lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
195 Commits 4 Branches 109 Tags
Commit Graph

4 Commits

Author SHA1 Message Date
Dorian
4995dc2656 feat: add per-endpoint rate limiting for sensitive operations (PENTEST-04) 
New EndpointRateLimiter in session.rs tracks requests per (method, IP)
with configurable limits and time windows:

Financial operations (5 req/5min):
- wallet.send, lnd.sendcoins, lnd.payinvoice, lnd.create-psbt,
  lnd.finalize-psbt, wallet.ecash-send

Channel operations (3 req/5min):
- lnd.openchannel, lnd.closechannel

Backup operations (2-3 req/10min):
- backup.create, backup.restore

Container/package installs (5 req/5min):
- container-install, package.install

System operations (2 req/5min):
- system.reboot, system.shutdown, update.apply

Identity/auth (3-10 req/5min):
- identity.create, identity.issue-credential, auth.changePassword

Returns HTTP 429 with Retry-After header when limits exceeded.
Verified on live server: auth.changePassword blocks at 4th request,
lnd.sendcoins blocks at 6th request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-11 14:46:25 +00:00
Dorian
615ce4f939 test: add auth and session unit tests (20 test cases) 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 23:54:14 +00:00
Dorian
e55fd3baf0 feat: add TOTP 2FA, API key switcher, login progress bar, and alpha hardening plan 
- TOTP 2FA: full setup/confirm/disable/login flow with Argon2id + ChaCha20-Poly1305
  encrypted secret storage, QR code generation, and bcrypt-hashed backup codes
- API key switcher: OAuth vs personal API key toggle in AIUI chat settings with
  status indicator, key validation, and help text
- Login progress bar: server startup detection with health check polling, form
  disabled until server is ready
- AI quarantine docs: comprehensive HTML page documenting all 6 security layers
- Settings: AI Data Access permission toggles with per-category control
- Alpha hardening plan: 28-task overnight automation plan across 7 phases
  (onboarding, login, app install, AIUI, UI polish, security, ISO build)
- Backlog: node discovery spatial map feature for alpha demo

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 12:23:57 +00:00
Dorian
6656d2f1d9 fix: implement 22 security pentest remediation fixes 
Server-side session management with SHA-256 hashed tokens and HttpOnly
cookies. Auth middleware gating all RPC/WS/proxy routes with method
allowlist. Login rate limiting (5/60s per IP). CORS restricted to
config origin. Docker registry allowlist. App ID and path validation.
P2P message sanitization (HTML + log injection). Onion address and
known-peer validation. Nginx security headers (CSP, X-Frame-Options,
etc.) and AIUI proxy auth. Systemd hardening (non-root, NoNewPrivileges,
ProtectSystem).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 03:26:56 +00:00