fix: harden login for MLPS requirements
This commit is contained in:
@@ -43,6 +43,7 @@ type App struct {
|
||||
JWT *auth.Manager
|
||||
Sessions *auth.SessionStore
|
||||
LoginGuard *auth.LoginGuard
|
||||
PasswordCipher *auth.PasswordCipher
|
||||
LLM llm.Client
|
||||
ReloadableLLM *llm.ReloadableClient
|
||||
RetrievalProvider retrieval.Provider
|
||||
@@ -116,6 +117,17 @@ func New(configPath string) (*App, error) {
|
||||
|
||||
jwtMgr := auth.NewManager(cfg.JWT.Secret, cfg.JWT.AccessTTL, cfg.JWT.RefreshTTL)
|
||||
sessions := auth.NewSessionStore(rdb)
|
||||
passwordCipher, err := buildPasswordCipher(cfg.Auth.PasswordCipher)
|
||||
if err != nil {
|
||||
pool.Close()
|
||||
monitoringPool.Close()
|
||||
_ = rdb.Close()
|
||||
_ = mqClient.Close()
|
||||
return nil, fmt.Errorf("init password cipher: %w", err)
|
||||
}
|
||||
if passwordCipher == nil {
|
||||
logger.Warn("auth password cipher disabled; login request payloads may expose plaintext passwords in browser developer tools")
|
||||
}
|
||||
loginGuardCfg := auth.DefaultLoginGuardConfig("tenant")
|
||||
loginGuardCfg.Enabled = cfg.Auth.LoginGuard.Enabled
|
||||
if !loginGuardCfg.Enabled {
|
||||
@@ -173,8 +185,14 @@ func New(configPath string) (*App, error) {
|
||||
middleware.Recovery(logger),
|
||||
middleware.RequestID(),
|
||||
middleware.Logger(logger),
|
||||
middleware.CORS(),
|
||||
)
|
||||
if cfg.Server.SecurityHeaders.Enabled {
|
||||
engine.Use(middleware.SecurityHeaders())
|
||||
}
|
||||
engine.Use(middleware.CORSWithConfig(middleware.CORSConfig{
|
||||
AllowedOrigins: cfg.Server.AllowedOrigins,
|
||||
AllowAll: len(cfg.Server.AllowedOrigins) == 0,
|
||||
}))
|
||||
|
||||
engine.GET("/api/health/live", func(c *gin.Context) {
|
||||
response.Success(c, gin.H{"status": "alive"})
|
||||
@@ -210,6 +228,7 @@ func New(configPath string) (*App, error) {
|
||||
JWT: jwtMgr,
|
||||
Sessions: sessions,
|
||||
LoginGuard: loginGuard,
|
||||
PasswordCipher: passwordCipher,
|
||||
LLM: llmClient,
|
||||
ReloadableLLM: llmClient,
|
||||
RetrievalProvider: retrievalProvider,
|
||||
@@ -237,6 +256,16 @@ func New(configPath string) (*App, error) {
|
||||
}, nil
|
||||
}
|
||||
|
||||
func buildPasswordCipher(cfg config.PasswordCipherConfig) (*auth.PasswordCipher, error) {
|
||||
if !cfg.Enabled {
|
||||
return nil, nil
|
||||
}
|
||||
if cfg.PrivateKeyPEM == "" {
|
||||
return auth.NewEphemeralPasswordCipher(cfg.KeyID)
|
||||
}
|
||||
return auth.NewPasswordCipher(cfg.PrivateKeyPEM, cfg.KeyID)
|
||||
}
|
||||
|
||||
func (a *App) Config() *config.Config {
|
||||
if a == nil || a.ConfigStore == nil {
|
||||
return nil
|
||||
|
||||
Reference in New Issue
Block a user