
Commit 19e3c63

Userclaude
andcommitted
Address security concerns and PR review feedback
Security improvements: - Implement OAuth CSRF protection with secure state parameter management - Add proper validation and expiration for OAuth state tokens - Add security warnings for SECRET_KEY configuration in production - Sanitize database error logging to prevent sensitive info exposure Code quality fixes: - Fix missing import for get_user function in refresh endpoint - Fix async/await usage in get_current_user_optional - Standardize is_active default value to True across models - Add security documentation for shell=True usage - Update Alembic config to clarify placeholder database URL 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
1 parent f812bf7 commit 19e3c63


10 files changed

+396
-45
lines changed


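--- a/backend/alembic.ini
+++ b/backend/alembic.ini
@@ -35,8 +35,10 @@ sourceless = false
 # are written from script.py.mako
 output_encoding = utf-8
 
-# Database connection string (overridden by env.py)
-sqlalchemy.url = postgresql://postgres:postgres@localhost:5432/copilot
+# Database connection string
+# IMPORTANT: This value is overridden by env.py which uses the database URL from environment variables
+# The value below is just a placeholder and should NOT contain production credentials
+sqlalchemy.url = postgresql://user:pass@localhost/dbname
 
 # Logging configuration
 [loggers]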
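Review bot: The new placeholder is still a syntactically valid DSN, so if the env.py override ever fails to apply (environment variable unset, env.py not picking up the config) Alembic would silently attempt `user:pass@localhost/dbname` instead of failing fast; the comment says env.py overrides it, but it would be safer for env.py to raise when the environment URL is missing rather than fall through to this value. The removed value `postgres:postgres@localhost:5432/copilot` remains in git history, so if it ever matched a reachable deployment that credential should be treated as exposed and rotated. Whether env.py actually raises on a missing variable cannot be seen from this page.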
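--- /dev/null
+++ b/[migration file path not shown on page]
@@ -0,0 +1,48 @@
+"""add_oauth_state_table_for_csrf_protection
+
+Revision ID: 87ddaa4fab90
+Revises: 1a31ce608336
+Create Date: 2025-05-26 13:43:36.423557+00:00
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel.sql.sqltypes
+from sqlalchemy.dialects import postgresql
+
+
+# revision identifiers, used by Alembic.
+revision = '87ddaa4fab90'
+down_revision = '1a31ce608336'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Create oauth_state table
+    op.create_table(
+        'oauthstate',
+        sa.Column('state_token', sa.String(), nullable=False),
+        sa.Column('provider', sa.String(length=50), nullable=False),
+        sa.Column('redirect_uri', sa.String(length=500), nullable=False),
+        sa.Column('expires_at', sa.DateTime(timezone=True), nullable=False),
+        sa.Column('used', sa.Boolean(), nullable=False, server_default='false'),
+        sa.Column('id', sa.UUID(), nullable=False),
+        sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+        sa.PrimaryKeyConstraint('id')
+    )
+
+    # Create indexes
+    op.create_index(op.f('ix_oauthstate_state_token'), 'oauthstate', ['state_token'], unique=True)
+
+    # Create index for cleanup queries
+    op.create_index('ix_oauthstate_expires_at', 'oauthstate', ['expires_at'])
+
+
+def downgrade():
+    # Drop indexes
+    op.drop_index('ix_oauthstate_expires_at', table_name='oauthstate')
+    op.drop_index(op.f('ix_oauthstate_state_token'), table_name='oauthstate')
+
+    # Drop table
+    op.drop_table('oauthstate')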
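Review bot: Nothing in this migration, or elsewhere in the commit as shown, removes expired `oauthstate` rows; the "Create index for cleanup queries" comment on `ix_oauthstate_expires_at` implies a purge job, and without one every OAuth start request by an unauthenticated client leaves a permanent row, so the table's growth is attacker-controlled. The module docstring should state the row lifecycle so the next maintainer does not have to infer it, e.g. `Rows are single-use (used=true after redemption) and valid only while expires_at > now(); expired rows are purged by <cleanup job — reference to be added>`. Two smaller points: `sqlmodel.sql.sqltypes` and `postgresql` are imported but unused, and `state_token` is the only unbounded `sa.String()` column while `provider` and `redirect_uri` carry lengths — a length matching the token generator's output would be consistent with the rest of the table.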

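--- a/backend/app/api/routes/auth/auth.py
+++ b/backend/app/api/routes/auth/auth.py
@@ -10,7 +10,7 @@
 from app.db import get_db
 from app.models import User
 from app.schemas.auth import Token, UserLogin, UserRegister, UserOut, PasswordResetRequest, PasswordResetConfirm
-from app.crud import create_user, get_user_by_email, update_user
+from app.crud import create_user, get_user, get_user_by_email, update_user
 
 router = APIRouter()
 
@@ -85,7 +85,7 @@ def refresh_token(
         raise e
 
     # Get user
-    user = get_user(db, user_id=token_data["sub"])
+    user = get_user(session=db, user_id=token_data["sub"])
     if not user:
         raise HTTPException(
             status_code=status.HTTP_404_NOT_FOUND,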
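Review bot: `token_data["sub"]` is forwarded to `get_user` as `user_id` with no validation of its form; a JWT `sub` claim arrives as a string, and if `get_user` expects a UUID (the ids introduced elsewhere in this commit are `sa.UUID()`), a signed-but-malformed `sub` would surface as a database error rather than an authentication failure. Converting before the lookup, `user_id = uuid.UUID(token_data["sub"])` inside a `try/except ValueError` that raises the same credentials exception used for a bad token, keeps the failure mode at 401. Whether `get_user` performs that conversion itself cannot be seen from here. `refresh_token`'s body starts and ends outside the hunk, so the surrounding token-decoding and error handling were not reviewed.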
