lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/loop/pentest/analysis/auth.md
Dorian 870ff095d8 feat: rootless podman, session hardening, boot stability, sidebar fix 
Rootless podman migration (TASK-11):
- Remove sudo from all podman calls in PodmanClient + 8 backend files
- Remove sudo from all podman/docker calls in deploy script
- Restore full systemd security hardening: NoNewPrivileges,
  RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime,
  RestrictNamespaces, RestrictSUIDSGID, SystemCallFilter, ProtectSystem=strict
- Enable loginctl linger for rootless container persistence
- Remove Ollama from auto-deploy (marketplace-only)

Session & auth hardening:
- Increase MAX_CONCURRENT_SESSIONS 20→50 (prevents eviction storms)
- Debounced 401 redirect in rpc-client.ts (prevents redirect storms)

Boot stability:
- optimize-debian.sh: adds chrony, swap, removes policy-rc.d
- deploy script: pre-restart chrony + swap setup
- ISO build: chrony package, swap file creation
- BootScreen: no longer clears localStorage (prevents splash replay)
- RootRedirect: sole owner of localStorage clearing on server ready

UI fixes:
- Sidebar opacity default changed from 0→visible (fixes missing sidebar
  after page-persistence login without entrance animation)
- Console.log/error wrapped in import.meta.env.DEV guards
- Remove unused route import from RootRedirect

Beta tracking:
- CLAUDE.md: beta freeze protocol added
- MASTER_PLAN.md: TASK-11, TASK-17, phase structure
- BETA-PROGRESS.md: initial tracking doc
- Tagged v1.2.0-alpha.1 as pre-rootless baseline

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 13:53:27 +00:00

1.8 KiB
Raw Blame History

Authentication & Authorization Assessment Complete

15 findings identified across the Archipelago auth surface. Here's the breakdown:

Critical (P0) — Fix immediately

  • AUTH-001: Production systemd service has ARCHIPELAGO_DEV_MODE=truepassword123 is a valid login credential and Secure cookie flags are disabled
  • AUTH-002: /lnd-connect-info exposes the full LND admin macaroon (Lightning node control) without any authentication, with CORS: *
  • AUTH-011: Nginx AIUI proxy only checks $cookie_session != "" — any non-empty string bypasses auth to the Claude/OpenRouter API proxies

High (P1) — Fix before beta

  • AUTH-003: remember cookie (30-day TTL) not cleared on logout — stolen token auto-restores sessions indefinitely
  • AUTH-004: CSRF validation explicitly skipped on remember-me session auto-restore — enables single-request CSRF attacks
  • AUTH-007/008: Federation peer-joined and peer-address-changed accept arbitrary DIDs without cryptographic proof — attacker can inject fake trusted peers or redirect peer traffic

Medium (P2)

  • AUTH-005: Rate limit bypass via X-Real-IP spoofing on direct port 5678 access
  • AUTH-006: /content leaks file catalog (names, sizes, UUIDs) without auth
  • AUTH-009: federation.get-state leaks installed apps/versions without auth
  • AUTH-010: backup.restore-identity can overwrite node identity even after setup

Positives

Session management is otherwise solid: 256-bit tokens, SHA256 server-side storage, bcrypt passwords, TOTP with Argon2id+ChaCha20 three-layer encryption, proper session rotation, and replay protection. The core auth architecture is good — these are mostly configuration issues and missing auth checks on specific endpoints.

Full report written to loop/pentest/analysis/auth.md.