Skip to content

API server security and reliability improvements #53

Description

@abtreece

Problem

The API server (apiserver/app.rb) has several security and reliability issues.

Bugs

  1. JWT exception message leaked to client (line 65): "Invalid authorization token: #{e.message}" exposes JWT library internals (algorithm mismatches, signature details). Replace with a generic "Invalid authorization token" message.

  2. Full JWT claims logged to stderr (lines 97, 102, 108): JSON.pretty_generate(claims) dumps all token claims on auth failure. This may include workflow context, branch names, and other metadata. Log only the relevant claim key and expected vs actual values.

Security

  1. JWKS cached forever (line 88): @github_jwks ||= begin...end never expires. If GitHub rotates signing keys, the server won't pick up the new keys until restarted. Add a TTL-based cache (e.g., 1 hour).

  2. Gem versions unpinned: puma and jwt have no version constraints in the Gemfile. Pin to ~> 6.4 and ~> 2.8 respectively to prevent unexpected breaking changes.

Reliability

  1. No health check endpoint: GET / returns static "ok" without verifying JWKS reachability. Add a /health endpoint that validates the server can actually authenticate requests.

  2. No request timeouts: The JWKS HTTP fetch (line 89) and system() calls (lines 20, 29, 45) can hang indefinitely. Add timeouts to prevent thread exhaustion.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions