Fixed security issue & replication issue after refactoring of security

Istrate Andrei-Eduard · Istrate Andrei-Eduard · commit 310c52d8a6e3 · 2026-04-20T21:33:49.000+03:00
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,55 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Architectural Overview
+
+The codebase appears to be a Rust project, heavily focused on network communication, security, storage, and tokenization, suggesting an application that handles data processing, potentially involving encryption or large data structures (indicated by `zstd` dependencies).
+
+**Major Components & Interactions:**
+
+1.  **Network Layer (`src/network/`)**:
+    *   `broadcaster.rs` and `mod.rs` suggest a component responsible for broadcasting information across the system. This likely interfaces with other layers to disseminate data or state updates.
+2.  **Security Layer (`src/security/`)**:
+    *   `authentication.rs` and `mod.rs` handle user or service authentication/authorization. This layer is critical for securing interactions with storage and network components. It interacts heavily with encryption mechanisms.
+3.  **Storage Layer (`src/storage/`)**:
+    *   This is the data persistence core, featuring several modules:
+        *   `persistance.rs`: Likely handles the primary read/write operations for application data.
+        *   `engine.rs`: Suggests a core logic engine for data manipulation or state management within storage.
+        *   `subscription.rs`: Implies features related to managing subscriptions or access control over stored data.
+        *   `snapshoting.rs`: Points to functionality for creating snapshots of the storage state, crucial for backup or versioning.
+        *   `statistics.rs`: Suggests metrics collection related to storage operations.
+        *   `admin.*` (`admin.html`, `admin.rs`): Indicates an administrative interface or endpoint is present.
+4.  **Tokenizer Layer (`src/tokenizer/`)**:
+    *   `engine.rs` and `mod.rs` form a dedicated component for text processing, likely involved in data preparation, compression, or encoding before storage or transmission.
+5.  **Core / Utilities**:
+    *   The presence of `encryption.sh` and key files (`encryption.key`) indicates that cryptography is an integral part of the system's operation, likely used by the Security and Storage layers.
+    *   Files in the root like `Cargo.toml` and `.env` define project dependencies and environment configuration.
+
+**Component Interaction Flow (Hypothetical):**
+
+A typical flow might involve: A network request hits the **Network Layer**, which is validated by the **Security Layer**. If authorized, data is processed by the **Tokenizer Layer** (for encoding/compression) before being persisted via the **Storage Layer's engine**. The Storage Layer may use **Snapshotting** for state management and the Statistics module to track performance.
+
+## Common Commands
+
+### Build
+*   **Command**: `cargo build`
+*   **Notes**: Standard Rust compilation. Check `Cargo.toml` for specific target configurations or dependencies required by `zstd-sys`.
+
+### Linting
+*   **Command**: (Not explicitly found, but typically handled by `cargo clippy`)
+*   **Notes**: Check for existing linting setup in a `.cargo/config.toml` file or look for integration with Clippy via scripts in `test.sh`.
+
+### Testing
+*   **Command**: `./test.sh` (or individual tests)
+*   **Notes**: The presence of `test.sh` suggests an explicit script for running the test suite. Review files in `tests/` for component-specific test logic, especially around storage engine and network handlers.
+
+### Running Application / Stress Testing
+*   **Command**: `./stress.sh`
+*   **Notes**: This script is designated for stress testing the system, likely targeting the Storage or Network layers under heavy load. Review this script to understand the specific load profile it imposes on the system components.
+
+## Code Conventions & Specifics
+
+*   **Encryption**: Cryptographic operations are separated (via `encryption.sh` and key files), suggesting a clear separation of cryptographic concerns from business logic in storage/security modules.
+*   **Data Structures**: The presence of `zstd` related files (`zdict.h`, `zstd.h`) suggests that data serialization or compression is a significant concern, likely implemented within the Tokenizer layer or Storage persistence routines.
+*   **Administration**: The existence of `src/storage/admin.rs` and `src/storage/admin.html` indicates that system configuration or monitoring access points are designed into the storage module structure.
diff --git a/src/main.rs b/src/main.rs
@@ -93,6 +93,7 @@ async fn main() -> std::io::Result<()> {
     // (Optionally) Ensure the default table exists in memory.
     state.store.entry("default".to_string()).or_default();
     start_snapshot_task(&state);
+    
 
     // Initialize cluster data with dynamic membership.
     let mut initial_nodes = HashMap::new();
diff --git a/src/security/authentication.rs b/src/security/authentication.rs
@@ -5,6 +5,7 @@ use sha2::{Digest, Sha256};
 use hex;
 use chrono::{Utc, Duration};
 use std::collections::HashMap;
+use std::env;
 use jsonwebtoken::{encode, Header, EncodingKey};
 
 use crate::storage::engine::{get_active_nodes, get_jwt_secret, get_replication_nodes, AppState, ClusterData, VersionedValue};
@@ -36,38 +37,43 @@ pub async fn access(
 
     println!("Access request for user: {}", username);
 
-    // Internal replication requests bypass authentication
-    if req.headers().contains_key("X-Internal-Request") {
-        let provided_secret = match bincode::deserialize::<AccessToken>(&body) {
-            Ok(t) => t.secret,
-            Err(_) => return HttpResponse::BadRequest().finish(),
-        };
 
-        println!("Processing internal replication request for {}", username);
+    let cluster_secret = env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
 
-        // Simplified internal replication handling
-        let auth_table = state.store.entry("auth".to_string()).or_default();
+    // Internal replication requests - verify secret matching
+    if let Some(internal_req) = req.headers().get("X-Internal-Request") {
+        if internal_req.to_str().unwrap_or("") == cluster_secret {
+            let provided_secret = match bincode::deserialize::<AccessToken>(&body) {
+                Ok(t) => t.secret,
+                Err(_) => return HttpResponse::BadRequest().finish(),
+            };
 
-        // For internal requests, use the provided hash directly
-        let mut value_map = HashMap::new();
-        value_map.insert("secret".to_string(), json!(provided_secret));
+            println!("Processing internal replication request for {}", username);
 
-        let user_header = req.headers().get("User")
-            .and_then(|h| h.to_str().ok())
-            .unwrap_or(&username);
+            // Simplified internal replication handling
+            let auth_table = state.store.entry("auth".to_string()).or_default();
 
-        let new_rec = VersionedValue::new(value_map, String::from(user_header), current_addr.get_ref().clone());
-        auth_table.insert(username.clone(), new_rec.clone());
+            // For internal requests, use the provided hash directly
+            let mut value_map = HashMap::new();
+            value_map.insert("secret".to_string(), json!(provided_secret));
 
-        println!("Successfully replicated user: {}", username);
+            let user_header = req.headers().get("User")
+                .and_then(|h| h.to_str().ok())
+                .unwrap_or(&username);
 
-        sub_manager
-            .notify(&"auth".to_string(), &username, KeyEvent::Updated(new_rec.clone()))
-            .await;
+            let new_rec = VersionedValue::new(value_map, String::from(user_header), current_addr.get_ref().clone());
+            auth_table.insert(username.clone(), new_rec.clone());
+
+            println!("Successfully replicated user: {}", username);
 
-        return HttpResponse::Created().json(json!({
-            "status": "User replicated"
-        }));
+            sub_manager
+                .notify(&"auth".to_string(), &username, KeyEvent::Updated(new_rec.clone()))
+                .await;
+
+            return HttpResponse::Created().json(json!({
+                "status": "User replicated"
+            }));
+        }
     }
 
     // Regular authentication flow
@@ -163,10 +169,11 @@ pub async fn access(
                     println!("Sending replication request to: {}", url);
                     // Create the payload with the same structure as AccessToken
                     let payload = AccessToken { secret: secret_clone };
+                    let cluster_secret = env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
 
                     let result = client_clone
                         .post(&url)
-                        .header("X-Internal-Request", "true")
+                        .header("X-Internal-Request", cluster_secret)
                         .header("User", &username_clone)
                         .header("Content-Type", "application/octet-stream")
                         .body(bincode::serialize(&payload).unwrap())
diff --git a/src/storage/admin.rs b/src/storage/admin.rs
@@ -195,12 +195,13 @@ pub async fn admin_delete_record(
             let url = format!("http://{}/{}/key/{}", target, table_name, key_val);
             let client_clone = client.clone();
             let permit = <Arc<Semaphore> as Clone>::clone(&sem).acquire_owned().await.unwrap();
+            let cluster_secret = env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
 
             tokio::spawn(async move {
                 let _permit = permit;
                 let _ = client_clone
                     .delete(&url)
-                    .header("X-Internal-Request", "true")
+                    .header("X-Internal-Request", cluster_secret)
                     .timeout(std::time::Duration::from_secs(3))
                     .send()
                     .await;
@@ -244,8 +245,7 @@ async fn replicate_admin_change(
             let _permit = permit;
             let _ = cli
                 .put(&url)
-                .header("X-Internal-Request", "true")
-                .header("SECRET", &secret_clone)
+                .header("X-Internal-Request", &secret_clone)
                 .json(&payload)
                 .send()
                 .await;
diff --git a/src/storage/engine.rs b/src/storage/engine.rs
