function login(
|
||||
username: string,
|
||||
password: string,
|
||||
): Promise<string> {
|
||||
): Promise<void> {
|
||||
const params = new URLSearchParams();
|
||||
params.append("username", username);
|
||||
params.append("password", password);
|
||||
|
||||
const { data } = await client.post<TokenResponse>("/auth/login", params, {
|
||||
await client.post("/auth/login", params, {
|
||||
headers: { "Content-Type": "application/x-www-form-urlencoded" },
|
||||
});
|
||||
}
|
||||
|
||||
return data.access_token;
|
||||
/** Clear the authentication cookie on the server. */
|
||||
export async function logout(): Promise<void> {
|
||||
try {
|
||||
await client.post("/auth/logout");
|
||||
} catch {
|
||||
// Best-effort — the cookie will expire anyway
|
||||
}
|
||||
}
|
||||
|
||||
/** Fetch the currently authenticated user profile. */
|
||||
|
||||
Reference in New Issue
Block a user