Skip to content

Harden browser password and API request handling#228

Merged
coder13 merged 2 commits into
masterfrom
agent/codeql-high-security
Jul 14, 2026
Merged

Harden browser password and API request handling#228
coder13 merged 2 commits into
masterfrom
agent/codeql-high-security

Conversation

@coder13

@coder13 coder13 commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Scope\n\nTargets the password persistence, API/social rate-limit, and CSRF findings from #226.\n\n- replaces persistent private-room password storage with tab-memory-only storage and removes legacy browser keys;\n- adds express-rate-limit 8.5.2 to the API and every social router;\n- adds session-bound CSRF token verification with lusca 1.7.0 (the middleware recognized by this repository’s CodeQL version), automatic client token handling, and POST-only logout;\n- includes focused regression coverage for password migration, CSRF enforcement, request limiting, and client token propagation.\n\nlusca is a CodeQL-compatible legacy dependency, not a maintained-library endorsement. #227 tracks reassessment and migration to a maintained CSRF library once CodeQL support permits it. The legacy logout redirect is removed as a necessary part of the CSRF POST flow. Remaining CodeQL categories are tracked in #227.\n\n## Verification\n\n- yarn workspace letscube-server test --runInBand (38 suites, 205 tests)\n- yarn workspace letscube-client test --runInBand --runTestsByPath src/lib/fetch.test.js src/store/room/roomPasswordStorage.test.js src/store/middlewares/rooms.test.js (3 suites, 30 tests)\n- yarn workspace letscube-server lint (passes with 4 existing warnings)\n- yarn workspace letscube-client lint\n- yarn install --frozen-lockfile\n\nRelated production rollout: #176.

Keep private-room passwords out of persistent browser storage, enforce CSRF tokens for unsafe requests, and rate-limit the API and social routers to close the targeted CodeQL findings.

beforeEach((done) => {
const app = express();
app.use(session({ resave: false, saveUninitialized: false, secret: 'test-secret' }));
Fetch a session-bound token before Cypress issues state-changing API or authentication requests.
@coder13
coder13 marked this pull request as ready for review July 14, 2026 02:20
@coder13
coder13 merged commit 7bbbacb into master Jul 14, 2026
9 checks passed
@coder13
coder13 deleted the agent/codeql-high-security branch July 14, 2026 02:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants