Archive/screentinker

Fork 0

mirror of https://github.com/screentinker/screentinker.git synced 2026-06-17 11:42:40 -06:00

Commit graph

Author	SHA1	Message	Date
ScreenTinker	f4c5865013	fix(server): strip totp_secret_enc/totp_last_step from login responses (#100 ) Some checks are pending CI / Unit tests (node --test) (push) Waiting to run Details CI / OpenAPI spec lint (push) Waiting to run Details CI / Android unit tests (Kotlin schedule evaluator vectors) (push) Waiting to run Details CI / Boot smoke + version check (push) Waiting to run Details Review caught the encrypted TOTP secret riding in the login/verify response body: issueSession receives a SELECT * user row and only destructured out password_hash, so totp_secret_enc (and the internal replay counter totp_last_step) leaked. Encrypted, so not catastrophic, but it regresses the API work's "secrets never in responses" rule. Strip both in issueSession (covers /login and /totp/verify); add an assertion that a verify response carries no totp_secret_enc. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 20:48:55 -05:00
ScreenTinker	728f03beba	test(server): TOTP - bite, lockout, replay, recovery, st_ bypass, key-rotation (#100 ) Unit: the mfa_pending BITE (db-injected so removing the rejection goes red), lockout, replay, recovery-hash, decrypt-null graceful. Integration: enrollment, login->mfa_required, route-level bite, recovery single-use, API-token bypass, verify lockout. Key-rotation: enroll under key A, reboot under key B -> recovery still works, TOTP fails cleanly (no 500). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 20:48:55 -05:00

Author

SHA1

Message

Date

ScreenTinker

f4c5865013

fix(server): strip totp_secret_enc/totp_last_step from login responses (#100 )

CI / Unit tests (node --test) (push) Waiting to run

Details

CI / OpenAPI spec lint (push) Waiting to run

Details

CI / Android unit tests (Kotlin schedule evaluator vectors) (push) Waiting to run

Details

CI / Boot smoke + version check (push) Waiting to run

Details

Review caught the encrypted TOTP secret riding in the login/verify response body:
issueSession receives a SELECT * user row and only destructured out password_hash, so
totp_secret_enc (and the internal replay counter totp_last_step) leaked. Encrypted, so
not catastrophic, but it regresses the API work's "secrets never in responses" rule.
Strip both in issueSession (covers /login and /totp/verify); add an assertion that a
verify response carries no totp_secret_enc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-13 20:48:55 -05:00

ScreenTinker

728f03beba

test(server): TOTP - bite, lockout, replay, recovery, st_ bypass, key-rotation (#100 )

Unit: the mfa_pending BITE (db-injected so removing the rejection goes red), lockout, replay,
recovery-hash, decrypt-null graceful. Integration: enrollment, login->mfa_required, route-level
bite, recovery single-use, API-token bypass, verify lockout. Key-rotation: enroll under key A,
reboot under key B -> recovery still works, TOTP fails cleanly (no 500).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-13 20:48:55 -05:00

2 commits