fix: resolve 20 security vulnerabilities from comprehensive audit
Critical (1-3): - Replace hardcoded admin credentials with secure auto-generation (seed.py) - Enforce SECRET_KEY configuration, fail in production if missing (config.py) - Add Zip Slip and Zip Bomb protection to all ZIP import services High/Medium (4-9): - Add 50MB file size limit and extension whitelist to evidence uploads - Configure CORS origins via environment variable instead of hardcoded - Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend) - Add rate limiting (5/min) on login endpoint via slowapi - Replace generic dict payloads with Pydantic schemas (mass assignment) Medium (10-17): - Check is_active on login to prevent disabled users from authenticating - Sanitize exception messages in API responses (system, data_sources) - Escape LIKE wildcards in all ilike search filters across 8 routers - Run Docker container as non-root user (appuser) - Make MINIO_SECURE configurable via environment variable - Add password complexity policy (12+ chars, upper/lower/digit/special) - Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min - Replace xml.etree with defusedxml to prevent Billion Laughs attacks Low (18-20): - Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.) - Disable Swagger UI/ReDoc/OpenAPI in production - Restrict /health endpoint to internal networks via Nginx ACL Also: rewrite install.sh as interactive wizard for guided deployment, fix test-from-template validation error (technique_id UUID vs MITRE ID)
This commit is contained in:
@@ -6,7 +6,11 @@ import {
|
||||
useCallback,
|
||||
type ReactNode,
|
||||
} from "react";
|
||||
import { login as apiLogin, getMe } from "../api/auth";
|
||||
import {
|
||||
login as apiLogin,
|
||||
logout as apiLogout,
|
||||
getMe,
|
||||
} from "../api/auth";
|
||||
import type { User } from "../types/models";
|
||||
|
||||
/* ── Context shape ────────────────────────────────────────────────── */
|
||||
@@ -27,29 +31,25 @@ export function AuthProvider({ children }: { children: ReactNode }) {
|
||||
const [user, setUser] = useState<User | null>(null);
|
||||
const [isLoading, setIsLoading] = useState(true);
|
||||
|
||||
// On mount — check for a persisted token and hydrate the user
|
||||
// On mount — try to hydrate the user from the existing HttpOnly cookie.
|
||||
// If no valid cookie exists the /auth/me call will 401 and we stay
|
||||
// unauthenticated — no localStorage involved.
|
||||
useEffect(() => {
|
||||
const token = localStorage.getItem("token");
|
||||
if (!token) {
|
||||
setIsLoading(false);
|
||||
return;
|
||||
}
|
||||
|
||||
getMe()
|
||||
.then(setUser)
|
||||
.catch(() => localStorage.removeItem("token"))
|
||||
.catch(() => setUser(null))
|
||||
.finally(() => setIsLoading(false));
|
||||
}, []);
|
||||
|
||||
const login = useCallback(async (username: string, password: string) => {
|
||||
const token = await apiLogin(username, password);
|
||||
localStorage.setItem("token", token);
|
||||
// The backend sets the HttpOnly cookie automatically
|
||||
await apiLogin(username, password);
|
||||
const me = await getMe();
|
||||
setUser(me);
|
||||
}, []);
|
||||
|
||||
const logout = useCallback(() => {
|
||||
localStorage.removeItem("token");
|
||||
const logout = useCallback(async () => {
|
||||
await apiLogout();
|
||||
setUser(null);
|
||||
}, []);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user