fix: harden login for MLPS requirements
This commit is contained in:
@@ -94,8 +94,21 @@ func main() {
|
||||
|
||||
auditSvc := app.NewAuditService(auditsRepo, logger).WithIPRegionResolver(ipRegionResolver)
|
||||
issuer := app.NewTokenIssuer(cfg.JWT.Secret, cfg.JWT.AccessTTL)
|
||||
var passwordCipher *sharedauth.PasswordCipher
|
||||
if cfg.Auth.PasswordCipher.Enabled {
|
||||
if cfg.Auth.PasswordCipher.PrivateKeyPEM == "" {
|
||||
passwordCipher, err = sharedauth.NewEphemeralPasswordCipher(cfg.Auth.PasswordCipher.KeyID)
|
||||
} else {
|
||||
passwordCipher, err = sharedauth.NewPasswordCipher(cfg.Auth.PasswordCipher.PrivateKeyPEM, cfg.Auth.PasswordCipher.KeyID)
|
||||
}
|
||||
if err != nil {
|
||||
logger.Sugar().Fatalf("ops-api init password cipher: %v", err)
|
||||
}
|
||||
} else {
|
||||
logger.Warn("ops auth password cipher disabled; login request payloads may expose plaintext passwords in browser developer tools")
|
||||
}
|
||||
loginGuard := sharedauth.NewLoginGuard(rdb, sharedauth.DefaultLoginGuardConfig("ops"))
|
||||
authSvc := app.NewAuthService(accountsRepo, auditSvc, issuer, loginGuard)
|
||||
authSvc := app.NewAuthService(accountsRepo, auditSvc, issuer, loginGuard).WithPasswordCipher(passwordCipher)
|
||||
accountSvc := app.NewAccountService(accountsRepo, auditSvc)
|
||||
tenantLoginGuard := sharedauth.NewLoginGuard(rdb, sharedauth.DefaultLoginGuardConfig("tenant"))
|
||||
adminUserSvc := app.NewAdminUserService(adminUsersRepo, auditSvc, cfg.AdminUsers.DefaultPlanCode).
|
||||
@@ -139,6 +152,7 @@ func main() {
|
||||
|
||||
transport.RegisterRoutes(transport.Deps{
|
||||
Engine: engine,
|
||||
Server: cfg.Server,
|
||||
Logger: logger,
|
||||
DB: pool,
|
||||
MonitoringDB: monitoringPool,
|
||||
|
||||
Reference in New Issue
Block a user