Skip to content

Auth hardening + Terms acceptance and public info pages#45

Open
matthew-demidoff wants to merge 4 commits into
masterfrom
auth-hardening-and-terms-acceptance
Open

Auth hardening + Terms acceptance and public info pages#45
matthew-demidoff wants to merge 4 commits into
masterfrom
auth-hardening-and-terms-acceptance

Conversation

@matthew-demidoff

Copy link
Copy Markdown
Collaborator

Security

  • Reject banned users on the Telegram login callback, and exclude banned users at session resolution. A banned account whose Telegram stayed linked could otherwise mint a fresh session and re-enter every page and server action.
  • Route passkey registration and Telegram relink through requireUser, so banned or restricted accounts cannot mutate auth credentials.
  • Issue independent API key and OAuth client secret per app. Previously one secret backed both surfaces, so leaking one compromised both and rotating the OAuth secret left the old API key valid.

Terms acceptance + public info pages

  • Sign-up now requires accepting the Terms of Service, Privacy Policy, and Rules. Acceptance time and version are recorded per account (migration 025_terms_acceptance).
  • New public pages under app/(info): /docs, /faq, /terms, /privacy, /rules. FAQ moved out of the authenticated area; landing page repointed to the public URLs.

Verification

  • tsc clean; 166 unit tests pass (added a banned-callback regression test and terms-acceptance validation coverage); next build succeeds.
  • Integration suites run in CI (no local DB).

Migration 025 is additive and idempotent and applies automatically at app container boot.

The login-widget callback minted a session straight from a Telegram-signed payload without checking account status, and findSessionByToken did not exclude banned users, so a banned account whose Telegram stayed linked could re-enter every page and server action. Check status and the telegram_id ban on the callback, and exclude banned users at session resolution.
…nd relink

These routes used a raw session lookup that skipped the requireUser gate, letting a banned or restricted account add a passkey or change its Telegram link. Route them through requireUser.
New apps and DCR approvals stored one secret hash in both api_key_hash and oauth_client_secret_hash, so leaking one credential compromised both surfaces and rotating the OAuth secret left the old API key valid. Issue independent secrets; bearer-only apps now store a null OAuth secret.
… pages

Registration now requires accepting the Terms, Privacy Policy, and Rules; acceptance time and version are recorded per account (migration 025). Add public /docs, /faq, /terms, /privacy, /rules pages under app/(info), move FAQ out of the authenticated area, and point the landing page at the public URLs.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant