Problem
The API server (apiserver/app.rb) has several security and reliability issues.
Bugs
-
JWT exception message leaked to client (line 65): "Invalid authorization token: #{e.message}" exposes JWT library internals (algorithm mismatches, signature details). Replace with a generic "Invalid authorization token" message.
-
Full JWT claims logged to stderr (lines 97, 102, 108): JSON.pretty_generate(claims) dumps all token claims on auth failure. This may include workflow context, branch names, and other metadata. Log only the relevant claim key and expected vs actual values.
Security
-
JWKS cached forever (line 88): @github_jwks ||= begin...end never expires. If GitHub rotates signing keys, the server won't pick up the new keys until restarted. Add a TTL-based cache (e.g., 1 hour).
-
Gem versions unpinned: puma and jwt have no version constraints in the Gemfile. Pin to ~> 6.4 and ~> 2.8 respectively to prevent unexpected breaking changes.
Reliability
-
No health check endpoint: GET / returns static "ok" without verifying JWKS reachability. Add a /health endpoint that validates the server can actually authenticate requests.
-
No request timeouts: The JWKS HTTP fetch (line 89) and system() calls (lines 20, 29, 45) can hang indefinitely. Add timeouts to prevent thread exhaustion.
Problem
The API server (
apiserver/app.rb) has several security and reliability issues.Bugs
JWT exception message leaked to client (line 65):
"Invalid authorization token: #{e.message}"exposes JWT library internals (algorithm mismatches, signature details). Replace with a generic"Invalid authorization token"message.Full JWT claims logged to stderr (lines 97, 102, 108):
JSON.pretty_generate(claims)dumps all token claims on auth failure. This may include workflow context, branch names, and other metadata. Log only the relevant claim key and expected vs actual values.Security
JWKS cached forever (line 88):
@github_jwks ||= begin...endnever expires. If GitHub rotates signing keys, the server won't pick up the new keys until restarted. Add a TTL-based cache (e.g., 1 hour).Gem versions unpinned:
pumaandjwthave no version constraints in the Gemfile. Pin to~> 6.4and~> 2.8respectively to prevent unexpected breaking changes.Reliability
No health check endpoint:
GET /returns static"ok"without verifying JWKS reachability. Add a/healthendpoint that validates the server can actually authenticate requests.No request timeouts: The JWKS HTTP fetch (line 89) and
system()calls (lines 20, 29, 45) can hang indefinitely. Add timeouts to prevent thread exhaustion.