mirror of
https://github.com/pocketpaw/pocketpaw.git
synced 2026-05-19 00:17:08 +00:00
Remove /api/qr and /api/v1/qr from exempt_paths in auth middleware so the QR endpoint can no longer be hit without a valid session.

Previously any network-reachable client could GET /api/qr, decode the PNG, and extract a fully valid 1-hour session token — a complete auth bypass (OWASP A01 — Broken Access Control).

Changes:
- Remove /api/qr and /api/v1/qr from exempt_paths in dashboard_auth.py
- Reduce QR pairing token TTL from 1 hour to 60 seconds
- Add ttl_seconds param to create_session_token() for short-lived tokens
- Add audit log event on QR code generation
- Update v1 QR endpoint (/api/v1/auth.py) with matching fix
- Update tests: unauthenticated /api/qr now returns 401
- Update docs to reflect auth requirement

Fixes #854